SWG SSL Certificate
We need to implement SSL Deep Inspection on SWG 8450 boxes at the client side. They want to use an internal self-signed SSL certificate in their Windows domain environment. The client has their own internal CA Authority service running on an MS PKI server. The client does not want to deploy the SSL certificate on each endpoint manually. They want to use their PKI server to establish trust for this self-signed certificate so that when a user browses any https website, they don't get a certificate error.
We have done the following steps to create a key, certificate signing request (CSR) and certificate, but when we browse https websites using the SWG boxes, we get a certificate verification error.
We create a key using openssl (for Windows) with the following command.
openssl.exe genrsa -out abc430.key 2048
Then we generate a CSR using the above key.
openssl.exe req -new -key abc430.key -out abc430.csr (CSR is attached).
Then we use the above CSR to generate an SSL certificate through the MS PKI service using the Subordinate Certificate Authority template. (Certificate file is attached and screenshots are provided below.)
Then we import this certificate into SWG, and the import is successful.
But when we browse the Internet and use any https website, we get a certificate verification error, although SWG logs show proper SSL interception.
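
A lab reproduction of the steps in the post, added here as an example and not part of the original post: it rebuilds the key, CSR and subordinate-CA issuance with OpenSSL, then runs the checks a client effectively performs on an intercepted site certificate. It assumes a throwaway root CA standing in for the MS PKI server; every subject name and every file name other than abc430.* is constructed.

```shell
#!/bin/sh
# Constructed lab: a throwaway root CA stands in for the MS PKI server.
# Subject names and all file names except abc430.* are assumptions.
swg_chain_check() (
  d=$(mktemp -d) && cd "$d" || exit 1
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

  # Stand-in for the enterprise root that domain clients already trust
  q openssl genrsa -out root.key 2048
  q openssl req -new -key root.key -subj "/CN=Lab Root CA" -out root.csr
  q openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.crt

  # Steps from the post: key, CSR, then issuance with subordinate-CA extensions
  q openssl genrsa -out abc430.key 2048
  q openssl req -new -key abc430.key -subj "/CN=SWG Inspection CA" -out abc430.csr
  q openssl x509 -req -in abc430.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out abc430.crt

  # What an inspecting proxy does per site: issue a leaf signed by abc430
  q openssl genrsa -out leaf.key 2048
  q openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr
  q openssl x509 -req -in leaf.csr -CA abc430.crt -CAkey abc430.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out leaf.crt

  # Check 1: the imported certificate must carry CA:TRUE to sign site certificates
  openssl x509 -in abc430.crt -noout -text | grep -q 'CA:TRUE' && ca=yes || ca=no
  # Check 2: root trusted by the client, subordinate supplied alongside the leaf
  q openssl verify -CAfile root.crt -untrusted abc430.crt leaf.crt && full=ok || full=fail
  # Check 3: root trusted, but the subordinate is not supplied to the client
  q openssl verify -CAfile root.crt leaf.crt && noint=ok || noint=fail

  rm -rf "$d"
  echo "subca_is_ca=$ca full_chain=$full without_intermediate=$noint"
)

swg_chain_check
```

Running the same `openssl x509 -noout -text` and `openssl verify` commands against the real abc430 certificate and the exported PKI root shows which link of the chain a browser cannot build.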