Deploying an SSL Interception Certificate on a Bluecoat SG Proxy

While using a Bluecoat SG as a web proxy, I needed to inspect SSL connections centrally, which requires requesting a Subordinate CA certificate from the domain CA server.
The following describes how to request that certificate.
The reference documentation is in English and fairly simple, so I have left those steps as they are and only added my own notes where needed.

Step 1: Create a keyring and CSR on the ProxySG appliance
In the Management Console, select Configuration > Keyrings > Create.

Create the keyring and click Apply. Next, create a Certificate Signing Request (CSR) from the keyring. Select the keyring you just created and click Edit.
The Create Certificate Signing Request dialog then opens.
Create the CSR. For the Common Name, the screenshot in the original article used the appliance's proxy hostname as an example.
After you create the CSR, click OK > Apply.
Select the keyring again and click Edit.
Copy the data that you see under Certificate Signing Request.
Paste the contents into a text editor such as Notepad.

Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring
Open the Microsoft Certificate Services web enrollment page (certsrv) on the CA server.

Select Request a certificate > Advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste the CSR and change the Certificate Template selection to Subordinate Certification Authority (template name SubCA).
Click Next.
A Certificate Issued page appears.
Click Download Certificate.
Then, locate the downloaded certificate and open it in a text editor.

One problem here: sometimes the Subordinate CA template is not offered on the web enrollment page at all. The web page only lists templates that the CA has been configured to issue and that the requesting account has Enroll permission on, and the SubCA template is restricted by default. This puzzled me too; a search turned up a way to submit the request directly with certreq from PowerShell:
Log on to the CA server, open PowerShell as Administrator and run

PS D:\SSL_CERT> certreq -submit -attrib "CertificateTemplate:SubCA"

Here D:\SSL_CERT is the directory where the certificate request is stored. Because no request file is given on the command line, certreq opens a series of dialogs:
select the request file you saved earlier, SSL-Interception_request.cer;
select the domain (root) CA to submit the request to;
save the issued certificate as SSL_Interception_Cert.cer.
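As an added example (not from the original post or the Symantec article), the same submission done non-interactively from PowerShell on the CA server, followed by a check that what the CA issued really is a CA certificate before it goes into the keyring. The CA config string, directory and file names are assumptions; substitute your own.

```powershell
# Added example: submit the ProxySG CSR to the enterprise CA non-interactively
# and verify the result is a usable Subordinate CA certificate.
# Assumed values: adjust the CA config string and paths to your environment.
$CaConfig  = 'CA01.corp.example\Corp-Root-CA'                    # "<CA host>\<CA common name>"
$WorkDir   = 'D:\SSL_CERT'
$RequestIn = Join-Path $WorkDir 'SSL-Interception_request.cer'   # CSR pasted from the ProxySG keyring
$CertOut   = Join-Path $WorkDir 'SSL_Interception_Cert.cer'      # issued Subordinate CA certificate
$ChainOut  = Join-Path $WorkDir 'SSL_Interception_Chain.p7b'     # PKCS#7 with the issuing chain (for Step 3)

# Naming the CA and the request file up front avoids the file and CA picker dialogs.
# The -attrib string selects the template by its template *name* (SubCA), not its display name.
& certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:SubCA' $RequestIn $CertOut $ChainOut
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $CertOut)) {
    throw 'No certificate was written. If the request is pending, approve it in the Certification Authority console and fetch it with: certreq -retrieve <RequestId> <CertFile>'
}

# Load the issued certificate and inspect the extensions that make it a CA certificate.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertOut
$basic = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$usage = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

if (-not $basic -or -not $basic.CertificateAuthority) {
    throw 'Issued certificate is not a CA certificate (Basic Constraints CA:TRUE missing); the wrong template was applied.'
}
if (-not $usage -or -not $usage.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)) {
    throw 'Issued certificate lacks keyCertSign; the proxy cannot sign emulated server certificates with it.'
}

# A path length of 0 is enough for interception (the proxy only issues end-entity certificates)
# and stops the key from minting further CAs if it is ever extracted from the appliance.
if ($basic.HasPathLengthConstraint) {
    "Path length constraint: $($basic.PathLengthConstraint)"
} else {
    Write-Warning 'No path length constraint: consider constraining the SubCA template to pathlen 0.'
}

# Show which template the CA applied (Certificate Template Information, OID 1.3.6.1.4.1.311.21.7).
$tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
if ($tmpl) { $tmpl.Format($true) }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"
```

The two throw checks are the ones worth keeping: a certificate issued from a server or user template instead of SubCA will import into the keyring without complaint, and the failure only shows up later as browsers rejecting every intercepted site.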

Copy the contents of the file.
In the ProxySG Management Console, select Configuration > SSL > Keyrings.
Select the keyring you created and click Edit.

On the Edit Keyring page, click Import, and paste the contents of the copied certificate.
Click OK > Close > Apply.
Treat the private key of this keyring as you would the CA's own key: anyone who obtains it can forge a certificate for any site that your domain clients trust.

Step 3: Import the certificate signed by the PKI system to be used with SSL interception
In the ProxySG Management Console, select Configuration > SSL > CA Certificates > Import.
Paste the certificate that you created on your Microsoft Certificate Server, as well as the Intermediate CA Certificates from the Internal PKI chain.
Click OK > Apply.
Select Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted and click Edit.
Select the new Certificate that you just created as well as the Intermediate CA Certificates from the Internal PKI chain, and move them to the column on the right.
Click OK > Apply.

Step 4: Configure the ProxySG appliance to perform SSL interception
Confirm that the HTTP service on the ProxySG appliance is configured correctly. In the Management Console, select Configuration > Services > Proxy Services.
In this example the ProxySG appliance is set to use the default Explicit HTTP service.

In this example, the appliance is configured to intercept HTTP traffic on ports 80 and 8080, and the Detect Protocol option is enabled.
Detect Protocol must be enabled for SSL interception to work. After you confirm or configure the HTTP service, configure policy rules and layers in the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager > Launch. In the following example, the VPM policy contains only two layers:
The Web Access Layer is set to Allow any Source and any Destination to access the internet.
The SSL Interception Layer contains one rule, which is set to SSL intercept Any source and Any destination.

Create the SSL intercept policy. The SSL Interception Layer's single rule initially has its Action set to None.
Right-click None under Action, and select Set.
Click New and select Enable SSL Interception.
In this example, keep the default option Enable HTTPS Interception. Set the Issuer Keyring to the keyring that you created in Step 1.
Click OK. Then, install the policy by clicking Install Policy.

Step 5: Check the certificate in a browser
At this point you can use a GPO to deploy the Subordinate CA certificate from Step 2 (the one imported in Step 3) to the domain. Users will notice no change, although an attentive user will see that the site's SSL certificate has been replaced by one issued by the subordinate CA.
You can now run a test using a computer that is a member of the domain of which the Microsoft Certificate Server is a member.
Check the certificate that is presented to the browser.
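Instead of eyeballing the padlock, the check can be scripted. The following is an added example, not part of the original post: from a domain-joined client it opens a CONNECT tunnel through the explicit proxy, captures the certificate the proxy presents for a site, and confirms that it was issued by the interception CA and chains to a root the machine trusts. The proxy address, port, target site and CA subject name are assumptions; the CA subject must match the full distinguished name of the Subordinate CA certificate.

```powershell
# Added example: from a domain-joined client, fetch the certificate a site presents
# *through* the explicit proxy and confirm it was issued by the interception CA.
# Assumed values: proxy address/port, target site and the interception CA's subject DN.
$ProxyHost     = 'proxy.corp.example'
$ProxyPort     = 8080                          # explicit HTTP service port from Step 4
$TargetHost    = 'www.example.com'
$InterceptCaDN = 'CN=SSL-Interception, DC=corp, DC=example'   # Subject of the Subordinate CA cert (Step 2)

function Get-InterceptedCertificate {
    param([string]$Proxy, [int]$Port, [string]$Site)
    $tcp = New-Object System.Net.Sockets.TcpClient($Proxy, $Port)
    $tcp.ReceiveTimeout = 10000
    $net = $tcp.GetStream()
    try {
        # Open the tunnel the way a browser does with an explicit proxy.
        $req = [System.Text.Encoding]::ASCII.GetBytes("CONNECT ${Site}:443 HTTP/1.1`r`nHost: ${Site}:443`r`n`r`n")
        $net.Write($req, 0, $req.Length)

        # Read the proxy's response headers byte by byte until the blank line.
        $resp = ''
        while (-not $resp.EndsWith("`r`n`r`n")) {
            $b = $net.ReadByte()
            if ($b -lt 0) { throw 'Proxy closed the connection before answering CONNECT' }
            $resp += [char]$b
        }
        if ($resp -notmatch '^HTTP/1\.[01] 200') { throw "Proxy refused CONNECT: $(($resp -split "`r`n")[0])" }

        # Accept any certificate at this layer; trust is evaluated explicitly below so the
        # script can report *who* issued the certificate rather than just pass/fail.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
        $ssl.AuthenticateAsClient($Site)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$leaf = Get-InterceptedCertificate -Proxy $ProxyHost -Port $ProxyPort -Site $TargetHost
"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"

# 1. Was the connection actually intercepted? The issuer must be the interception CA,
#    not the site's public CA. A mismatch means the SSL Interception rule did not match
#    or the Issuer Keyring points at a different keyring.
if ($leaf.Issuer -ne $InterceptCaDN) {
    Write-Warning "Not intercepted (or wrong issuer keyring): issuer is $($leaf.Issuer)"
}

# 2. Does the emulated certificate chain to a root this machine trusts? This is what the
#    browser evaluates; it fails if the subordinate/root chain was not deployed by GPO and
#    the proxy does not send the intermediate in the handshake. Revocation is skipped
#    because the emulated leaf has no reachable CRL/OCSP.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($leaf)) {
    'Chain builds: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    Write-Warning ('Chain failed: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}

# 3. Is the interception CA itself present in the machine's Intermediate CA store
#    (where the GPO should have placed it)?
Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $InterceptCaDN } |
    Select-Object Subject, Thumbprint, NotAfter
```

Run it once against a site that should be intercepted and once against any destination you have exempted from interception; the first should report the interception CA as issuer, the second the site's public CA.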


Reference:
https://support.symantec.com/en_US/article.TECH244873.html
