Decryption Certificate
In order to decrypt, inspect and re-encrypt HTTPS certificates of the origin servers the application needs to be configured with Root Certification Authority certificate and private key (we will call it Decryption Certificate for short further).
The Certification Authority part in the certificate name means it is possible to sign other child site certificates with this given certificate, i.e. it can act as signing authority. The Root part means the certificate is self-signed and must be explicitly trusted by the client. See this Wikipedia article for more information.
Important / Danger
You are strongly advised to regenerate default root certificates that come with Web Safety to something more unique for your network. Default certificates are distributed with all installations of Web Safety and trusting them poses serious security risk for your network.
How to Generate Decryption Certificate
You must always generate your own certificate/private key. There are various methods to do that.
Using Admin UI / Automatically
In order to generate the new Decryption Certificate and its corresponding private key, open Admin UI / Squid Proxy / HTTPS menu and select the Root Certificate tab as indicated on the following screenshot.
Click on Generate New Certificate button and fill in the wizard form as desired, then click Generate Certificate button at the bottom of the page.
A new self-signed Decryption Certificate and private key will be generated and saved into /opt/websafety/etc/myca.pem
and /opt/websafety/etc/myca.der
files. See below for the description of what those files actually are and how they are used.
Using OpenSSL / Manually
You can also use the OpenSSL binary to generate the Decryption Certificate and its corresponding private key by running the following command on any Linux machine.
$ openssl req -new -newkey rsa:2048 -sha256 \
-days 3650 -nodes -x509 -keyout myca.pem -out myca.pem
The generated myca.pem now needs to be imported into the Admin UI / Squid Proxy / HTTPS / Root Certificate by clicking the Upload New Certificate button as indicated on the following screenshot.
Navigate to the myca.pem
file and click Upload. After that most important certificate properties will be visible on the Root Certificate tab.
Important
Your generated PEM file must contain both the private key and self-signed Decryption Certificate. The file usually has the -----BEGIN PRIVATE KEY-----
and -----BEGIN CERTIFICATE-----
sections. The application does some internal checks of this file and will refuse to upload the file with incorrect contents.
Re-use Decryption Certificate of Web Filtering Proxy
If you are also using our Microsoft Windows based Web Filtering Proxy application and already have trusted Decryption Certificate from it you can directly use it in Web Safety too. Just import the C:\ProgramData\Diladele\WebProxy\N.N\etc\myca.pem
file into the Admin UI as shown above.
Decryption Certificate Files Explained
The generated or imported certificate and private key of the Decryption Certificate are stored as myca.pem
and myca.der
files in /opt/websafety/etc/
folder.
myca.pem
This file contains both the Decryption Certificate and its corresponding private key in PEM format appended together. This file must be kept secret and should not be publicly available.
myca.der
This file contains the public part of the Decryption Certificate that needs to be installed in your browsers to make them trust the proxy. See the next article how to do that. This file is public in nature and can be freely redistributed.