
SSL interception certificate store

An SSL certificate, which is an integral part of any SSL/TLS transaction, is an X.509 digital document that binds a public key to the identity of an organization (domain) or an individual. An SSL certificate is issued by a certificate authority (CA). A CA can be private or public. Certificates issued by public CAs, such as Verisign, are trusted by applications that conduct SSL transactions because each such application maintains a list (a trust store) of the CAs that it trusts.

As a forward proxy, a NetScaler Secure Web Gateway (SWG) appliance performs encryption and decryption of traffic between a client and a server. It acts as a server to the client (user) and as a client to the origin server. Before the appliance can process HTTPS traffic, it must validate the identity of the origin server; otherwise the interception point itself becomes the place where a fraudulent server can be accepted on the user's behalf. Therefore, as a client to the origin server, the appliance must verify the origin server certificate before accepting it. To verify a server's certificate, every certificate used to sign and issue it (the root certificate and any intermediate certificates) must be present on the appliance. A default set of CA certificates is preinstalled on the appliance, and the NetScaler SWG can use these certificates to verify almost all common origin-server certificates. This default set cannot be modified. If your deployment requires additional CA certificates (for example, for servers that present certificates issued by your own private CA), create a bundle of those certificates and import the bundle to the appliance. A bundle can also contain a single certificate.

When you import a certificate bundle, the appliance downloads the bundle from the remote location and, after verifying that the bundle contains only certificates (no keys or other objects), installs it. Importing alone does not change validation behavior: you must apply a certificate bundle before the appliance uses it to validate server certificates. You can also export a certificate bundle for editing or to store it in an offline location as a backup.
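The two paragraphs above say that the bundle must contain only certificates and that every root and intermediate needed for chain building must be in it. As an added example, not NetScaler code and not part of the original page, the following Python script applies the same kind of structural check to a PEM bundle before you place it on the web server from which the appliance fetches it: every PEM block must be a CERTIFICATE (a private key that leaked into the file is rejected), every payload must be valid base64 wrapping one complete DER SEQUENCE, and no certificate may appear twice. It reports a SHA-256 fingerprint per unique certificate. The sample bundle is constructed from minimal DER sequences so the checks can be exercised offline; it does not contain real CA certificates, and the script deliberately does not parse X.509 fields or verify chain order (use `openssl x509` and `openssl verify` for that).

```python
"""Pre-import lint for a CA certificate bundle in PEM form.

Added example, not NetScaler code. Checks mirror what an administrator wants
before `import ssl certBundle`: only CERTIFICATE blocks, well-formed base64,
a complete DER SEQUENCE per block, no duplicates. X.509 fields are not parsed.
"""
import base64
import binascii
import hashlib
import re

# Label in the BEGIN line must match the label in the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL
)


def der_total_length(der: bytes):
    """Return the encoded length of a top-level DER SEQUENCE (tag 0x30),
    or None if the tag/length octets are not a valid SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                 # short form: single length octet
        return 2 + first
    n = first & 0x7F                 # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def lint_bundle(pem_text: str):
    """Return (fingerprints, errors). fingerprints: SHA-256 hex digest of each
    unique certificate's DER, in bundle order; errors: one line per bad block."""
    fingerprints, errors, seen = [], [], {}
    matches = list(PEM_BLOCK.finditer(pem_text))
    if pem_text.count("-----BEGIN ") != len(matches):
        errors.append("bundle has an unterminated or mismatched PEM block")
    for i, m in enumerate(matches, start=1):
        label, body = m.group(1), "".join(m.group(2).split())
        if label != "CERTIFICATE":
            errors.append(f"block {i}: '{label}' is not a certificate")
            continue
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            errors.append(f"block {i}: body is not valid base64")
            continue
        if der_total_length(der) != len(der):
            errors.append(f"block {i}: payload is not one complete DER SEQUENCE")
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            errors.append(f"block {i}: duplicate of block {seen[fp]}")
            continue
        seen[fp] = i
        fingerprints.append(fp)
    return fingerprints, errors


def is_importable(pem_text: str) -> bool:
    """True only if at least one certificate was found and nothing was rejected."""
    fps, errs = lint_bundle(pem_text)
    return bool(fps) and not errs


def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with the given label."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample, not real CA certificates: each payload is a minimal
# DER SEQUENCE { INTEGER n } so that the structural checks can be exercised.
GOOD = bytes.fromhex("3003020101")
SAMPLE_BUNDLE = "".join([
    pem_block("CERTIFICATE", GOOD),
    pem_block("CERTIFICATE", bytes.fromhex("3003020102")),
    pem_block("CERTIFICATE", GOOD),                         # duplicate of block 1
    pem_block("PRIVATE KEY", GOOD),                         # key material: reject
    pem_block("CERTIFICATE", bytes.fromhex("300a020101")),  # declares 10 bytes, has 3
    "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n",  # not base64
])

if __name__ == "__main__":
    fps, errs = lint_bundle(SAMPLE_BUNDLE)
    print(f"{len(fps)} unique certificate(s), {len(errs)} problem(s)")
    for e in errs:
        print("  -", e)
    print("importable:", is_importable(SAMPLE_BUNDLE))
```

Run `lint_bundle` on the contents of your real bundle file before publishing it at the URL you will pass to `import ssl certBundle`. The per-certificate fingerprints also let you confirm that a bundle exported back from the appliance with `export ssl certBundle` is the same set you staged.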

Import and apply a CA certificate bundle on the appliance by using the NetScaler SWG CLI

At the command prompt, type:

import ssl certBundle <name> <src>
apply ssl certBundle <name>
show ssl certBundle

ARGUMENTS:

name:

              Name to assign to the imported certificate bundle. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my file” or ‘my file’).

Maximum Length: 31

src:

              URL specifying the protocol, host, and path, including file name, to the certificate bundle to be imported. For example, http://www.example.com/cert_bundle_file.

NOTE: The import fails if the object to be imported is on an HTTPS server that requires client certificate authentication for access.

Maximum Length: 2047

Example:

import ssl certBundle swg-certbundle http://www.example.com/cert_bundle
apply ssl certBundle swg-certbundle
show ssl certBundle

            Name : swg-certbundle(Inuse)
            URL : http://www.example.com/cert_bundle

    Done

Import and apply a CA certificate bundle on the appliance by using the NetScaler SWG GUI

  1. Navigate to Secure Web Gateway > Getting Started > Certificate Bundles.
  2. Do one of the following:
    • Select a certificate bundle from the list.
    • To add a new certificate bundle, click “+” and specify a name and source URL. Click OK.
  3. Click OK.

Remove a CA certificate bundle from the appliance by using the CLI

At the command prompt, type:

remove ssl certBundle <name>

Example:

remove ssl certBundle mytest-cacert

Export a CA certificate bundle from the appliance by using the NetScaler SWG CLI

At the command prompt, type:

export ssl certBundle <name> <dst>

ARGUMENTS:

name:

              Name of the certificate bundle to export, as assigned when it was imported. The following requirement applies only to the CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my file” or ‘my file’).

Maximum Length: 31

dst:

              URL specifying the protocol, host, and path, including file name, to which the certificate bundle is exported. For example, http://www.example.com/cert_bundle_file.

Maximum Length: 2047

Example:

export ssl certBundle mytest-cacert http://192.0.2.20/

Limitation

Certificate bundles are not supported in a cluster setup, or on a partitioned appliance.