笔者在使用Bluecoat SG做网页代理时,需要对SSL连接进行统一验证,因此需要向域CA服务器申请一张Subordinate CA证书。
下文介绍了怎样申请这张证书。
因为参考文档都是英文的,比较简单就不翻译了, 只有注释的地方用中文。
Step 1: Create a keyring and CSR on the ProxySG appliance
In the Management Console, select Configuration > Keyrings > Create.
After you create the CSR, click OK > Apply.
Select the keyring again and click Edit.
Copy the data that you see under Certificate Signing Request.
Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring
Go to the Microsoft Certificate Service.
Click Next.
A Certificate Issued page appears.
Then, locate the downloaded certificate and open it in a text editor.
这里有个问题,有时直接在Web页面申请证书没有Subordinate CA这个类型。这个问题也困扰了我,还好有谷歌,找到用PowerShell直接申请的方法:
登录到CA服务器,用Administrator打开PowerShell运行
PS D:\SSL_CERT> certreq -submit -attrib "CertificateTemplate:SubCA"
其中D:\SSL_CERT为证书请求存放的路径
选择刚才的请求证书文件 SSL-Interception_request.cer;
选择域CA根证书;
保存为 SSL_Interception_Cert.cer
Copy the contents of the file.
In the ProxySG Management Console, select Configuration > SSL > Keyrings.
Select the keyring you created and click Edit.
Click OK > Close > Apply.
Step 3: Import the certificate signed by the PKI system to be used with SSL interception In the ProxySG Management Console, select Configuration > SSL > CA Certificates > Import.
Paste the certificate that you created on your Microsoft Certificate Server, as well as the Intermediate CA Certificates from the Internal PKI chain.
Click OK > Apply.
Select Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted and click Edit.
Select the new Certificate that you just created as well as the Intermediate CA Certificates from the Internal PKI chain, and move them to the column on the right.
Click OK > Apply.
Step 4: Configure the ProxySG appliance to perform SSL interception
Confirm that the HTTP service on the ProxySG appliance is configured correctly. In the Management Console, select Configuration > Services > Proxy Services.
In this example the ProxySG appliance is set to use the default Explicit HTTP service:
In this example, the appliance is configured to intercept HTTP traffic on ports 80 and 8080, and the Detect Protocol option is enabled.
This must be enabled for SSL interception to work.After you confirm or configure the HTTP service, configure policy rules and layers in the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager > Launch.In the following example, the VPM policy only contains two layers:
The Web Access Layer is set to Allow any Source and any Destination to access the internet.
The SSL Interception Layer contains one rule, which is set to SSL intercept Any source and Any destination.
Enable HTTPS Interception. Set the Issuer Keyring to the keyring that you have created:
Step 5: Check the certificate in a browser
这里可以用GPO将STEP 3生成的证书部署到域中,用户就不会感觉到变化,仔细的用户会看到SSL证书已经被替换为次级CA服务器签发的证书。
You can now run test using a computer that is a member of the domain of which the Microsoft Certificate Server is a member.
Check the certificate that is provided to the browser, as in the following example:
参考链接:
https://support.symantec.com/en_US/article.TECH244873.html
