Bluecoat SG Proxy 部署SSL Interception证书

笔者在使用Bluecoat SG做网页代理时,需要对SSL连接进行统一验证,因此需要向域CA服务器申请一张Subordinate CA证书。
下文介绍了怎样申请这张证书。
因为参考文档都是英文的,比较简单就不翻译了, 只有注释的地方用中文。

Step 1: Create a keyring and CSR on the ProxySG appliance
In the Management Console, select Configuration > Keyrings > Create.

Create the keyring and click Apply.Next, create a Certificate Signing Request (CSR) from the keyring. Select the keyring you just created and click Edit.
The following is an example of the Create Certificate Signing Request dialog:
Create the CSR. For the Common Name, the image above shows an example of an appliance proxyhostname.
After you create the CSR, click OK > Apply.
Select the keyring again and click Edit.
Copy the data that you see under Certificate Signing Request.
Paste the contents into a text editor such as Notepad.

Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring
Go to the Microsoft Certificate Service.

Select Request a certificate > Advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
Change the Certificate Template selection to Subordinate Certificate Authority.
Click Next.
A Certificate Issued page appears.
Click Download Certificate.
Then, locate the downloaded certificate and open it in a text editor.

这里有个问题,有时直接在Web页面申请证书没有Subordinate CA这个类型。这个问题也困扰了我,还好有谷歌,找到用PowerShell直接申请的方法:
登录到CA服务器,用Administrator打开PowerShell运行

PS D:\SSL_CERT> certreq -submit -attrib "CertificateTemplate:SubCA"

其中D:\SSL_CERT为证书请求存放的路径
选择刚才的请求证书文件 SSL-Interception_request.cer
选择域CA根证书
保存为 SSL_Interception_Cert.cer

Copy the contents of the file.
In the ProxySG Management Console, select Configuration > SSL > Keyrings.
Select the keyring you created and click Edit.

On the Edit Keyring page, click Import, and paste the contents of the copied certificate.
Click OK > Close > Apply.

Step 3: Import the certificate signed by the PKI system to be used with SSL interception In the ProxySG Management Console, select Configuration > SSL > CA Certificates > Import.
Paste the certificate that you created on your Microsoft Certificate Server, as well as the Intermediate CA Certificates from the Internal PKI chain.
Click OK > Apply.
Select Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted and click Edit.
Select the new Certificate that you just created as well as the Intermediate CA Certificates from the Internal PKI chain, and move them to the column on the right.
Click OK > Apply.

Step 4: Configure the ProxySG appliance to perform SSL interception
Confirm that the HTTP service on the ProxySG appliance is configured correctly. In the Management Console, select Configuration > Services > Proxy Services.
In this example the ProxySG appliance is set to use the default Explicit HTTP service:

User-added image

In this example, the appliance is configured to intercept HTTP traffic on ports 80 and 8080, and the Detect Protocol option is enabled.
This must be enabled for SSL interception to work.After you confirm or configure the HTTP service, configure policy rules and layers in the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager > Launch.In the following example, the VPM policy only contains two layers:
The Web Access Layer is set to Allow any Source and any Destination to access the internet.
The SSL Interception Layer contains one rule, which is set to SSL intercept Any source and Any destination.

User-added image
User-added image
Create the SSL intercept policy. The SSL Interception Layer might look like this at first:
User-added image
Right click None under Action, and select Set.
User-added image
Click New and select Enable SSL Interception.
User-added image
In this example, keep the default option
Enable HTTPS Interception. Set the
Issuer Keyring
to the keyring that you have created:
User-added image
Click OK. Then, install policy by clicking Install Policy.

Step 5: Check the certificate in a browser
这里可以用GPO将STEP 3生成的证书部署到域中,用户就不会感觉到变化,仔细的用户会看到SSL证书已经被替换为次级CA服务器签发的证书。
You can now run test using a computer that is a member of the domain of which the Microsoft Certificate Server is a member.
Check the certificate that is provided to the browser, as in the following example:

User-added image

参考链接:
https://support.symantec.com/en_US/article.TECH244873.html

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 212,080评论 6 493
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 90,422评论 3 385
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 157,630评论 0 348
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,554评论 1 284
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,662评论 6 386
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,856评论 1 290
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,014评论 3 408
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,752评论 0 268
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,212评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,541评论 2 327
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,687评论 1 341
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,347评论 4 331
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,973评论 3 315
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,777评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,006评论 1 266
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,406评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,576评论 2 349

推荐阅读更多精彩内容