Install a subordinate certificate authority (CA) for HTTPS inspection
Create and install a subordinate CA so that you can use one certificate across all your XG Firewall appliances for SSL/TLS scanning.
Introduction
You can use your own certificate both with the DPI engine and when using XG Firewall as a direct web proxy. The configuration steps are as follows:
- Generate a certificate signing request (CSR).
- Sign the CSR.
- Convert the signed CA.
- Upload the signed CA to XG Firewall.
- Upload the root CA to XG Firewall.
- Configure the HTTPS scanning CA when using the DPI engine.
- Configure the HTTPS scanning CA when using XG Firewall as a direct web proxy.
- Confirm the new certificate is used for web traffic.
Generate a certificate signing request (CSR)
When you send the CSR to a certificate authority, the CA issues a certificate based on the details in the CSR.
Sign the CSR
You need to create a new certificate that is signed by your root CA certificate.
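The CSR and signing steps above, as an added example using the OpenSSL command line (not taken from the original page or from Sophos): it generates the subordinate CA's key and CSR, signs the CSR with a root CA, and checks the result before it would be uploaded. Assumptions: a throwaway lab root stands in for your real root CA, all file names and subject names are constructed, and the `pathlen:0` and key usage settings are this example's choices rather than requirements stated on the page.

```shell
#!/usr/bin/env bash
# Added example: every path and subject name here is a constructed placeholder.
set -eu
umask 077   # private keys written below are unencrypted (-nodes): lab use only

write_cnf() {   # minimal OpenSSL config holding the CA extension profiles
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_lab_root() {   # stand-in for your existing root CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 -sha256 \
    -extfile "$1/ca.cnf" -extensions v3_root -out "$1/root.pem" 2>/dev/null
}

make_sub_csr() {   # step 1: key pair and CSR for the subordinate CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Example HTTPS Inspection Sub CA" \
    -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
}

sign_sub_csr() {   # step 2: root signs the CSR; pathlen:0 blocks further sub-CAs
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -sha256 \
    -extfile "$1/ca.cnf" -extensions v3_sub -out "$1/sub.pem" 2>/dev/null
}

check_sub_ca() {   # pre-upload check: chains to the root and is marked as a CA
  openssl verify -CAfile "$1/root.pem" "$1/sub.pem" >/dev/null &&
    openssl x509 -in "$1/sub.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

workdir=$(mktemp -d)
write_cnf "$workdir"; make_lab_root "$workdir"
make_sub_csr "$workdir"; sign_sub_csr "$workdir"
check_sub_ca "$workdir" && echo "subordinate CA verified: $workdir/sub.pem"
```

In a real deployment the root key stays on the system that holds your root CA and only the CSR travels to it; the subordinate key is what lets the firewall issue certificates for inspected sites, so store it encrypted and restrict access to it.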
Upload the signed CA to XG Firewall
You need to upload the signed CA to XG Firewall to use it for HTTPS scanning.
Upload the root CA to XG Firewall
To use the recently uploaded signed CA, you must also add its root CA to XG Firewall.
Configure the HTTPS scanning CA when using the DPI engine
You need to configure HTTPS decryption and scanning to use your recently signed CA.