Hello dear WSA security fans,
On my WSA (AsyncOS 10.5.1-296) I configured the HTTPS proxy using an Intermediate CA (uploaded private key & certificate), as you can see in the attached screenshot.
My question is: where can I export the RSA private key which WSA uses for inner communication with clients, i.e. the private key whose public key is used in the dynamically generated mimic certificate?
WSA doesn't provide a mechanism to export private keys, as this would be a security hole if it were allowed. Also, in the case of other encryption mechanisms, keys are set up for each session, so exporting keys will not help.
Since you want keys from WSA, I am assuming you want to decrypt the HTTPS content again; what is your use case for doing that? In the next release of WSA, we are adding a Web Traffic Tap feature that will enable customers to configure the tap interface to copy the decrypted traffic out. This can be used for offline passive analysis of the traffic.
Let me know in case you need any further information.
You're right, I'm looking at various scenarios for passive SSL/TLS decryption. This can be done if the SSL/TLS leg between client and proxy doesn't use PFS. Meanwhile, I got information that WSA can't set up ciphers independently for the client-proxy leg and the proxy-web_server leg, so this is another show stopper for me.
However, the new feature, traffic tap, will be the solution I'm looking for.
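The PFS point in the post above is easy to check on a capture, since the negotiated cipher suite is visible in the ServerHello. The following is an added example, not code from this thread or from Cisco's product: a small Python parser for a TLS ServerHello record that reports whether the suite uses RSA key transport (session keys recoverable offline from the server's private key, i.e. no forward secrecy) or an ephemeral (EC)DHE exchange (not recoverable that way). The ServerHello bytes are constructed inline with a zero random and empty session ID; the cipher suite table is a subset of the IANA registry, and the function names are the example's own.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough to classify common suites.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

HANDSHAKE = 0x16     # TLS record content type
SERVER_HELLO = 0x02  # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its fixed fields."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated handshake message")
    off = 0
    version = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    server_random = hs[off:off + 32]
    off += 32
    sid_len = hs[off]
    off += 1
    session_id = hs[off:off + sid_len]
    off += sid_len
    if off + 3 > len(hs):
        raise ValueError("truncated after session id")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    compression = hs[off]
    return {
        "version": version,
        "random": server_random,
        "session_id": session_id,
        "cipher_suite": suite,
        "cipher_suite_name": CIPHER_SUITES.get(suite, "unknown"),
        "compression": compression,
    }


def forward_secret(suite: int) -> bool:
    """True if the suite uses an ephemeral key exchange, so the server's
    long-term RSA key alone cannot recover the session keys from a capture."""
    name = CIPHER_SUITES.get(suite)
    if name is None:
        raise ValueError(f"unknown cipher suite 0x{suite:04X}")
    # TLS 1.3 suites name only the AEAD; their key exchange is always (EC)DHE.
    if name.startswith("TLS_AES_") or name.startswith("TLS_CHACHA20_"):
        return True
    return "_DHE_" in name or "_ECDHE_" in name


def audit_records(records) -> dict:
    """Count how many ServerHellos negotiated forward-secret vs RSA-key-transport suites."""
    counts = {"forward_secret": 0, "rsa_key_transport": 0}
    for rec in records:
        info = parse_server_hello(rec)
        key = "forward_secret" if forward_secret(info["cipher_suite"]) else "rsa_key_transport"
        counts[key] += 1
    return counts


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS 1.2-style ServerHello record for testing (constructed sample:
    all-zero server random, empty session ID, null compression, no extensions)."""
    hs_body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BBBH", HANDSHAKE, 0x03, 0x03, len(handshake)) + handshake


if __name__ == "__main__":
    sample = [build_server_hello(s) for s in (0x002F, 0xC02F, 0x1301)]
    for rec in sample:
        info = parse_server_hello(rec)
        print(f"{info['cipher_suite_name']:45s} forward secret: {forward_secret(info['cipher_suite'])}")
    print(audit_records(sample))
```

Only the client-to-proxy leg matters for the scenario in the thread, so the records fed to `audit_records` should come from that side of the proxy. Note that a TLS 1.3 ServerHello still carries 0x0303 as its legacy version field and signals the real version in an extension; the 0x13xx suite value alone is enough to classify it as forward secret.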