HTTPs Proxy

Jan 23rd, 2009
I have enabled HTTPS proxy on some boxes and generated a local certificate, but after this some sites are not accessible: some because of an invalid certificate, and some are saying "Bad request". Can I have a valid certificate so this problem can be resolved?

jowolfer Fri, 01/23/2009 - 16:32

You need to use a Root certificate to create decryption certificates on the fly. You will not be able to obtain a certificate that is already trusted by web browsers.

The only way that your clients will trust the WSA in HTTPS decryption mode, is if you install the Root decryption certificate from the WSA onto all of your clients. Or - if you already have a trusted root certificate in your IT infrastructure, you can import that into the WSA to be used.

One common method of pushing the WSA root certificate to all clients is via Group Policy in Active Directory. This will only affect IE, not other browsers such as Firefox, Opera, or Safari.

mac.til_ironport Sat, 01/24/2009 - 04:31

But the problem is that while downloading, some sites like Microsoft are giving a certificate error while downloading the update, saying that 'certificate date and time are invalid'.

jowolfer Mon, 01/26/2009 - 15:43

Mac,

I'm not sure about Microsoft specifically, but there are many sites / applications that will verify that the certificate being presented is the 'original' certificate that the server was sending.

Decrypting the stream means that the WSA has to generate a new certificate on the fly and spoof the original values.

Intelligent software, such as iTunes, realizes that the certificate is not really from Apple and terminates the connection. In this case, there is nothing you can do except set these servers to "pass through" instead of decrypt.
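
A client-side check for the two symptoms in this thread: whether a site's certificate was re-signed by the proxy's decryption root, and whether its validity window covers the client's clock. This is an added example, not part of the thread or any Cisco tooling; the root name `Example WSA Decryption Root`, the host names and the certificate dicts are constructed, in the layout Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl

# Assumption: common name of the decryption root configured on the proxy.
PROXY_ROOT_CN = "Example WSA Decryption Root"
# Constructed client clock, so the example is reproducible offline.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 24 04:31:00 2009 GMT")

def _field(name, key):
    """Return one attribute (e.g. commonName) from getpeercert()'s nested tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def triage(cert, now, proxy_root_cn=PROXY_ROOT_CN):
    """Classify a certificate dict in the layout getpeercert() returns."""
    issuer_cn = _field(cert.get("issuer", ()), "commonName")
    findings = ["re-signed-by-proxy" if issuer_cn == proxy_root_cn
                else "original-issuer"]
    # Validity window compared against the client's clock (seconds since epoch).
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings

def needs_attention(observed, now):
    """Hosts whose presented certificate the client clock would reject."""
    return sorted(h for h, c in observed.items() if len(triage(c, now)) > 1)

# Constructed samples: one decrypted connection, one passed through untouched.
OBSERVED = {
    "updates.example.com": {
        "issuer": ((("commonName", PROXY_ROOT_CN),),),
        "notBefore": "Jan 25 00:00:00 2009 GMT",
        "notAfter": "Jan 25 00:00:00 2010 GMT",
    },
    "store.example.net": {
        "issuer": ((("commonName", "Example Public CA"),),),
        "notBefore": "Jan  1 00:00:00 2008 GMT",
        "notAfter": "Jan  1 00:00:00 2010 GMT",
    },
}

if __name__ == "__main__":
    for host, cert in OBSERVED.items():
        print(host, triage(cert, SAMPLE_NOW))
```

On a live connection `getpeercert()` only returns a populated dict when the chain was verified, so the proxy's root has to be loaded into the `SSLContext` (for example with `load_verify_locations`) before decrypted sites can be inspected this way.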
