How to export private key, which HTTPS proxy uses for mimic certificates

Maros RAJNOCH
Level 1

Hello dear WSA security fans,

On my WSA (AsyncOS 10.5.1-296) I configured the HTTPS proxy — using an Intermediate CA (uploaded private key & certificate), as you can see in the attached screenshot.

My question is: where can I export the RSA private key which WSA uses for inner communication with clients, i.e. the private key whose public key is used in the dynamically generated mimic certificate?

Thanks.

4 Replies

Maros RAJNOCH
Level 1

I tried XML config export, but the key from my question is not included there.

Hello,

WSA doesn't provide a mechanism to export private keys, as this would be a security hole if it were allowed. Also, in the case of other encryption mechanisms, keys are set up for each session, so exporting keys will not help.

Since you want keys from WSA, I am assuming you want to decrypt the HTTPS content again. What is your use case for that? In the next release of WSA, we are adding a Web Traffic Tap feature that will enable customers to configure the tap interface to copy the decrypted traffic out. This can be used for offline passive analysis of the traffic.

Let me know in case you need any further information.

Thanks

Sapan

Sapan hi,

You're right, I'm looking at various scenarios for passive SSL/TLS decryption. This can be done if the SSL/TLS leg between client and proxy doesn't use PFS. In the meantime, I got info that WSA can't set up ciphers independently for the leg between client-proxy and the leg between proxy-web_server, so this is another show stopper for me.

However, the new feature – traffic tap – will be the solution I'm looking for.

Thanks.

Hello Sapan,

Is the TAP feature in the current release of WSA?

If not, do you know when it will be available?
