SSL interception certificate store

An SSL certificate, which is an integral part of any SSL transaction, is a digital data structure (X.509) that identifies a company (domain) or an individual. An SSL certificate is issued by a certificate authority (CA). A CA can be private or public. Certificates issued by public CAs, such as Verisign, are trusted by applications that conduct SSL transactions. These applications maintain a list of CAs that they trust.

As a forward proxy, a Citrix Secure Web Gateway (SWG) appliance performs encryption and decryption of traffic between a client and a server. It acts as a server to the client (user) and as a client to the server. Before an appliance can process HTTPS traffic, it must validate the identity of a server to prevent any fraudulent transactions. Therefore, as a client to the origin server, the appliance must verify the origin server certificate before accepting it. To verify a server’s certificate, all the certificates (for example, root and intermediate certificates) that are used to sign and issue the server certificate must be present on the appliance. A default set of CA certificates is preinstalled on an appliance. The Citrix SWG can use these certificates to verify almost all of the common origin-server certificates. This default set cannot be modified. However, if your deployment requires more CA certificates, you can create a bundle of such certificates and import the bundle to the appliance. A bundle can also contain a single certificate.

When you import a certificate bundle to the appliance, the appliance downloads the bundle from the remote location and, after verifying that the bundle contains only certificates, installs it on the appliance. You must apply a certificate bundle before you can use it to validate a server certificate. You can also export a certificate bundle for editing or to store it in an offline location as a backup.
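A pre-flight check for a bundle before you host it for import, added here as an example that is not Citrix code: it enforces the same rule the appliance enforces on import (every PEM block must be a certificate) and records a SHA-256 fingerprint per certificate for comparison with the CA's published fingerprint before the CA is trusted for interception. The sample bundles are constructed with a placeholder DER body rather than real certificates, and the function name check_bundle is an assumption.

```python
import base64
import binascii
import hashlib
import re

# One PEM block: the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_bundle(pem_text):
    """Apply the rule the appliance applies on import: every PEM block
    must be a CERTIFICATE. Returns (ok, findings); findings holds one
    line per block, with the SHA-256 fingerprint of each certificate's
    DER encoding so it can be compared with the CA's published value."""
    findings = []
    ok = True
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return False, ["no PEM blocks found in bundle"]
    for idx, (label, body) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            ok = False
            findings.append(f"block {idx}: {label} block found; a bundle "
                            "must contain only certificates")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            ok = False
            findings.append(f"block {idx}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            ok = False
            findings.append(f"block {idx}: body is not a DER SEQUENCE")
            continue
        findings.append(f"block {idx}: CERTIFICATE sha256="
                        f"{hashlib.sha256(der).hexdigest()}")
    return ok, findings


# Constructed samples: the body is a placeholder DER SEQUENCE, not a real
# certificate, so the structural checks can be exercised offline.
GOOD_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
               "-----END CERTIFICATE-----\n") * 2
BAD_BUNDLE = GOOD_BUNDLE + ("-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n"
                            "-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(*check_bundle(BAD_BUNDLE)[1], sep="\n")
```

Run it against the bundle file (for example, the Mozilla cacert.pem imported later in this topic) before pointing the import command at it; a stray private key or non-certificate block makes the appliance reject the whole bundle.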

Import and apply a CA certificate bundle on the appliance by using the Citrix SWG CLI

At the command prompt, type:

import ssl certBundle <name> <src>
apply ssl certBundle <name>
show ssl certBundle

ARGUMENTS:

Name:

Name to assign to the imported certificate bundle. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my file” or ‘my file’).

Maximum Length: 31

src:

URL specifying the protocol, host, and path, including file name, to the certificate bundle to be imported or exported. For example, http://www.example.com/cert_bundle_file.

NOTE: The import fails if the object to be imported is on an HTTPS server that requires client certificate authentication for access.

Maximum Length: 2047

Example:

import ssl certbundle swg-certbundle http://www.example.com/cert_bundle
apply ssl certBundle swg-certbundle
show ssl certbundle
            Name : swg-certbundle(Inuse)
            URL : http://www.example.com/cert_bundle
    Done

Import and apply a CA certificate bundle on the appliance by using the Citrix SWG GUI

  1. Navigate to Secure Web Gateway > Getting Started > Certificate Bundles.
  2. Do one of the following:
    • Select a certificate bundle from the list.
    • To add a new certificate bundle, click “+” and specify a name and source URL. Click OK.
  3. Click OK.

Remove a CA certificate bundle from the appliance by using the CLI

At the command prompt, type:

remove certBundle <cert bundle name>

Example:

remove certBundle mytest-cacert

Export a CA certificate bundle from the appliance by using the Citrix SWG CLI

At the command prompt, type:

export certBundle <cert bundle name> <Path to export>

ARGUMENTS:

Name:

Name of the certificate bundle to export. The naming rules are the same as for import: the name must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my file” or ‘my file’).

Maximum Length: 31

Path to export:

URL specifying the protocol, host, and path, including file name, to which the certificate bundle is exported. For example, http://www.example.com/cert_bundle_file.

Maximum Length: 2047

Example:

export certBundle mytest-cacert http://192.0.2.20/

Import, apply, and verify a CA certificate bundle from the Mozilla CA certificate store

At the command prompt, type:

> import certbundle mozilla_public_ca https://curl.haxx.se/ca/cacert.pem
Done

To apply the bundle, type:

> apply certbundle mozilla_public_ca
Done

To verify the certificate bundle in use, type:

> sh certbundle | grep mozilla
    Name : mozilla_public_ca (Inuse)

Limitation

Certificate bundles are not supported in a cluster setup, or on a partitioned appliance.