Creating a Certificate Authority certificate

To create a Certificate Authority (CA) certificate:

  1. Follow the instructions in Configuring SSH Access to enable SSH access.
  2. SSH onto the Web Gateway and become root.
  3. Create a copy of the openssl.cnf file:
    cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.orig
  4. Open the openssl.cnf file in an editor:
    vi /etc/pki/tls/openssl.cnf
  5. Look for default_days and set the number of days for which signed certificates are valid (by default, this is 365). This value is read by openssl ca when it signs certificates; the CA script passes its own -days value (1095 on a stock OpenSSL install) when it creates the root certificate itself.
  6. Find the section [ v3_ca ] and add the line keyUsage = keyCertSign. This section already carries basicConstraints = CA:true, which is what marks the certificate as a CA.
  7. Run /etc/pki/tls/misc/CA -newca. This generates a new private key and a self-signed CA certificate.
  8. Press Enter to accept the default filename.
  9. Enter the pass phrase and confirm it.
  10. Enter all the details requested. For example:
    Country code: GB, State or Province: Berkshire, Locality Name: Theale, Organization Name: Clearswift, Organizational Unit Name: Engineering, Common Name: CA for Clearswift Web Gateway, Email Address: xxxx@Clearswift.Com
    'Extra' attributes can be added; otherwise press Enter for each.
  11. Enter the same pass phrase you used in step 9 (the script needs the key again to sign the certificate).
  12. Copy the files cacert.pem and cakey.pem off the gateway. Use scp or SFTP rather than plain FTP: cakey.pem is the CA private key, and it must not cross the network in clear text.
    The CA certificate (cacert.pem) can be found in the folder /etc/pki/CA. The private key (cakey.pem) can be found at /etc/pki/CA/private.
  13. Edit the cacert.pem file and delete all the lines prior to the line that starts -----BEGIN CERTIFICATE-----. The CA script writes a human-readable dump of the certificate ahead of the PEM block; only the block itself, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, should remain.
  14. The cacert.pem (certificate) and cakey.pem (private key, which should be protected by its pass phrase) can now be imported into the gateway.
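The procedure above can be scripted so it is repeatable and its result can be checked before import. The block below is an added example, not Clearswift's tooling: it drives the openssl command line directly instead of the interactive /etc/pki/tls/misc/CA wrapper, builds the [ v3_ca ] section the page asks for (cRLSign is an addition so the CA can also sign revocation lists), strips the text dump ahead of the PEM block as in step 13, and then verifies that the certificate is a CA, that its key usage permits certificate signing, and that the validity period is the one requested. The config section names, output directory, placeholder pass phrase and the example subject values are assumptions.

```python
import os
import re
import subprocess
import tempfile

# OpenSSL config equivalent to the edits the procedure makes to openssl.cnf:
# a [ v3_ca ] section carrying keyUsage = keyCertSign, used as the extension
# section for the self-signed certificate. Subject values are the page's
# example ones. cRLSign is an addition (lets the CA sign CRLs as well).
CA_CONFIG = """\
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]
C  = GB
ST = Berkshire
L  = Theale
O  = Clearswift
OU = Engineering
CN = CA for Clearswift Web Gateway

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
"""

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def strip_pem_preamble(text: str) -> str:
    """Step 13: the CA script writes a human-readable dump of the certificate
    ahead of the PEM block; keep only the block, which is what importers want."""
    idx = text.find(PEM_BEGIN)
    if idx < 0:
        raise ValueError("no PEM certificate in input")
    return text[idx:]


def run_openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def create_ca(workdir: str, days: int, passphrase: str) -> dict:
    """Steps 7-11 without the interactive prompts: one self-signed request
    with a pass-phrase-encrypted RSA key. Returns paths plus checked facts."""
    cfg = os.path.join(workdir, "ca.cnf")
    key = os.path.join(workdir, "cakey.pem")
    cert = os.path.join(workdir, "cacert.pem")
    with open(cfg, "w") as f:
        f.write(CA_CONFIG)
    res = run_openssl("req", "-x509", "-new", "-newkey", "rsa:2048",
                      "-days", str(days), "-config", cfg, "-extensions", "v3_ca",
                      "-keyout", key, "-out", cert,
                      "-passout", "pass:" + passphrase)   # encrypts the key
    if res.returncode != 0:
        raise RuntimeError(res.stderr)
    return {"key": key, "cert": cert, "days_ok": valid_for_days(cert, days),
            **inspect_ca(cert)}


def inspect_ca(cert_path: str) -> dict:
    """What to check before importing: the certificate is a CA, its key usage
    permits certificate signing, and the subject is the one you entered."""
    out = run_openssl("x509", "-in", cert_path, "-noout", "-text").stdout
    cn = re.search(r"CN\s*=\s*([^,\n]+)", out)
    return {"is_ca": "CA:TRUE" in out,
            "can_sign_certs": "Certificate Sign" in out,
            "subject_cn": cn.group(1).strip() if cn else None}


def valid_for_days(cert_path: str, days: int) -> bool:
    """-checkend exits 0 if the certificate is still valid after N seconds, so
    'alive at days-1, expired at days+1' confirms the -days value took effect."""
    def alive_after(seconds: int) -> bool:
        return run_openssl("x509", "-in", cert_path, "-noout",
                           "-checkend", str(seconds)).returncode == 0
    return alive_after((days - 1) * 86400) and not alive_after((days + 1) * 86400)


def demo(days: int = 3650) -> dict:
    """Build a CA in a scratch directory with a placeholder pass phrase."""
    info = create_ca(tempfile.mkdtemp(), days, "placeholder-passphrase")
    with open(info["cert"]) as f:
        info["pem"] = strip_pem_preamble(f.read())   # ready to import
    return info


if __name__ == "__main__":
    summary = demo()
    print({k: v for k, v in summary.items() if k != "pem"})
```

Run it on the gateway (or any host with openssl) and copy cakey.pem and the cleaned cacert.pem off with scp; the same inspect_ca checks are worth running on any CA certificate you are about to import, whichever way it was produced.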

Certificate caching

The Web Gateway dynamically generates a certificate for each site that a connecting client visits. Before generating one, it checks the cache so that a certificate is not generated twice for the same site. To configure the maximum number of cached certificates:

  1. Open the certCache.properties.template file (located at /opt/cs-gateway/websettings/certCache.properties.template).
  2. Edit the maxCacheSize property. This value defaults to 100,000.
  3. If the maximum size is reached, certificates for new sites are not cached and a line is written to the Decryption log once per day to warn you of this.

  4. After changing any configuration settings in the certCache.properties.template file, the configuration needs to be applied in the UI and you must restart the proxy manually.

Cache reset

By default, the cache contents are reset at midnight. If this fails, an alarm is raised and can be viewed in the Logs & Alarms page. It is important that the cache is reset, as generated certificates are short-lived and expire after 7 days.
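A small model of the cache behaviour described in the two sections above (lookup before generation, the maxCacheSize limit, the once-per-day warning, the 7-day certificate lifetime and the midnight reset), added here as an example. It is not Clearswift's code: the entry layout, the log wording, the injected clock and the placeholder certificate generation are assumptions; only the rules it enforces come from the page.

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=7)   # generated certificates expire after 7 days


class CertCache:
    """Per-site certificate cache modelled on the behaviour described above."""

    def __init__(self, max_cache_size: int = 100_000, now: datetime = None):
        self.max_cache_size = max_cache_size    # maxCacheSize in certCache.properties
        self.now = now or datetime.now()        # injected clock so time can be moved
        self.entries = {}                       # site -> (certificate, generated_at)
        self.decryption_log = []                # constructed stand-in for the Decryption log
        self._warned_on = None                  # date of the last cache-full warning
        self._generated = 0

    def advance_days(self, days: float) -> None:
        self.now += timedelta(days=days)

    def _generate(self, site: str) -> str:
        # Stand-in for real certificate generation: a unique label per generation,
        # so a regenerated certificate is distinguishable from a cached one.
        self._generated += 1
        return f"cert:{site}#{self._generated}"

    def certificate_for(self, site: str) -> str:
        """Check the cache first; generate only on a miss. When the cache is full
        the new certificate is still served but not cached, and a warning is
        logged at most once per day."""
        if site in self.entries:
            return self.entries[site][0]
        cert = self._generate(site)
        if len(self.entries) < self.max_cache_size:
            self.entries[site] = (cert, self.now)
        else:
            self._warn_cache_full()
        return cert

    def _warn_cache_full(self) -> None:
        today = self.now.date()
        if self._warned_on != today:
            self._warned_on = today
            self.decryption_log.append(
                f"{self.now:%Y-%m-%d %H:%M:%S} certificate cache full "
                f"(maxCacheSize={self.max_cache_size}); new sites are not being cached")

    def expired_entries(self) -> list:
        """Sites whose cached certificate has passed its 7-day lifetime. A lookup
        does not check this, which is why the midnight reset matters: without it
        these certificates would be handed to clients already expired."""
        return [site for site, (_, generated_at) in self.entries.items()
                if self.now - generated_at >= CERT_LIFETIME]

    def midnight_reset(self) -> None:
        """Scheduled at midnight; clears every entry and the daily warning latch."""
        self.entries.clear()
        self._warned_on = None


if __name__ == "__main__":
    cache = CertCache(max_cache_size=2)
    for site in ("example.com", "example.org", "example.net"):
        cache.certificate_for(site)
    print(cache.decryption_log)          # one cache-full warning for example.net
    cache.advance_days(8)
    print(cache.expired_entries())       # stale entries the reset would clear
```

The two things to take from the model: a cache that has hit maxCacheSize keeps serving new sites (only the caching stops, and the Decryption log tells you once a day), and a cache that is never reset ends up holding certificates older than their 7-day lifetime, which is why a failed midnight reset is raised as an alarm rather than silently ignored.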


© 1995–2018 Clearswift Ltd.