
SWG SSL Certificate

Created: 04 Jan 2013 • Updated: 04 Jan 2013 | 13 comments
Atif wrote:

Hi Guys,

We need to implement SSL Deep Inspection on SWG 8450 boxes at the client side. They want to use an internal self-signed SSL certificate in their Windows domain environment. The client has their own internal CA Authority service running on an MS PKI server. The client does not want to deploy the SSL certificate on each endpoint manually. They want to use their PKI server to establish trust for this self-signed certificate so that when a user browses any https website, they don't get a certificate error.

We have done the following steps to create the key, certificate signing request (CSR) and certificate, but when we browse https websites through the SWG boxes, we get a certificate verification error.

We create a key using openssl (for Windows) with the following command.

openssl.exe genrsa -out abc430.key 2048

Then we generate a CSR using the above key.

openssl.exe req -new -key abc430.key -out abc430.csr

(CSR is attached.)

Then we use the above CSR to generate the SSL certificate through the MS PKI service using the Subordinate Certificate Authority template. (The certificate file is attached and screenshots are provided below.)

Then we import this certificate into the SWG, and the import is successful.

But when we browse the Internet and use any https website, we get a certificate verification error, although the SWG logs show proper SSL interception.


BenDC wrote:

Certificate errors seen on the browser would be because it is not trusted by your workstation(s). This would be a matter of importing the cert to the browsers or using a CA-signed certificate for the SWG.

SMLatCST wrote:

I don't see any attachments. What is the certificate error being generated on your clients?

Atif wrote:

BenDC,

We are using a self-signed certificate which is added in the local CA subordinate authority (Windows domain environment). We have added the certificate under trusted certificates so that all endpoints connecting to the AD/DC won't get a validation error, due to the fact that the local CA server validates it.

I hope I made my point clear.

BenDC wrote:

If the browser is throwing a certificate error, the issue is most likely to be with the certificate.

You also have not specified what the error is or where the error is seen.


SMLatCST wrote:

I'm a little unclear on what has been done here...

Is this a self-signed cert, or one signed and issued by your Internal Root/Subordinate CA?

If it's the former, then you're going to have to install that cert into each and every endpoint in your environment; if the latter, then the screenshots of the certificate warnings you're seeing (that you said you had in your OP) would be useful.

Atif wrote:

This is a self-signed certificate. We generated the CSR through openssl as mentioned in the first post. Then we used that CSR and created a self-signed certificate through our own DC PKI server and imported that certificate into the SWG.

The point is that any certificate created by the PKI is considered trusted for the local domain, but in this case when an end user browses any https website, he/she gets the error below, which should not be the case when the SWG has an SSL certificate entrusted by our local Microsoft CA server.

[Screenshot: Self-signed SSL certificate imported into SWG]

[Screenshot: Error]

SMLatCST wrote:

This is not a self-signed certificate if it was signed by your internal subordinate CA. This is causing confusion and is hindering us from helping you. Presumably the cert says it was "Issued to" your SWG and "Issued by" your CA, therefore it is not self-signed.

Can you give us an idea of the actual errors (feel free to blank out any personally identifiable information) the users are seeing? Does it say the certificate is expired/revoked/untrusted/address doesn't match/etc.?

Atif wrote:

Yes, this is correct that it is not a self-signed certificate.

The only problem is that users are getting a security warning while browsing https websites. Ideally, when a local CA server has issued this certificate, it should be trusted by end users' browsers and no such warning should be displayed.

Please let me know if further info is required.

SMLatCST wrote:

Yup, if you could tell us what the actual certificate error is, this would help. There is usually more detail available that would indicate whether it was a validity issue/trust issue/address issue/etc.

When you click on the certificate error in the browser, the General tab will give you some of this information.

Atif wrote:

There is no certificate error. My point is that users should not see a certificate warning if a local CA (domain environment) validates it.

BenDC wrote:

The screenshot you provided clearly shows the browser is not trusting that certificate.

Atif wrote:

Ben,

We know that the browser is not trusting it. The question is that the certificate was generated by the PKI and should be trusted, but as per my discussion with an SWG expert this is some internal coding issue with the SWG, as it does not build a proper chain for the provided certificate, due to which browsers don't trust SSL certificates on the SWG.
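The following is an added example, not code from the thread or from Symantec: it replays the original post's key/CSR/"Subordinate CA" flow in a throwaway test PKI built entirely with openssl (a POSIX shell and openssl on PATH are assumed; the Windows openssl.exe commands above map onto the same subcommands), and then checks the chain-building point raised in the last reply. A client that trusts only the internal root has to be given the intercepting subordinate CA certificate (by the proxy in the handshake, or via group policy) before the leaf certificates the proxy mints will validate; `verify_leaf` shows the failure with no intermediate and the success with it. All names, subjects and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example: minimal internal PKI mirroring the thread's setup.
#   root.crt    - internal root CA (stands in for the client's MS PKI root)
#   abc430.crt  - the SWG's intercepting CA, signed from abc430.csr as a subordinate CA
#   leaf.crt    - a per-site certificate the proxy would mint for an intercepted host
# Assumes POSIX sh and openssl; every name below is constructed, not from the page.
set -e

build_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-contained req config so the example does not depend on /etc/ssl/openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\n' > "$dir/req.cnf"
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$dir/req.cnf"

  # 1. Internal root CA (self-signed; this is the only thing the clients trust).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$dir/req.cnf" \
    -subj "/CN=Example Internal Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

  # 2. Key and CSR, the same two commands the original post runs.
  openssl genrsa -out "$dir/abc430.key" 2048 2>/dev/null
  openssl req -new -key "$dir/abc430.key" -config "$dir/req.cnf" \
    -subj "/CN=swg-abc430" -out "$dir/abc430.csr" 2>/dev/null

  # 3. The root signs the CSR as a subordinate CA, which is what the MS
  #    "Subordinate Certification Authority" template produces: CA:TRUE + keyCertSign.
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/sub.ext"
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> "$dir/sub.ext"
  openssl x509 -req -in "$dir/abc430.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/sub.ext" -out "$dir/abc430.crt" 2>/dev/null

  # 4. The proxy mints a leaf for an intercepted site with the subordinate CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/abc430.crt" -CAkey "$dir/abc430.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# Returns 0 if a client that trusts only root.crt can validate leaf.crt.
# $2 is the set of intermediates the server presents: empty, or the subordinate CA file.
verify_leaf() {
  dir="$1"; chain="$2"
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$dir/root.crt" -untrusted "$chain" "$dir/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1
  fi
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE, i.e. it really was
# issued from a CA template and not from a plain server template.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Prints subject/issuer for leaf -> subordinate -> root, the "Issued to / Issued by"
# view the browser shows, so a broken link in the chain can be read off by eye.
show_chain() {
  dir="$1"
  for c in leaf abc430 root; do
    openssl x509 -in "$dir/$c.crt" -noout -subject -issuer
  done
}

# Stand-alone demo: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  build_test_pki "$d"
  show_chain "$d"
  verify_leaf "$d" "" && echo "root only: OK" || echo "root only: chain incomplete (what the users see)"
  verify_leaf "$d" "$d/abc430.crt" && echo "root + subordinate CA: OK"
fi
```

The useful check for the situation in the thread is the middle one: if `openssl verify -CAfile <root> <leaf>` fails but succeeds once the subordinate CA certificate is supplied with `-untrusted`, the certificates themselves are fine and the problem is that the endpoint never receives or trusts the intermediate, which is exactly the "does not build a proper chain" symptom. If `is_ca_cert` fails on the SWG certificate, it was issued from a non-CA template and can never sign leaves, whatever the proxy does.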

ADILT wrote:

Team,

Did we find a solution to this error, or isn't there a solution at the moment?

Thanks

ADanso