SSL for SaaS Tab
SSL配置>覆盖&安全> > SSL for SaaS
This report lists the signed substitute certificates for the appliances.
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA). There are two possible signers:
For aBuilt-In CA Certificate, the signing authority is Silver Peak.
The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
For aCustom CA Certificate, the signing authority is the Enterprise CA.
If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
If this substitute certificate is subordinate to a root CA certificate, also install the higher-levelSSL CA certificates(into theSSL CA Certificatestemplate) so that the browser can validate up the chain to the root CA.
If youdo notalready have a subordinate CA certificate, you can access any appliance’sConfiguration > Templates & Policies > Applications & SaaS > SaaS Optimizationpage and generate a Certificate Signing Request (CSR).
TIP:For a historical matrix of EdgeConnect and Orchestrator security algorithms, clickhere.
为SaaS编辑行SSL
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA). There are two possible signers:
For a Built-In CA Certificate, the signing authority is Silver Peak.
The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
For a Custom CA Certificate, the signing authority is the Enterprise CA.
If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to the Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
If this substitute certificate is subordinate to a root CA certificate, also install the higher-levelSSL CA certificates(viaConfiguration > Overlays & Security > SSL > SSL CA Certificates) so that the browser can validate up the chain to the root CA.
If youdo notalready have a subordinate CA certificate, you can access any appliance’sConfiguration > Templates & Policies > Applications & SaaS > SaaS Optimizationpage and generate a Certificate Signing Request (CSR). The workflow would basically follow this pattern:
ClickGenerate Certificate Signing Requestand complete the Certificate Information requested in the dialog box.
Save the CSR and the Private Key.
Submit the CSR to your enterprise CA to obtain a Subordinate CA Certificate.
After approvals are complete and the subordinate CA is in hand, navigate to theConfiguration > Templates & Policies > Applications & SaaS > SaaS Optimizationpage.
UnderCustom CA Certificate, clickUpload and Replaceto import the subordinate CA.