
SSL for SaaS Tab

Configuration > Overlays & Security > SSL > SSL for SaaS

This tab lists the signed substitute certificates for the appliances.

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA). There are two possible signers:

  • For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.

    • The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.

    • To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.

  • For a Custom CA Certificate, the signing authority is the Enterprise CA.

    • If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.

    • If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.

    • If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).

TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, click here.

SSL for SaaS Edit Row

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA). There are two possible signers:

  • For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.

    • The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.

    • To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.

  • For a Custom CA Certificate, the signing authority is the Enterprise CA.

    • If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to the Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.

    • If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (via Configuration > Overlays & Security > SSL > SSL CA Certificates) so that the browser can validate up the chain to the root CA.

    • If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR). The workflow follows this pattern:

      1. Click Generate Certificate Signing Request and complete the Certificate Information requested in the dialog box.

      2. Save the CSR and the Private Key.

      3. Submit the CSR to your enterprise CA to obtain a Subordinate CA Certificate.

      4. After approvals are complete and the subordinate CA is in hand, navigate to the Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page.

      5. Under Custom CA Certificate, click Upload and Replace to import the subordinate CA.
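
Before the upload in step 5, it helps to confirm that what the enterprise CA returned is a CA certificate, matches the private key saved in step 2, and chains to the root CA. The following is an added example, not HPE Aruba Networking code; it assumes PEM files and the openssl CLI, and the function names, file names, and constructed demo chain are hypothetical.

```shell
# Added example, not vendor code. Requires the openssl CLI; all file names are hypothetical.

# check_sub_ca SIGNED.pem SAVED.key ROOT.pem
# Returns 0 only if SIGNED.pem is usable as the Custom CA Certificate.
check_sub_ca() {
  local cert="$1" key="$2" root="$3" rc=0 cert_pub key_pub
  # 1. It must be a CA certificate, or it cannot sign substitute certificates.
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: basicConstraints is not CA:TRUE"; rc=1
  fi
  # 2. Its public key must match the private key saved with the CSR (step 2).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: certificate does not match the saved private key"; rc=1
  fi
  # 3. It must chain to the root CA that client browsers trust.
  if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not verify against $root"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert"
  return "$rc"
}

# make_demo_chain DIR
# Builds constructed test material in DIR: a root CA, a key and CSR, and the CSR
# signed twice (signed_TRUE.pem is a subordinate CA, signed_FALSE.pem is not).
make_demo_chain() {
  local d="$1" kind
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
    '[dn]' 'CN=Constructed Root CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/root.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/root.cnf" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/root.cnf" \
    -subj '/CN=Constructed Sub CA' -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  for kind in TRUE FALSE; do
    echo "basicConstraints=critical,CA:$kind" > "$d/ext.cnf"
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/signed_$kind.pem" 2>/dev/null
  done
}

# Usage: check_sub_ca subordinate-ca.pem saved-private.key enterprise-root.pem
```
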



© Copyright 2024 Hewlett Packard Enterprise Development LP.
