Configuring the signing authority and trusted authorities
Follow this procedure only if you have chosen filtering WITH SSL traffic decryption.
The SSL proxy signs fake certificates by default with the SSL proxy default authority already found on the firewall. Modify the signing authority if the default configuration is not suitable.
Likewise, you can customize the list of authorities or trusted certificates.
- Log on to the web administration interface.
- In the module Configuration > Application protection > Protocols, select the SSL protocol, then click on Go to global configuration.
- In the Proxy tab, under Generate certificates to emulate the SSL server, specify the signing CA, its password and lifetime.
- In the Customized certificate authorities tab, add the private authorities that you wish to trust.
- In the Public certificate authorities tab, enable or disable the trusted authorities where necessary. The SSL proxy checks whether the remote server's certificate has been signed by a public or private trusted authority. The list of public authorities is automatically updated by the firewall's Active Update module.
- In the Trusted certificates tab, add the certificates of servers that you wish to trust.
- Click on Apply.