NetScaler as SSL Forward Proxy

[Zoran Milenkovic1709152502]

Hi

 

Is there anybody out there to recommend some good implemetation guide for Cache Redirection?

 

I would like to setup NetScaler as SSL forward proxy where NetScaler will do SSL interception. What kind of SSL certificate should one need to set this up? Clearly, no one would like a proxy that gives your users security warings and red address field.

 

The idea behind interception is possibility to see what is happening inside the HTTPS traffic and filter out some HTTP methods like CONNECT or POST.

 

Thank you in advance!

 

Best Regards, Zoran

[Darius Cekanauskas]

Hi,

 

Have you found a solution for that ?

[Paul Blitz]

All you need for any public-facing SSL service is a trusted SSL certificate. There are many places that can do this, Thawte, Verisign, GoDaddy are 3 that come to mind.

 

Use Netscaler to create the SSL Key and Certificate Request. Ask for an "apache" style cert (also called "base 64", PEM etc)

[Zoran Milenkovic1709152502]

No, @Darius Cekanauskas, I haven't checked is there any new features in NS 11. But when I was checking it on 10.5, forward SSL proxy with SSL interception, it was NOT possible.

 

@Paul Blitz, are you sure that plain Web Server SSL certificate can be used for re-signing of certificates? Do you have any real life examples on it?

 

BR Zoran

[Paul Blitz]

Sorry, I think we all misunderstood the question.

 

"SSL Forward Proxy" seems to be an F5 thing (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html) , and I think you are correct, Netscaler can't easily do this

 

[Kirt Carson]

Finally figured it out.  You need to add:

Basic Constraints SubjectType=CA

Key Usage Certificate Signing, Off-line CRL Signing, CRL Signing (06)

 

You must add this within the wizard for SSL Forward Proxy SSL Intercept and clicking Add to create a SSL interception CA key-pair.  You'll get an error Not CA cert without Basic Constraint.