How to roll out a Certificate Authority trust

Version 2

    Introduction

    This guide discusses the process for implementing a non-default certificate authority in your environment. The SSL Scanner on the McAfee Web Gateway (MWG) uses this certificate authority to generate the certificates that the SSL Scanning feature presents to clients. Deploying a certificate authority in Web Gateway consists of two basic steps: (1) generating the authority and (2) establishing trust between clients and that certificate authority. More information on Certificate Authorities themselves and their function can be found here: https://community.mcafee.com/docs/DOC-4822

    NOTE: You MUST use a non-default Certificate Authority in production. The CA in place by default is the same one shipped on all MWGs, so its private key is available to anyone who operates an MWG, and any of them could issue certificates that your clients would trust. It is a major security risk to use the default CA!

    How do I replace my default Certificate Authority?

    There are many methods for obtaining a certificate authority; the recommended method is described below.

    Generating Via the McAfee Web Gateway

    This example shows how to generate a Certificate Authority via the McAfee Web Gateway.

    Follow along with the screenshot below the instructions.

        1. Select "Policy"
        2. Select the "Settings" tab near the top left.
        3. Expand Engines > SSL Client Context With CA.
        4. Select "Default CA"
        5. Select "Generate" and fill in the relevant fields then click OK.
        6. Select "Export" and save with a .cer extension.

    [Screenshot: gencert1.png]

    How do I import and trust the certificate authority in my browser?

    Internet Explorer/Chrome Automated Enterprise-Wide Import via GPO

    You can use Active Directory Group Policy Objects (GPO) to import certificates into the Windows certificate store used by Internet Explorer. These instructions are for Windows Server 2008.

    Use the Microsoft KB article below for help navigating to the GPO in your domain:

    http://technet.microsoft.com/en-us/library/cc781159(v=ws.10).aspx

    Note: Any application that does not use the Internet Explorer certificate store must have the certificate imported manually per user and client. GPO imports only apply to applications that use the IE certificate store.

    Once you have the GPO open that you wish to edit, continue to follow the instructions below:

        1. Navigate to Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
        2. Right-click Trusted Root Certification Authorities and select Import.
        3. Complete the wizard to import the previously exported public Certificate Authority certificate.
        4. Exit the Group Policy Object Editor.
        5. Navigate to Start > Run > cmd.
        6. Type gpupdate /force at the command prompt. This refreshes the GPO.
        7. Log out and log back into the domain.
        8. Navigate to Start > MMC > Certificates.
        9. Expand the Trusted Root Certification Authorities store. You should see the certificate.

    [Screenshot: gpo.png]
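    The following PowerShell script is an added example and is not part of the original article or of MWG's own tooling. It checks the .cer exported in the "Generating Via the McAfee Web Gateway" section before it is distributed (public certificate only, marked as a CA, self-signed, currently valid), prints its fingerprints so users can confirm what they are trusting, and then verifies after gpupdate /force that the same certificate, matched by thumbprint rather than by name, is present in the machine's Trusted Root store. The file path is an assumed location.

```powershell
# Added example (not from the original article): sanity-check the exported MWG
# CA certificate and confirm it landed in the Windows Trusted Root store.
param(
    [string]$CerPath = "C:\Certs\WebProtectionCertificate.cer"  # assumed location
)

# Load the exported .cer; X509Certificate2 accepts both DER and Base64 encodings.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# 1. A .cer export must carry only the public certificate. A private key here
#    would mean the CA signing key is being pushed to every client.
if ($ca.HasPrivateKey) { throw "Export contains a private key; do not distribute this file." }

# 2. The certificate must be a CA (basicConstraints CA:TRUE), otherwise the
#    server certificates the SSL Scanner generates will not chain to it.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Certificate is not marked as a CA." }

# 3. A self-signed root has matching subject and issuer.
if ($ca.Subject -ne $ca.Issuer) { Write-Warning "Subject and issuer differ; this is not a self-signed root." }

# 4. The certificate must be inside its validity window today.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "Certificate is not currently valid ($($ca.NotBefore) to $($ca.NotAfter))."
}

# Fingerprints for users to verify. Thumbprint is SHA-1, so also compute SHA-256
# over the DER encoding.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256 = ($sha256.ComputeHash($ca.RawData) | ForEach-Object { $_.ToString("X2") }) -join ":"
"Subject : $($ca.Subject)"
"SHA-1   : $($ca.Thumbprint)"
"SHA-256 : $fp256"

# 5. After 'gpupdate /force', the same certificate should be in the machine
#    Trusted Root store. Match on thumbprint, not on name, so a differently
#    keyed CA with the same subject (such as the default one) is not mistaken for it.
$inRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($inRoot) { "OK: CA present in Cert:\LocalMachine\Root" }
else { Write-Warning "CA not found in Trusted Root store; re-check the GPO and run gpupdate /force." }
```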

    Internet Explorer/Chrome Manual Import

    If you are unable to use GPO, follow the instructions below to manually import the certificate into the Internet Explorer certificate store:

    Note: This process must be done per user and client. This also only works for applications which are using the Certificate Store.

        1. Open the "Run" dialog on whichever version of Windows you are using.
        2. Type "certmgr.msc" and click "OK".
        3. Right-click "Trusted Root Certification Authorities" and hover over "All Tasks".
        4. Select "Import".
        5. On the Certificate Import Wizard welcome page, click Next.
        6. Click Browse and navigate to where you stored the WebProtectionCertificate.cer file.
        7. Click Next.
        8. Select "Automatically select the certificate store based on the type of certificate".
        9. Click Next.
        10. Click Finish. A message indicating a successful import appears.
        11. Close all open windows.

    [Screenshot: 2013-09-12_172030.png]

    Alternative Method for Internet Explorer

    You can also import the Certificate Authority manually from within Internet Explorer. Go to Tools > Internet Options > Content > Certificates, click the 'Trusted Root Certification Authorities' tab and press the Import button.

    [Screenshot: cert1.png]

    Firefox Manual Import

    Since Firefox does not use the IE certificate store, each user must manually import the MWG CA's public certificate into the Firefox certificate store. This limitation is by design of the Firefox browser and is not specific to MWG. You can use the Firefox web browser itself to import the certificate manually.

    Note: This process must be done for each user and client. This also only works for Firefox.

        1. From the Tools menu, select Options.
        2. Click "Advanced".
        3. Click "Encryption".
        4. Click "View Certificates".
        5. Click "Import".
        6. Navigate to where you stored the WebProtectionCertificate.cer file.
        7. Select "Trust this CA to identify websites".
        8. Click "OK" and close all open windows.

    [Screenshot: firefox.png]

    Importing/Exporting a Certificate Authority on Mac OS 10.7

    Follow the link below for documentation on how to import and export a certificate on Mac OS 10.7:

    http://www.digicert.com/ssl-support/p12-import-export-mac-server.htm

    Conclusion

    By now you should understand what Certificate Authorities are used for and the process for importing them into your environment so that clients trust the certificates generated by the SSL Scanner.