Create an ETP Proxy MITM certificate

ETP Proxy uses a MITM CA TLS certificate to generate and sign MITM origin certificates for HTTPS web sites that go through it. For enterprise devices to accept and trust these certificates, the trusted MITM CA root certificate needs to be deployed on enterprise devices.

You can use either an ​Akamai​ certificate or a non-​Akamai​ MITM CA TLS certificate:

  • If you use an ​Akamai​ certificate, ​Akamai​ generates and signs the certificate that you download and distribute to your client computers. See Create an ​Akamai​ certificate.

  • If your company already has a public key infrastructure (PKI) in place, generate an intermediate CA certificate that is signed by the company root CA, which is already trusted by the computers in your network. To do this, generate and download a certificate signing request (CSR) from ETP. Then, submit this signing request to your existing root CA and obtain the signed intermediate MITM CA certificate. Upload this signed intermediate MITM CA certificate to ETP in order to sign MITM certificates for the inspected origin web sites. See Create a non-​Akamai​ certificate.

For more information on the MITM certificate, see ETP Proxy MITM certificate.

📘

If you use pip and your organization has enabled ETP Proxy, make sure you also add the ETP Proxy TLS MITM certificate to the pip configuration file. In the pip.conf file, add this entry:

[global]
cert = /path/certificate.pem

where:

  • path is the path to the certificate

  • certificate is the name of the certificate

Create an ​Akamai​ certificate

A trusted root certificate is required on end-user devices for ETP Proxy to terminate TLS and act as MITM for content inspection. This procedure describes how to create a certificate that is signed by ​Akamai​. If your organization has a public key infrastructure in place and already uses a CA, see Create a non-​Akamai​ certificate.

You need to be an ETP super administrator to perform this procedure. You can download the certificate in base64 (.pem) or binary (.der) format.

To create an ​Akamai​ certificate:

  1. In the Threat Protection menu of Enterprise Center, select Certificates > Proxy Certificate.

  2. In the Certificate type area, select ​Akamai​ Certificate and click Continue to Next Step.

  3. Click Download Certificate and depending on the certificate format you want to download, select Base64 (.pem) or Binary (.der).

  4. Distribute the certificate as a Trusted Root CA to all devices in your network. To distribute certificates, you can use Windows Group Policy for devices that are joined by domain, mobile device managers for mobile devices, or other desktop management systems.

  5. After the certificate is distributed, click Confirm Distribution.

  6. Click Activate Certificate. A confirmation window appears.

  7. Click Activate. The certificate is now available for use.

Create a non-​Akamai​ certificate

An intermediate CA certificate is required for ETP Proxy to decrypt TLS and act as a trusted MITM for content inspection.

These steps describe how you create the intermediate certificate if your organization already has a public key infrastructure (PKI) and maintains an internal CA root certificate. This process involves an administrator downloading a CSR, signing the CSR with the internal CA, and uploading the signed certificate to ETP.

If your company does not have a PKI in place, you can generate a public certificate that is signed by ​Akamai​ and distribute it to network devices. For more information, see Create an ETP certificate.

You need to be an ETP super administrator to perform this procedure.

To create a non-​Akamai​ certificate:

  1. Generate a certificate signing request

  2. Sign the request with your CA. If you are using OpenSSL or Microsoft Certificate Services to issue and manage certificates, see the corresponding procedure:

  3. Upload and deploy signed certificate to ETP

Generate a certificate signing request

To generate a CSR for a non-​Akamai​ certificate:

  1. In the Threat Protection menu of Enterprise Center, select Certificates > Proxy Certificate.

  2. In the Certificate type area, select Non-​Akamai​ Certificate, and click Continue to Next Step. The certificate signing request generates.

  3. Click Download CSR and depending on the certificate format you want to request, select Base64 (.pem) or Binary (.der).

  4. Save the CSR to a secure and accessible location.

Next Steps
Sign the CSR with your CA. Make sure that you generate a subordinate certificate in the format you selected for the request. ETP allows you to upload certificates in .pem or .der format.

If you are using OpenSSL or Microsoft Certificate Services to sign and manage certificates, see the corresponding procedure:

Sign the CSR with OpenSSL

Before you begin

  • Generate a certificate signing request

  • In the openssl.cnf file, make sure the [ v3_ca ] section of the file includes this field and value:

    basicConstraints = CA:TRUE

    This value indicates that the certificate is a CA.

To sign the CSR that you generated in ETP with OpenSSL:

Note that your CA needs to be configured with an OpenSSL configuration file and include a generated public certificate and private key pair for CA operations.

  1. On the CA system that contains OpenSSL, open a command line interface and go to the location where CA certificates are located.

  2. To generate a private key, enter this command:

    openssl genrsa -out <CA_private_key>.key 2048

    where <CA_private_key> is the name of the private key.

  3. To generate a public certificate that is used to sign the CSR, enter this command:

    openssl req -new -x509 -days 10000 -key <CA_private_key>.key -out <CA_public>.crt

    where:

    • <CA_private_key> is the name of your private key.

    • <CA_public> is the name of the CA's public certificate.

  4. Enter this command to sign the CSR and generate a signed certificate:

     openssl x509 -req -in <ETP_CSR> -days 365 -CA <CA_public> -CAkey <CA_private_key>.pem -set_serial 
     <#> -out <filename>.crt -extfile /<path>/<path>/openssl.cnf -extensions v3_ca
    

    where:

    • <ETP_CSR> is the certificate signing request you generated in ETP.

    • <CA_public> is the CA's public certificate.

    • <CA_private_key> is the CA's private key.

    • <#> is the serial number that you set for the generated self-signed certificate. You can use a decimal number (1, 2, 3, and so on).

    • <filename> is the file name that you want to assign to the certificate.

    • <path> is the path to the openssl.cnf file.

    The CA creates a certificate and signs it with the private key.

  5. Open the certificate and copy the contents of the certificate.

Next steps

Upload and deploy signed certificate to ETP

Sign the CSR with Microsoft Certificate Services

Before you begin

  1. Generate a certificate signing request

  2. Open the CSR that you generated in ETP and copy the contents of the CSR.

If your organization uses Microsoft Certificate Services to issue, revoke, or renew certificates, complete this procedure to sign the CSR you generated in ETP.

This procedure signs the request as a subordinate or intermediate CA.

Graphical user interface

To sign the CSR with the graphical user interface:

  1. Open a browser and go to the IP address of the Microsoft certificate server.

  2. Click Request a certificate.

  3. On the Request a certificate page, click advanced certificate request.

  4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

  5. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file you downloaded from ETP.

  6. In the Certificate Template list, select Subordinate Certificate Authority.

  7. Click Submit.

  8. On the Certificate Issued page, select Base 64 encoded.

  9. Click Download certificate and save the certificate to a secure location.

Next steps

Upload the signed certificate to ETP. See Upload and deploy signed certificate to ETP.

Command line interface

To sign the CSR with the command line:

  1. On the Microsoft certificate server, open a command prompt and run it as an administrator.

  2. Enter this command:

    certreq -submit -attrib "CertificateTemplate:SubCA" <certificateSigningRequest.csr>
    

    where <certificateSigningRequest.csr> is the certificate signing request you generated in ETP.

    The Certification Authority List dialog appears.

  3. Select the CA that you want to sign the request and click OK.

  4. Save the certificate as a .der file.

Next steps

Upload the signed certificate to ETP. See Upload and deploy signed certificate to ETP.

Upload and deploy signed certificate to ETP

Complete this procedure to upload the signed certificate to ETP. Uploaded certificates need to be in .pem format. As part of this process, you need to also distribute the certificate to your organization's trust store or TLS clients in your network.

You need to be an ETP super administrator to perform this procedure.

To upload and deploy a signed certificate:

  1. In the Threat Protection menu of Enterprise Center, select Certificates > Proxy Certificate.

  2. Click Upload Certificate.

  3. Upload the .der or .pem certificate that you generated.

  4. In the Upload Certificates window, paste the contents of the certificate and click Upload.

  5. If the subordinate or intermediate certificate is not distributed to workstations or TLS clients in your network, provide the certificate to an IT administrator who can distribute the certificate to the trust store or TLS clients in your network. For more information, see Distribute the ETP Proxy certificate.

  6. Click Activate Certificate. A confirmation window appears.

  7. Click Activate. The certificate is now available for use.


Did this page help you?