SSL for SaaS Tab
Configuration > Overlays & Security > SSL > SSL for SaaS
This tab lists the signed substitute certificates for the appliances.
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA). There are two possible signers:
- For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.
  - The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
  - To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
- For a Custom CA Certificate, the signing authority is the Enterprise CA.
  - If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
  - If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.
  - If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.
SSL for SaaS Edit Row
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA). There are two possible signers:
- For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.
  - The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
  - To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
- For a Custom CA Certificate, the signing authority is the Enterprise CA.
  - If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to the Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
  - If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (via Configuration > Overlays & Security > SSL > SSL CA Certificates) so that the browser can validate up the chain to the root CA.
  - If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR). The workflow follows this pattern:
    - Click Generate Certificate Signing Request and complete the Certificate Information requested in the dialog box.
    - Save the CSR and the Private Key.
    - Submit the CSR to your enterprise CA to obtain a Subordinate CA Certificate.
    - After approvals are complete and the subordinate CA is in hand, navigate to the Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page.
    - Under Custom CA Certificate, click Upload and Replace to import the subordinate CA.
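Before the upload step in the workflow above, it is worth confirming that what the enterprise CA returned is a CA certificate, matches the private key saved with the CSR, and chains to the root CA. The script below is an added example, not part of the Orchestrator documentation or product. It assumes PEM-encoded files and the OpenSSL command line, and all file names and the demo PKI are constructed.

```shell
#!/bin/sh
# Added example: checks to run on a subordinate CA certificate before upload.
# File names and the demo PKI are constructed; PEM files and the OpenSSL CLI are assumed.

# check_subca CERT KEY ROOT: prints "ok" or the first failed check (non-zero status).
check_subca() {
  cert=$1 key=$2 root=$3
  # 1. The enterprise CA must have issued a CA certificate, not an end-entity one.
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
    || { echo "not a CA certificate"; return 1; }
  # 2. Its public key must match the private key saved alongside the CSR.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "certificate does not match the saved private key"; return 2; }
  # 3. It must chain to the root CA that the browsers trust.
  openssl verify -CAfile "$root" "$cert" 2>/dev/null | grep -q ': OK$' \
    || { echo "does not chain to the given root CA"; return 3; }
  echo "ok"
}

# make_demo_pki DIR: constructed test data (two roots, one sub CA, one non-CA cert).
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  for n in root other sub; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=Demo $n CA" 2>/dev/null || return 1
  done
  for n in root other; do   # two unrelated self-signed roots
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" \
      -extfile "$d/ca.ext" -days 1 -out "$d/$n.pem" 2>/dev/null || return 1
  done
  # Same CSR signed twice by the root: once as a CA, once with no CA extension.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/sub.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_subca "$demo/sub.pem" "$demo/sub.key" "$demo/root.pem"            # valid subordinate CA
check_subca "$demo/leaf.pem" "$demo/sub.key" "$demo/root.pem" || true   # issued without CA:TRUE
```

With real files, call `check_subca` with the certificate returned by the enterprise CA, the private key saved with the CSR, and the root CA certificate.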