Web Gateway: Deploying a trusted CA to your Clients

Version 4

    Introduction

    This guide discusses the process for deploying a certificate authority into your environment. This certificate authority is used by the Web Gateway to perform HTTPS Inspection for secure websites: the gateway terminates the TLS connection, inspects the traffic, and presents the client with a server certificate issued by this CA, so the client must trust the CA or every inspected site shows a certificate error. The process of deploying a certificate authority in Web Gateway consists of two basic steps: 1) generating the certificate authority (CA) and 2) establishing trust between clients and the certificate authority. More information on Certificate Authorities themselves and their function can be found here (Web Gateway: Understanding "Client Context").

     

    NOTE: You MUST use a non-default Certificate Authority in production. The CA in place by default is the same one shipped on all MWGs, so its private key is not unique to your organization. Anyone holding that key can issue certificates your clients trust for any website, which makes the default CA a ready-made man-in-the-middle tool against your users. Using the default CA is a major security risk!

     

    How do I replace my default Certificate Authority?

    There are many ways to obtain a certificate authority. The recommended method, generating the CA on the Web Gateway itself so that the private key never leaves the appliance, is described below:

     

    Generating Via the McAfee Web Gateway

    This example shows how to generate a Certificate Authority via the McAfee Web Gateway.

     

    Follow along with the screenshots below the instructions

        1. Select "Policy"
        2. Select the "Settings" tab near the top left.
        3. Expand Engines > SSL Client Context with CA
        4. Select "Default CA"
        5. Select "Generate" and fill in the relevant fields (organization, common name, validity), then click OK.
        6. Select "Export" and save the certificate with a .cer extension. Distribute only this public certificate to clients; the CA private key must stay on the Web Gateway.

     

     

     

    How do I import and trust the certificate authority in my browser?

     

    Internet Explorer/Chrome Automated Enterprise-Wide Import via GPO

    You can use Active Directory Group Policy Objects (GPO) to import certificates into the Windows certificate store, which both Internet Explorer and Chrome use. These instructions are for Server 2008.

    Use the below KB from Microsoft to assist in navigating to the GPO in your domain:

    http://technet.microsoft.com/en-us/library/cc781159(v=ws.10).aspx

     

    Note: Any application which does not use the Windows (Internet Explorer) certificate store must have the certificate imported manually per user and client. GPO imports only apply to applications using the Windows certificate store; Firefox and Java, for example, keep their own stores.

     

    Once you have the GPO open that you wish to edit, continue to follow the instructions below:

      1. Navigate to Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
      2. Right-click Trusted Root Certification Authorities and select Import.
      3. Complete the wizard to import the previously exported public Certificate Authority certificate (the .cer file, never a file containing the private key).
      4. Exit the Group Policy Object Editor.
      5. On a client, navigate to Start > Run > cmd.
      6. Type gpupdate /force at the command prompt. This refreshes the GPO.
      7. Log out and log back into the domain.
      8. Open mmc.exe, add the Certificates snap-in for the Computer account (the GPO writes to the local computer store, not the current user's store).
      9. Expand the Trusted Root Certification Authorities store. You should see the certificate; compare its thumbprint with the one shown on the Web Gateway.

    gpo.png

     

     

    Internet Explorer/Chrome Manual Import

    If unable to use GPO, follow the instructions below for manually importing the certificate into the Windows certificate store:

     

    Note: certmgr.msc manages the current user's store, so this process must be done per user and client. It also only works for applications which are using the Windows certificate store.

     

      1. Open the "Run" dialog window on whichever version of Windows you are using.
      2. Type "certmgr.msc" and click "OK".
      3. Right-click "Trusted Root Certification Authorities" and hover over "All Tasks".
      4. Select "Import".
      5. On the Certificate Import Wizard welcome page, click Next.
      6. Click Browse and navigate to where you stored the WebProtectionCertificate.cer file.
      7. Click Next.
      8. Confirm that the store shown is "Trusted Root Certification Authorities" (it is preselected because you started the wizard from that store), then click Next.
      9. Click Finish. A message indicating a successful import appears.
      10. Close all open windows.
      12. Close all open windows.

    2013-09-12_172030.png
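    The same result can be scripted on a Windows client, which is useful for machines outside the domain and for verifying what the GPO above actually delivered. The following PowerShell script is an added example, not part of the McAfee article: it checks that the exported file really is your self-signed CA certificate (basicConstraints CA:TRUE, subject equals issuer, no private key), compares its thumbprint with the one you read off the Web Gateway, imports it into the machine-wide Trusted Root store, and verifies the import the way step 9 of the GPO procedure does with MMC. The file path and the thumbprint are placeholders; run it in an elevated PowerShell on Windows 8/Server 2012 or later, where Import-Certificate is available.

```powershell
# Added example (not from the McAfee article). Installs the CA certificate
# exported from the Web Gateway into the machine-wide Trusted Root store and
# verifies it. Placeholders: $CertPath and $ExpectedThumbprint (take the
# thumbprint from the Default CA page in the Web Gateway UI).
param(
    [string]$CertPath           = 'C:\temp\WebProtectionCertificate.cer',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Load the exported file; X509Certificate2 accepts DER (.cer/.der) and Base64 (.crt).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. It must be a CA certificate, and the self-signed root you generated.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CertPath is not a CA certificate (no basicConstraints CA:TRUE)"
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Expected a self-signed root, but the issuer is '$($cert.Issuer)'"
}

# 2. Only the public certificate may be distributed. A .cer never carries a key,
#    but a .pfx/.p12 would, and the CA private key must stay on the gateway.
if ($cert.HasPrivateKey) {
    throw 'The file contains a private key; re-export the certificate only'
}

# 3. The thumbprint must match what the gateway shows, so that you do not trust
#    a stale export or the shared default CA by mistake.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected $expected"
}

# 4. Install into the local machine store: applies to every user on this machine
#    and to every application that uses the Windows store (IE, Chrome, .NET, ...).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Verify, the same check as expanding the store in MMC after a GPO refresh.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) {
    throw 'Certificate not found in the Trusted Root store after import'
}
"Installed: $($installed.Subject) ($($installed.Thumbprint)), valid until $($installed.NotAfter)"
```

    For a GPO deployment, skip the Import-Certificate line and run the remaining checks after gpupdate /force; a thumbprint mismatch at that point means the GPO carried a different file than the one you exported.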

     

     

    Alternative Method for Internet Explorer

    You could also import the Certificate Authority manually from within Internet Explorer. Go to Tools > Internet Options > Content > Certificates, open the 'Trusted Root Certification Authorities' tab and press the Import button. This writes to the current user's store, so it has the same per-user limitation as certmgr.msc.

     

     

    Firefox Manual Import

    Since Firefox doesn't use the Windows (IE) certificate store, each user must manually import the MWG CA's public certificate into the Firefox certificate store. This limitation is by design of the Firefox browser and not specific to MWG. Newer Firefox versions can be told to also trust the roots in the Windows store by setting security.enterprise_roots.enabled to true in about:config; the steps below are for versions without that option, or where you cannot change it.

     

    Note: This process must be done for each user and client. This also only works for Firefox.

     

      1. From the Tools menu, select Options.
      2. Click "Advanced".
      3. Click "Encryption".
      4. Click "View Certificates".
      5. On the "Authorities" tab, click "Import".
      6. Navigate to where you stored the WebProtectionCertificate.cer file and open it.
      7. Select "Trust this CA to identify websites".
      8. Click "OK" and close all open windows.

     

    firefox.png

     

     

    Importing/Exporting a Certificate Authority on Mac OS 10.7

    Follow the link below for documentation on how to Import/Export on Mac OS 10.7

    http://www.digicert.com/ssl-support/p12-import-export-mac-server.htm

     

    Include Download Link on Blockpage

    Web Gateway can host the CA certificate on the block page, enabling users to install certificates themselves if needed. To host the certificate in the block pages we'll perform the following:

     

    1. Export the CA certificate, save it as "ssl_ca.crt" (it must have a file extension .crt, .cer, or .der)

     

    2. Upload the certificate to your template collection into a folder called "certs"

     

    3. Create the link to the certificate using the example below:

    <a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here to download</a>

     

    <!-- CA Cert Download -->

    <div id="caFooter" style="text-align:left;" >

    <a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here to download the CA Certificate.</a>

    </div>

    <!-- /CA Cert Download -->

     

    4. Put the link into your header/footer, or into specific templates.

     

    5. Implement a certificate check on the block page, which tests whether the browser trusts the CA. The check works by loading a small image over an HTTPS URL that the Web Gateway serves with a certificate issued by your CA: if the browser does not trust the CA, the image fails to load, the onerror handler fires, and caCert() replaces the "installed" text with the download link (the replacement image is fetched over the plain end-user URL, so it renders even without the CA). The check is only meaningful when HTTPS to that host is actually inspected by the gateway; a host excluded from the SSL Scanner loads the image regardless.

    Uses this image: icon_cacert.gif (upload it to the "img" folder of the same template collection)

    Note: use either this snippet or the plain download link from step 3, not both, because both define a div with id="caFooter" and document.getElementById() only ever finds the first one.

     

    <!-- CA Cert Check -->

    <script>

    function caCert(){

    document.getElementById("caFooter").innerHTML = '<img style="vertical-align: middle;" src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> CA Certificate not installed. ';

    document.getElementById("caFooter").innerHTML += '<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/certs/ssl_ca.crt">Click here to download</a>';

    }

    </script>

    <div id="caFooter" style="text-align:left;" >

    <img style="vertical-align: middle;" src="https://mcp.webwasher.com$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif" onerror="caCert()"/> CA Certificate installed.

    </div>

    <!-- /CA Cert Check -->
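    The block page check above tells the user whether their browser trusts the CA. An administrator usually wants the same answer from a client without a browser, together with proof that inspection is actually happening for a given site. The following PowerShell script is an added example, not part of the McAfee article or of the Web Gateway: it opens a CONNECT tunnel through the proxy, lets Windows build and validate the certificate chain the gateway presents, and reports whether the chain ends at your CA and whether the machine trusts it. The proxy host and port, the target host and the CA thumbprint are placeholders to adjust for your environment.

```powershell
# Added example (not from the McAfee article). From a Windows client, tunnel
# through the Web Gateway with CONNECT and inspect the certificate chain it
# presents for the target host. Placeholders: proxy host/port, target host and
# the thumbprint of your own CA as shown in the Web Gateway UI.
param(
    [string]$ProxyHost            = 'mwg.example.local',
    [int]   $ProxyPort            = 9090,
    [string]$TargetHost           = 'www.example.com',
    [string]$ExpectedCaThumbprint = '0000000000000000000000000000000000000000'
)
$ErrorActionPreference = 'Stop'

# Windows' verdict on the chain is captured here instead of letting SslStream throw.
$script:chainErrors = [System.Net.Security.SslPolicyErrors]::None
$script:chainRoot   = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainErrors = $errors
    if ($chain -and $chain.ChainElements.Count -gt 0) {
        # The last element of the built chain is the (possibly untrusted) root.
        $script:chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    return $true   # observe only; never abort the handshake here
}

$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
try {
    $net = $tcp.GetStream()

    # Plain-HTTP CONNECT to the proxy. With HTTPS inspection on, the gateway
    # completes the TLS handshake itself with a certificate minted by its CA.
    $req   = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
    $net.Write($bytes, 0, $bytes.Length)

    # Read the proxy's response headers one byte at a time so no TLS bytes are consumed.
    $one  = New-Object byte[] 1
    $resp = ''
    while (-not $resp.EndsWith("`r`n`r`n")) {
        if ($net.Read($one, 0, 1) -le 0) { throw 'Proxy closed the connection during CONNECT' }
        $resp += [char]$one[0]
    }
    if ($resp -notmatch '^HTTP/1\.[01] 200') {
        throw "Proxy refused CONNECT: $($resp.Split("`n")[0].Trim())"
    }

    # TLS on top of the tunnel; our callback records the chain and its errors.
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $validate)
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
}
finally {
    $tcp.Close()
}

$rootPrint = if ($script:chainRoot) { $script:chainRoot.Thumbprint } else { '(none)' }
$expected  = ($ExpectedCaThumbprint -replace '\s', '').ToUpper()

"Target       : $TargetHost via ${ProxyHost}:$ProxyPort"
"Leaf subject : $($leaf.Subject)"
"Leaf issuer  : $($leaf.Issuer)"
"Chain root   : $rootPrint"
"Chain errors : $($script:chainErrors)"

if ($rootPrint -ne $expected) {
    'RESULT: chain does not end at your Web Gateway CA; HTTPS to this host is not inspected, or a different CA is configured.'
} elseif ($script:chainErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    'RESULT: traffic is inspected but this machine does not trust the CA; browsers using the Windows store will show certificate errors.'
} else {
    'RESULT: traffic is inspected and the CA is trusted by this machine.'
}
```

    Run it once before and once after the import: the first run should report RemoteCertificateChainErrors with your CA as the chain root, the second run should report no errors. If the chain root is a public CA instead, the target host is being tunneled without inspection and the check says nothing about the CA.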

     

    Conclusion

    By now you should understand what Certificate Authorities are used for and the process for importing them into your environment to work with the SSL Scanner.