Configuring SSL optimization
SSL optimization is required for SaaS acceleration, and you need to generate a certificate authority (CA) certificate before you can configure applications for SaaS acceleration.
SAM uses the CA certificate to automatically generate proxy certificates, which SAM pushes to the SaaS service cluster. Your client systems must establish a trust relationship with the proxy certificates.
You can configure two types of CA certificates:
• Riverbed managed—Use the Riverbed-managed CA to generate a root certificate authority (RCA) certificate. You must download or copy the certificate and deploy it to the Trusted Root Certification Authorities certificate store on your client systems. After the RCA certificate is deployed, the RCA then automatically generates trusted certificates to sign optimized TLS/SSL traffic.
This is the default configuration.
• Customer managed—Use SAM to generate a certificate signing request (CSR), which you use to obtain an intermediate certificate authority (ICA) certificate. After the ICA is signed by your organization’s CA, upload it to SAM. Your client systems should already have an established trust relationship with your CA.
We recommend this configuration if your organization has its own internal CA.
SAM users with read-only permissions are not allowed to generate certificates or configure SaaS acceleration.
Only one certificate can be active at any given time. If you have multiple certificates, however, you can switch between them.
To generate an RCA certificate using the Riverbed-managed CA
1. Choose Configure > SaaS Apps: SSL Optimization and select the Certificate Authority tab.
2. Select the Riverbed Managed tab and then click Generate Root CA.
3. Provide the following information.
Field | Description |
Common name | Specify a common name for the root CA certificate. |
Organization | Optionally, specify the organization name (for example, the company). |
Organizational unit | Optionally, specify the organizational unit name (for example, the section or department). |
Locality | Optionally, specify the city. |
State | Optionally, specify the state. |
Country | Optionally, specify the country (2-letter code only). |
Email address | Optionally, specify the email address of the contact person. |
RSA cipher bits | Select the key length from the drop-down list. The default value is 2048. |
Validity period (RCA only) | Specify how many days the root CA certificate is valid. The default value is 730 days (two years). |
4. Click Submit.
SAM creates the root CA certificate.
If there are no active certificates, then it automatically becomes the active certificate. If you want to switch from one certificate to another, see
To change certificates.
5. Copy or download the root CA certificate from SAM and install it in end-user client systems.
An active root certificate authority (RCA) enables clients to accelerate SaaS traffic when SaaS applications are configured on the SaaS Accelerator page. The root CA certificate needs to be deployed into the Trusted Root Certification Authority certificate store on your clients and then your clients can automatically use certificates issued by this trusted root CA to accelerate encrypted SaaS traffic.
To generate an ICA certificate using your organization’s CA
1. Choose Configure > SaaS Apps: SSL Optimization and select the Certificate Authority tab.
2. Select the Customer Managed tab and then click Generate CSR Certificate.
4. Click Submit.
5. SAM creates the CSR.
6. Select the CSR to view its details.
7. Copy or download the CSR.
8. Submit the CSR to your organization’s certificate authority (CA) to obtain an intermediate certificate authority (ICA) certificate.
The ICA certificate requires the basic constraint CA:true.
9. Choose Configure > SaaS Apps: SSL Optimization and select the Certificate Authority tab and then select the Customer Managed tab.
10. Click Click here to upload the signed CA.
11. Choose an upload method:
– Upload Certificate File (PEM format only)
– Paste Certificate Text (PEM format only)
12. Click Upload.
To change certificates
1. Ensure that you have deployed the RCA from SAM to end-user client systems.
2. In SAM, choose Configure > SSL Optimization and select the Certificate Authority tab and then select the tab with the currently active certificate (Riverbed Managed or Customer Managed).
3. Select the active certificate and click Off under Status.
4. Select the tab (Riverbed Managed or Customer Managed) with the certificate you want to activate and click On under Status.
To delete a certificate
1. In SAM, choose Configure > SSL Optimization.
2. Select the certificate or CSR and select Actions > Delete CA/CSR.
You are prompted to confirm this action.
3. Click Confirm.
The root CA certificate or CSR is removed from the system and new SaaS connections will not be accelerated.