
HTTPS Proxy

I have enabled HTTPS proxy in some boxes and generated a local certificate, but after this some sites are not accessible: some because of an invalid certificate and some are saying "Bad request". Can I have a valid certificate so this problem can be resolved?

3 Replies

jowolfer
Level 1

You need to use a Root certificate to create decryption certificates on the fly. You will not be able to obtain a certificate that is already trusted by web browsers.

The only way that your clients will trust the WSA in HTTPS decryption mode is if you install the Root decryption certificate from the WSA onto all of your clients. Or, if you already have a trusted root certificate in your IT infrastructure, you can import that into the WSA to be used.

One common method of pushing the WSA root certificate to all clients is via Group Policy in Active Directory. This will only affect IE, not other browsers such as Firefox, Opera, or Safari.

But the problem is that some sites like Microsoft are giving a certificate error while downloading the update, saying that 'certificate date and time are invalid'.

jowolfer
Level 1

Mac,

I'm not sure about Microsoft specifically, but there are many sites / applications that will verify that the certificate being presented is the 'original' certificate that the server was sending.

Decrypting the stream means that the WSA has to generate a new certificate on the fly and spoof the original values.

Intelligent software, such as iTunes, realizes that the certificate is not really from Apple and terminates the connection. In this case, there is nothing you can do except set these servers to "pass through" instead of decrypt.
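The two behaviours described in the replies above, as an added example that is not part of the thread and is not Cisco's code: a certificate minted by a decryption root validates only on clients that have that root installed, and a client that pins the server's original certificate rejects it either way. It uses the `openssl` CLI; the subjects, the host name `updates.example.test` and all keys are constructed throwaway values.

```bash
#!/usr/bin/env bash
# Constructed demo: every name, subject and file here is made up for illustration.
set -eu
WORK=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# selfsigned SUBJECT NAME: self-signed certificate written to $WORK/NAME.{key,crt}.
selfsigned() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}
selfsigned "/CN=Example Proxy Decryption Root" root   # the root the proxy signs with
selfsigned "/CN=updates.example.test" origin          # stand-in for the server's original cert

# The proxy mints its own leaf for the same host name, signed by its root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=updates.example.test" -keyout "$WORK/minted.key" -out "$WORK/minted.csr" 2>/dev/null
openssl x509 -req -in "$WORK/minted.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 7 -out "$WORK/minted.crt" 2>/dev/null

# trusts ROOT CERT: succeeds only if CERT chains to ROOT (ROOT is the whole trust store).
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# fp CERT: SHA-256 fingerprint, the value a pinning client compares.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

trusts "$WORK/root.crt" "$WORK/minted.crt" && echo "root installed:     minted cert accepted"
trusts "$WORK/origin.crt" "$WORK/minted.crt" || echo "root not installed: minted cert rejected"
[ "$(fp "$WORK/origin.crt")" = "$(fp "$WORK/minted.crt")" ] || echo "pinned client:      fingerprint mismatch"
```

The third line of output is the case the last reply describes: installing the root does not change the fingerprint, so a pinning application still fails and the destination has to be passed through rather than decrypted.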
