笔者在使用Bluecoat SG做网页代理时,需要对SSL连接进行统一验证,因此需要向域CA服务器申请一张Subordinate CA证书。
下文介绍了怎样申请这张证书。
因为参考文档都是英文的,比较简单就不翻译了, 只有注释的地方用中文。
Step 1: Create a keyring and CSR on the ProxySG appliance
In the Management Console, select Configuration > Keyrings > Create.
Create the keyring and click Apply.Next, create a Certificate Signing Request (CSR) from the keyring. Select the keyring you just created and click Edit.
The following is an example of the Create Certificate Signing Request dialog:
Create the CSR. For the Common Name, the image above shows an example of an appliance proxyhostname.After you create the CSR, click OK > Apply.
Select the keyring again and click Edit.
Copy the data that you see under Certificate Signing Request.
Paste the contents into a text editor such as Notepad.
Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring
Go to the Microsoft Certificate Service.
Select Request a certificate > Advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
Change the Certificate Template selection to Subordinate Certificate Authority.Click Next.
A Certificate Issued page appears.
Click Download Certificate.Then, locate the downloaded certificate and open it in a text editor.
这里有个问题,有时直接在Web页面申请证书没有Subordinate CA这个类型。这个问题也困扰了我,还好有谷歌,找到用PowerShell直接申请的方法:
登录到CA服务器,用Administrator打开PowerShell运行
PS D:\SSL_CERT> certreq -submit -attrib "CertificateTemplate:SubCA"
其中D:\SSL_CERT为证书请求存放的路径
选择刚才的请求证书文件 SSL-Interception_request.cer;
选择域CA根证书;
保存为 SSL_Interception_Cert.cer
Copy the contents of the file.
In the ProxySG Management Console, select Configuration > SSL > Keyrings.
Select the keyring you created and click Edit.
On the Edit Keyring page, click Import, and paste the contents of the copied certificate.Click OK > Close > Apply.
Step 3: Import the certificate signed by the PKI system to be used with SSL interception In the ProxySG Management Console, select Configuration > SSL > CA Certificates > Import.
Paste the certificate that you created on your Microsoft Certificate Server, as well as the Intermediate CA Certificates from the Internal PKI chain.
Click OK > Apply.
Select Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted and click Edit.
Select the new Certificate that you just created as well as the Intermediate CA Certificates from the Internal PKI chain, and move them to the column on the right.
Click OK > Apply.
Step 4: Configure the ProxySG appliance to perform SSL interception
Confirm that the HTTP service on the ProxySG appliance is configured correctly. In the Management Console, select Configuration > Services > Proxy Services.
In this example the ProxySG appliance is set to use the default Explicit HTTP service:
User-added image
In this example, the appliance is configured to intercept HTTP traffic on ports 80 and 8080, and the Detect Protocol option is enabled.
This must be enabled for SSL interception to work.After you confirm or configure the HTTP service, configure policy rules and layers in the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager > Launch.In the following example, the VPM policy only contains two layers:
The Web Access Layer is set to Allow any Source and any Destination to access the internet.
The SSL Interception Layer contains one rule, which is set to SSL intercept Any source and Any destination.
User-added image
User-added image
Create the SSL intercept policy. The SSL Interception Layer might look like this at first:
User-added image
Right click None under Action, and select Set.
User-added image
Click New and select Enable SSL Interception.
User-added image
In this example, keep the default optionEnable HTTPS Interception. Set the Issuer Keyring to the keyring that you have created:
User-added image
Click OK. Then, install policy by clicking Install Policy.
Step 5: Check the certificate in a browser
这里可以用GPO将STEP 3生成的证书部署到域中,用户就不会感觉到变化,仔细的用户会看到SSL证书已经被替换为次级CA服务器签发的证书。
You can now run test using a computer that is a member of the domain of which the Microsoft Certificate Server is a member.
Check the certificate that is provided to the browser, as in the following example:
User-added image
参考链接:
https://support.symantec.com/en_US/article.TECH244873.html
网友评论