Generate Customized Master Certificates

Before you distribute the NBA master certificates to your clients, you must customize the certificate details. Do one of the following to customize and regenerate NBA master certificates.

To change the master certificate using the NBA console

(Available for Bivio 7000 appliances only)

  1. Log on to the NBA console and go to the SSL tab.
  2. Click the Master Certificates option.
  3. Change the Common name, Organization, Locality, Province and Country settings as required.

    The Common Name is the most important because this name is usually presented as the signing root authority when a user checks their SSL connection. They do this by clicking the padlock icon in the address bar of their browser.

    Use your organization's name as the Common Name to make the origin of the certificate clear. You may also want to add a note explaining the purpose of the certificate.

  4. Click Generate.
  5. The console displays a warning that the new public certificate and private key pairs will become active immediately and overwrite the current public certificate and private key pairs.
  6. Type ‘confirm’ in the input box and click Generate.

    The NBA generates the Trusted certificate and Revoked certificate and saves them on the Network appliance. (The Revoked certificate is optional.)

To change the master certificate using FTP

  1. Using FTP, browse to the /config folder on the NBA appliance.
  2. Edit nbaconfig.xml and change the following lines:
    <commonname type="stringType" value="CA DLP Network"/>
    <organizationname type="stringType" value="CA Technologies"/>
    <localityname type="stringType" value="Islandia"/>
    <provincename type="stringType" value="NY"/>
    <countryname type="stringType" value="US"/>
    

    The <commonname> is the most important setting because this name is usually presented as the signing root authority when a user checks their SSL connection. They do this by clicking the padlock icon in the address bar of their browser.

    Use your organization's name as the Common Name to make the origin of the certificate clear. You may also want to add a note explaining the purpose of the certificate.

  3. Log on to the NBA console using SSH.
  4. Run this command to prepare the NBA command environment:
    . /usr/local/share/nba/nbarc
    

    Note: Do not omit the space between the period and the first slash.

  5. Change into the NBA executable directory:
    cd /home/nba/bin
    
  6. Run this command to generate the new master certificate:
    ./nbacmd SSL_GENERATE
    

    This generates the following output:

    2010/12/23 11:26:43.963997 CMD: SSL certificate regeneration completed.
    
  7. Using FTP, browse to the /config folder on the NBA appliance.

    The nbaroot.p7b (trusted) and nbarevoked.p7b (untrusted) certificates are available for download.
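The nbaconfig.xml edit in step 2 can be scripted and checked before SSL_GENERATE is run. The following is an added example, not part of the CA DLP Network product: it reads the five subject settings by tag name, reports whether the Common Name is still the shipped default (which users would otherwise see as the signing root), and rejects empty values, a malformed country code, or an unchanged Common Name. The XML fragment is constructed for the example; the real nbaconfig.xml holds more elements around these.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of nbaconfig.xml holding the shipped default subject
# values from the page; the real file has more elements around these, so the
# functions below locate the settings by tag name anywhere in the document.
SAMPLE_NBACONFIG = """<nbaconfig>
  <ssl>
    <commonname type="stringType" value="CA DLP Network"/>
    <organizationname type="stringType" value="CA Technologies"/>
    <localityname type="stringType" value="Islandia"/>
    <provincename type="stringType" value="NY"/>
    <countryname type="stringType" value="US"/>
  </ssl>
</nbaconfig>"""

SUBJECT_TAGS = ("commonname", "organizationname", "localityname",
                "provincename", "countryname")
SHIPPED_DEFAULT_CN = "CA DLP Network"

def read_subject(xml_text):
    """Return the current master certificate subject as {tag: value}."""
    root = ET.fromstring(xml_text)
    return {tag: root.find(f".//{tag}").get("value") for tag in SUBJECT_TAGS}

def uses_default_subject(xml_text):
    """True while the Common Name is still the shipped default, i.e. the
    name users will see as the signing root has not been customised."""
    return read_subject(xml_text)["commonname"] == SHIPPED_DEFAULT_CN

def set_subject(xml_text, **fields):
    """Return new XML text with the given subject fields replaced.
    Rejects empty values, a country that is not a 2-letter upper-case code,
    and a Common Name left at the shipped default."""
    unknown = set(fields) - set(SUBJECT_TAGS)
    if unknown:
        raise ValueError(f"unknown subject field(s): {sorted(unknown)}")
    root = ET.fromstring(xml_text)
    for tag, value in fields.items():
        if not value.strip():
            raise ValueError(f"{tag} must not be empty")
        if tag == "countryname" and not (len(value) == 2 and value.isalpha()
                                         and value.isupper()):
            raise ValueError("countryname must be a 2-letter upper-case code")
        if tag == "commonname" and value == SHIPPED_DEFAULT_CN:
            raise ValueError("commonname is still the shipped default")
        root.find(f".//{tag}").set("value", value)
    return ET.tostring(root, encoding="unicode")
```

Write the returned text back to /config/nbaconfig.xml, then run SSL_GENERATE as in steps 3 to 6.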

Back up the Private Key

The private key of the NBA’s master certificate (used by clients to verify each SSL connection) is stored on disk on the NBA appliance. You must copy the private key for backup purposes. You must also copy the private key if the same certificate details are needed on multiple NBA appliances in a failover or load sharing configuration.

Note: Backing up the /config folder only protects the NBA configuration settings. It does not back up the private key.

To copy the private key

  1. Log on as root to the NBA console using SSH.
  2. Go to the private key directory. To do this, run this command:
    cd /home/nba/bin/private
    

    This folder contains the following files:

    nbaroot.crt: Public key in base64 X509 format
    root.pem: Private key
    nbarevoked.crt: Public key in base64 X509 format
    revoked.pem: Private key

  3. Copy the complete /private folder, including these files, from the configured CA DLP Network appliance to the unconfigured appliances.
  4. Copy the complete /home/smb/config folder, including all subfolders and files, from the configured CA DLP Network appliance to the unconfigured appliances in order to fully replicate your configuration.
  5. Reboot the unconfigured appliances.

Distribute Certificates

The NBA master certificates that the NBA uses to sign server certificates must be available for the client application to use.

The client application is usually a browser running on a user's computer. You therefore need to download and distribute the master certificates to all computers in your organization for which you want the ability to decrypt SSL communications.

In most cases, the browser used is Internet Explorer. You can update the certificate store for Internet Explorer using Windows Group Policy. Other browsers and applications have their own certificate stores, so you must identify and update those stores before you enable SSL decoding.

Important: You must distribute the master certificate! If you do not, client applications may fail to make SSL connections because they will be unable to validate the certificate returned by CA DLP Network.

Download the Master Certificates

To export the master certificate using the NBA console

  1. Log on to the NBA console and go to the SSL tab.
  2. Click the Master Certificates option.
  3. Go to CA DLP Network Root Certificate Download section.
  4. Click Export to download the certificate you want.

    You can separately download the Trusted and Revoked certificates.

  5. Choose Save in the File Download dialog and specify the target folder for the downloaded certificate.

To export the master certificate using FTP

  1. Using FTP, browse to the /config folder on the NBA appliance.

    The nbaroot.p7b (trusted) and nbarevoked.p7b (untrusted) certificates are available for download.

  2. Copy the certificates to your preferred location.

Install the Master Certificates

To install a certificate for Internet Explorer using Group Policy

The actual steps vary, depending on your operating system. In summary, you must:

  1. Assign a new Public Key Policy to your domain.
  2. Import the NBA master certificate that you downloaded from the NBA appliance into Trusted Root Certification Authorities.

To install a certificate for Firefox

  1. Locate the nbaroot.p7b file that you downloaded from the NBA appliance.

    This file contains the trusted NBA master certificate.

  2. Export the file as a 'Base-64 encoded X.509 (.CER)' certificate.
  3. Import the file into Firefox.

    From the Tools menu, choose Options, Advanced, Encryption, View Certificates, Authorities, Import.

  4. Choose 'Trust this CA to identify web sites.'

Manage the Root Certificates

The NBA holds a set of well-known root certificate authority certificates that permit the NBA to validate connections to target websites. However, certificate authorities sometimes withdraw certificates and issue new ones, so you must keep the set of root certificates up to date on the NBA appliance. You may need to add or remove certificates from this set and if any public certificates are revoked, you must add them to the NBA’s revocation list.

Status information for all the certificate files is recorded in two log files on the NBA:

There are two methods for updating the certificate lists.

To manage root certificates using the NBA console

(For Bivio 7000 appliances only)

  1. Log in to the NBA console and go to the SSL tab.
  2. Click the Root Certificates option.
  3. You can add, remove or download trusted root certificates and revoked root certificates. Do one of the following:

    Add new certificates: Click Import, then browse to the file containing the certificates that you want the SSL decoder to use. A certificate file can contain multiple certificates. Finally, click Import to add the selected file.

    Remove one or more certificates: Click Delete, then hold the Ctrl key down while selecting one or more certificates to remove. Finally, click Delete to remove the selected certificates.

    Download a certificate file: Click Export to download a file containing all certificates in the list. You can import this file onto another NBA to keep the certificate sets identical on multiple NBA appliances.

    Reset the certificate list: Click Reset to remove all current certificates and replace them with the certificates delivered on installation.

To manage root certificates using FTP

  1. Using FTP, browse to the NBA /config/rootcerts folder.
  2. Add, remove, or copy the certificate files to maintain the set.
  3. To make the NBA use the modified set of certificates in this folder:
    1. Log on to the NBA console using SSH.
    2. Prepare the NBA command environment with this command:
      . /usr/local/share/nba/nbarc
      

      Note: Do not omit the space between the period and the first slash.

    3. Change into the NBA executable directory:
      cd /home/nba/bin
      
    4. Update the NBA SSL Decode configuration with this command:
      ./nbacmd SSL_UPDATE
      
    5. The following output confirms successful operation:
      2010/11/26 15:55:32.653788 nbaSendEvent: Event system connected
      2010/11/26 15:55:37.679308 CMD: SSL certificate regeneration completed.
      OK
      
Root Certificate Formats

Certificates are downloaded in .p7b format, which allows multiple certificates to be handled in one file using the Microsoft Windows MMC Certificates plug-in. When uploading certificates to the Network appliance, use this format or alternatively use .cer/.crt/.key/.pem files, which are either base-64 or DER encoded.

Certificate revocation lists (.crl files) are downloaded as a gzipped tar file (.tar.gz). When uploading certificate revocation lists to the Network appliance, you must upload each .crl file individually. The revocation lists may be either base-64 or DER encoded and contained in .crl or .pem files.
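Because the appliance accepts either base-64 or DER files and requires each .crl from the downloaded .tar.gz to be uploaded individually, it helps to classify the files first. The following is an added example, not the product's own tooling: it sniffs PEM armour versus the DER SEQUENCE tag, lists the PEM block labels in a bundle, and unpacks a CRL archive into a per-file encoding report. The archive contents are constructed filler, not real revocation data.

```python
import io
import tarfile

def detect_encoding(data):
    """Classify a certificate or CRL blob as 'pem', 'der' or 'unknown'.
    PEM (base-64) files open with a '-----BEGIN ...-----' armour line; DER
    files begin with the ASN.1 SEQUENCE tag 0x30 followed by a length byte
    (short form below 0x80, or a long-form marker 0x81..0x84)."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and (data[1] < 0x80 or 0x81 <= data[1] <= 0x84):
        return "der"
    return "unknown"

def pem_labels(data):
    """Return the labels of the PEM blocks in a file, e.g. ['CERTIFICATE',
    'CERTIFICATE'] for a bundle or ['X509 CRL'] for a revocation list."""
    labels = []
    for line in data.splitlines():
        if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
            labels.append(line[len(b"-----BEGIN "):-5].decode("ascii"))
    return labels

def unpack_crls(tgz_bytes):
    """Map each .crl/.pem member of a gzipped tar to its encoding, so the
    files can be checked and then uploaded one at a time."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lower().endswith((".crl", ".pem")):
                result[member.name] = detect_encoding(tar.extractfile(member).read())
    return result

def build_sample_tgz():
    """Constructed test archive: one PEM-armoured CRL and one DER-shaped CRL
    (the bodies are filler, not real revocation data)."""
    pem_crl = b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n"
    der_crl = bytes([0x30, 0x82, 0x01, 0x00]) + b"\x00" * 256
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (("crls/a.crl", pem_crl), ("crls/b.crl", der_crl)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```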

Activate the Decoder

The SSL decoder is a module within the NBA that decrypts intercepted SSL traffic and then re-encrypts the communication when policy processing is complete. For the SSL decoder to operate, the NBA must be online and in active mode, and network filters in the NBA policy must be set up for packet decryption.

Before you enable SSL decoding

  1. Verify that master certificates from the NBA SSL decoder are distributed to all clients where you want to decode network traffic.

    Use Group Policy or your preferred client administration tool to install the master certificates.

  2. Review the SSL network traffic that you expect to see on the network segment of the NBA.

    The NBA must be configured with details of sessions to include or exclude from decoding. For example, some instant messaging clients cannot be configured to accept the NBA master certificate, so they cannot be decoded and must be excluded.

Activating the SSL decoder

For the SSL decoder to operate, bring the NBA online and verify that it is in active mode:

Enable SSL decode using the web UI

  1. Select the 'Filters' tab and browse to the 'Network (packet) filters' section.
  2. Select the Enable checkbox for the "Default SSL decryption" filter.
  3. Click 'Apply'.

    The NBA reloads the policy and activates the network filter.

Enable SSL decode using FTP

  1. Edit the file /config/nbapolicy.xml
  2. In the <networkfilter enabled="false"> line, change false to true:
    <networkfilter enabled="true">
        <filtername type="stringType" value="Default SSL decryption"/>
        <ipaddrlist type="stringListType">
            <element value=":80"/>
            <element value=":443"/>
        </ipaddrlist>
        <protocols type="stringListType">
            <element value="tcp"/>
        </protocols>
        <action type="simpleEnumStreamBlock" value="decrypt"/>
        <loglevel type="simpleEnumLogLevel" value="error"/>
    </networkfilter>
    
  3. Save the file.

    The NBA reloads the policy and activates the network filter.
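A policy file can hold several <networkfilter> elements, so flipping the first enabled="false" found is not safe; match the filter by its filtername instead. The following is an added example, not the product's own tooling: it switches exactly the named filter, leaves the others untouched, and reports which enabled filters have the decrypt action and which address:port entries they cover. The policy fragment is constructed from the element shown above; the real nbapolicy.xml is larger.

```python
import xml.etree.ElementTree as ET

# Constructed nbapolicy.xml fragment with two filters, built from the
# <networkfilter> element shown on the page; the real file is larger.
SAMPLE_NBAPOLICY = """<nbapolicy>
  <networkfilter enabled="false">
    <filtername type="stringType" value="Default SSL decryption"/>
    <ipaddrlist type="stringListType">
      <element value=":80"/>
      <element value=":443"/>
    </ipaddrlist>
    <action type="simpleEnumStreamBlock" value="decrypt"/>
    <loglevel type="simpleEnumLogLevel" value="error"/>
  </networkfilter>
  <networkfilter enabled="false">
    <filtername type="stringType" value="Other filter"/>
    <action type="simpleEnumStreamBlock" value="block"/>
  </networkfilter>
</nbapolicy>"""

def find_filter(root, name):
    """Locate a <networkfilter> by its filtername value, or return None."""
    for nf in root.iter("networkfilter"):
        fn = nf.find("filtername")
        if fn is not None and fn.get("value") == name:
            return nf
    return None

def set_filter_enabled(xml_text, name, enabled):
    """Return the policy with only the named filter switched on or off."""
    root = ET.fromstring(xml_text)
    nf = find_filter(root, name)
    if nf is None:
        raise LookupError(f"no network filter named {name!r}")
    nf.set("enabled", "true" if enabled else "false")
    return ET.tostring(root, encoding="unicode")

def active_decrypt_filters(xml_text):
    """List (name, [address:port entries]) for every enabled filter whose
    action is 'decrypt': what the decoder will act on once the policy loads."""
    root = ET.fromstring(xml_text)
    found = []
    for nf in root.iter("networkfilter"):
        action = nf.find("action")
        if nf.get("enabled") != "true" or action is None or action.get("value") != "decrypt":
            continue
        name = nf.find("filtername").get("value")
        targets = [e.get("value") for e in nf.findall("ipaddrlist/element")]
        found.append((name, targets))
    return found
```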

More information:

Set the NBA Online or Offline

Active (Inline) Mode