Configuring and Using the SCC as a Certificate Authority Service
You can enable a certificate authority (CA) service in SCC. You can configure the SCC CA as a private root CA or an intermediate CA that is trusted within your organization. The SCC CA service enables you to issue the following certificates to SteelHeads:
Secure peering certificates
Proxy certificates for SSL acceleration (SCC 9.5 and later)
Web proxy certificates for HTTPS traffic proxy.
As a SteelHead deployment grows, independently managing certificates for secure protocol acceleration and HTTPS web proxy can be a daunting and time-consuming task. The SCC CA service offers a way to simplify, streamline, and automate this task from a central console. Using the SCC CA service, you can:
Easily manage and issue secure peering certificates to SteelHeads.
Simplify the task of configuring secure peering trust relationships between SteelHeads for secure protocol acceleration.
When you replace the secure peering certificate on a SteelHead with one issued by the SCC CA, and use the SCC to configure the secure peering trust relationship, the SCC CA is configured as a trusted entity on the SteelHead. The SteelHead then automatically trusts all peers whose secure peering certificate was issued by the same SCC CA, which eliminates the need to configure secure peering trust one SteelHead peer at a time.
Automate the issue of proxy certificates for SSL acceleration.
Automate the issue of web proxy certificates for HTTPS traffic proxy.
Increase operational efficiency by centrally managing and issuing certificates for secure protocol acceleration and HTTPS web proxy.
You can't submit a Certificate Signing Request (CSR) to have a certificate signed by the SCC CA through the SCC Management Console. The SCC CA can be used only to issue certificates, and it implicitly signs every certificate it issues. Using and trusting only CA-signed certificates increases the security of your SteelHead installation.
To enable the SCC CA service
If you’re using the SCC CA as an intermediate CA, import the root CA certificate into the Trusted CA Store. The Trusted CA Store is used only by the SCC CA service for the purpose of certificate chaining to establish itself as an intermediate CA.
Many vendors are phasing out support for SHA-1 certificates, and we recommend that you do so as well. A Cipher Bits setting of 2048 or higher is also recommended.
You can enable the SCC CA service as an intermediate CA only in SCC 9.5 and later.
You can also import the entire certificate chain through the SCC CA service. The intermediate CA certificate must be the first certificate in the chain. The root CA certificate is not automatically installed into the Trusted CA Store.
1. From the Management Console, choose Administration > Security: Certificate Authority.
2. Select Enable/disable the certificate authority and click Apply.
3. If you’re using the SCC CA as a root CA, generate the root CA certificate using the next step.
4. Select Generate New Private Key and Self-Signed Public Certificate.
5. To import the root CA into the Trusted CA Store, choose Administration > Security: Trusted CA Store.
6. Next, import the intermediate CA certificate and private key in PEM format into the SCC CA service.
7. To import the intermediate CA and private key, choose Administration > Security: Certificate Authority and click Replace.
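The check below is an added example, not SCC code or a Riverbed tool: written in Go, it vets a PEM chain the way a practitioner would before importing it in step 7, enforcing the ordering rule (the intermediate CA certificate first, never a self-signed root or a leaf), verifying that each certificate is signed by the one that follows it, and reporting the SHA-1 signatures and RSA keys shorter than 2048 bits that the notes above advise against. NewTestCA is a constructed Ed25519 fixture that stands in for SCC-generated material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChain vets a PEM chain before import into the SCC CA service: intermediate CA first
// (CA:TRUE, not self-signed), each cert signed by the next, no SHA-1 or RSA < 2048 bits.
func CheckChain(bundle []byte) (findings []string) {
	var der []byte
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		der = append(der, blk.Bytes...) // concatenated DER for ParseCertificates
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) == 0 || !certs[0].IsCA || certs[0].CheckSignatureFrom(certs[0]) == nil {
		return []string{"chain must be parseable and start with the intermediate CA, not a root or leaf"}
	}
	for i, c := range certs {
		if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
			findings = append(findings, fmt.Sprintf("cert %d: SHA-1 signature", i))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("cert %d: %d-bit RSA key", i, k.N.BitLen()))
		}
		if i+1 < len(certs) && c.CheckSignatureFrom(certs[i+1]) != nil {
			findings = append(findings, fmt.Sprintf("cert %d: not signed by cert %d", i, i+1))
		}
	}
	return findings
}

// NewTestCA builds a constructed Ed25519 CA cert (self-signed when parent is nil); not SCC output.
func NewTestCA(parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

To vet a real export, read the PEM file into a byte slice and pass it to CheckChain; an empty result means the file is ordered and chained as the import step requires.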
To use the SCC CA service to issue a secure peering certificate
1. From the Management Console, choose Manage > Topology: Appliances.
2. Select Appliance Operations.
3. Select Replace (Generate) Peering Certificates from the drop-down menu.
4. Specify the certificate details.
5. Select the appliance on which you want to replace the secure peering certificate and click Replace.
The secure peering certificate on the SteelHead is not replaced until a Push operation is completed.
6. Select Push Policies from the drop-down menu.
7. Select the same appliance and click Push.
8. From the Management Console, choose Manage > Operations: Operations History to verify that the operations are successful.
9. From the Management Console, choose Administration > Security: Certificate Authority to view the peering certificate issued by the SCC CA.
10. From the Management Console, verify that the secure peering certificate has been replaced.
The SCC CA is automatically configured as a Trusted Entity only when an SCC secure peering policy is pushed to a SteelHead. The policy must include a peer SteelHead that has a secure peering certificate issued by the SCC CA.
For more information about SSL, see the SteelHead Deployment Guide - Protocols.
To use SCC to configure secure peering relationships
1. From the Management Console, choose Manage > Services: Policies.
2. Select Add Policy and specify a policy name.
3. Click Add.
4. Select Add/Remove Pages.
5. Select Secure Peering (SSL) in the Add/Remove Policy Pages and click Apply.
6. Edit the Secure Peering (SSL) policy to configure a Trusted Peer SteelHead and click Update.
7. Ensure that this policy page is included in the policy push.
8. Click Apply.
9. Choose Manage > Topology: Appliances to associate the policy with the SteelHead.
10. From the Appliance Operation page, select Push Policies from the drop-down menu, and push the policy to the SteelHead.
11. Choose Manage > Operations: Operations History to verify that the operation is successful.
12. Verify from the SteelHead that the SCC CA is configured as a Trusted Entity.
The SCC CA is configured as a Trusted Entity on the SteelHead only if the peer SteelHead has a secure peering certificate that’s issued by the SCC CA.
We recommend that you maintain a uniform and consistent operational policy by using only one type of secure peering certificate across all your SteelHeads.