HTTPS CAs
On the Web Security >> Web Filtering >> HTTPS CAs tab you can manage Signing and Verification Certificate Authorities (CAs) for HTTPS connections.
Signing CA
In this area you can upload your Signing CA certificate, regenerate the Signing CA certificate, or download the existing Signing CA certificate. By default, the Signing CA certificate is created according to the information provided during setup, i.e. it is consistent with the information on the Management >> System Settings >> Organizational tab—unless there have been any changes applied since.
...
To download the Signing CA certificate, proceed as follows:
Click the button Download.
The Download Certificate File dialog box opens.
Select the file format to download.
You can choose between two different formats:
PKCS#12: This format will be encrypted, so enter an export password.
PEM: Unencrypted format.
Click Save.
The file will be saved.
If you use certificates for your internal webservers signed by a custom CA, it is advisable to upload this CA certificate to WebAdmin as Trusted Certificate Authority. Otherwise users will be prompted with an error message by the Web Filter claiming to be confronted with an untrustworthy server certificate.
To facilitate supplying client PCs with the proxy CA certificate, users can download the certificate themselves via passthrough.fw-notify.net/cacert.pem and install it in their browser. The website request is directly accepted and processed by the proxy. It is therefore necessary to enable the Web Filter on the Web Filtering >> Global tab first.
Note - In case the proxy's operation mode is not Transparent Mode the proxy has to be enabled in the user's browser. Otherwise the certificate download link will not be accessible.
Alternatively, if the User Portal is enabled, users can download the proxy CA certificate from the User Portal, tab HTTPS Proxy.
Preventing HTTPS Problems
When using HTTPS, Windows system programs like Windows Update and Windows Defender will not be able to establish connections because they are run with system user rights. However, this user, by default, does not trust the proxy CA. It is therefore necessary to import the HTTPS proxy CA certificate for the system user. Do the following:
In Windows, open the Microsoft Management Console (mmc).
Click on the File menu and then Add/Remove Snap-in.
The Add or Remove Snap-ins dialog window opens.
Click Add at the bottom of the window.
The dialog window Add Standalone Snap-In opens.
Select Certificates from the list and click Add.
A wizard appears.
Select Computer account and click Next.
Make sure that Local computer is selected and click Finish and then Close.
The first dialog window now contains the item Certificates (Local Computer).
Click OK.
The dialog window closes and the Console Root now contains the item Certificates (Local Computer).
In the Console Root window on the left open Certificates >> Trusted Root Certification Authorities, right-click Certificates and select All Tasks >> Import from the context menu.
The import dialog wizard opens.
Click Next.
The next wizard step is displayed.
Browse to the previously downloaded HTTPS proxy CA certificate, click Open and then Next.
The next wizard step is displayed.
Make sure that Place all certificates in the following store is selected and click Next and Close.
The wizard reports the import success.
Confirm the wizard's message.
The proxy CA certificate is now displayed among the trusted certificates.
Save the changes.
Click on the File menu and then Save to save the changes on the Console Root.
After importing, the CA is system-widely accepted and connection problems resulting from the HTTPS proxy should not occur.
Verification CAs
This area allows you to manage Verifications CAs. Those are Certificate Authorities you trust in the first place, i.e. websites presenting valid certificates signed by these CAs are regarded trustworthy by the HTTPS proxy.
Local Verification CAs: You can upload Verification CAs additionally to the CA list below. Proceed as follows:
Click the folder icon next to the Upload Local CA field.
The Upload File dialog box opens.
Select the certificate to upload.
Click Browse and select the CA certificate to upload.
Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local Verification CAs area.
Global Verification CAs: The list of Verification CAs shown here is identical to the Verification CAs pre-installed by Mozilla Firefox. However, you can disable one or all Verification CAs of the list if you do not regard them as trustworthy. To revoke a CA's certificate click its status icon. The status icon turns red and the HTTPS proxy will no longer accept websites signed by this CA.
Tip - Click the blue information icon to see the fingerprint of a CA.
The HTTPS proxy will present a "Blocked Content" error page to a client if the CA is unknown or disabled. However, you can create an exception for such pages: either via the Create Exception link on the error page of the Web Filter or via the Web Security >> Web Filtering >> Exceptions tab.
Note - When clicking the Create Exception link on the Web Filter error page a login dialog window is presented. Only users with admin rights are allowed to create exceptions.
Copied out of the ASG online help...
... BTW: iOS devices has to be excluded from SSL scanning, because iOS accepts only SHA signed CA certificates, and Astaro Webproxy uses MD5 signed certificates. Thank you for (not) making us life easier Apple [;)] Preventing users from their freedom with unnecessary boundaries...
Hope this helps.
