Configuring SaaS proxy certificates
Proxy certificates are certificates specific to a particular SaaS domain that are signed by a CA trusted by the client applications inside your network. SaaS proxy certificates allow the Cloud-hosted SteelHead to intercept and accelerate secure sessions between the SSL-based client and server applications.
Note: SteelHead SaaS does not support self-signed SaaS proxy certificates; it only supports CA-signed SaaS proxy certificates.
Proxy certificates can come from either of these sources: a third-party, cloud-hosted CA or a CA within your enterprise.
To change the type of Certificate Authority
1. Log in to the Riverbed Cloud Portal.
2. Select Cloud Accelerator to display the Cloud Accelerator page.
3. Select SaaS Platforms to display the SaaS Platforms page.
4. Under Proxy Certificate Authority, the CA used to sign the SaaS server proxy certificates appears. Click change mode to select one of these options:
• Cloud-Hosted CA- In this mode a third-party, cloud-hosted CA signs the proxy certificates.
• Customer CA - In this mode your company’s CA signs the proxy certificates.
In the SaaS Platforms page, under Manage SaaS Platforms, select the name of a SaaS platform listed in the table to display the SaaS Service Details page. The section under SaaS Platform Proxy Certificates changes depending on the CA mode that you select on this SaaS Platforms page.
To use proxy certificates issued by a third-party, cloud-hosted CA
1. Select Cloud Accelerator to display the Cloud Accelerator page.
2. Select SaaS Platforms to display the SaaS Platforms page.
3. Under Proxy Certificate Authority, click change mode and select the Cloud-Hosted CA mode.
4. Click View/Download CA Certificate to download the CA certificate from the Riverbed Cloud Portal.
5. Install the certificate on all clients that access the SaaS application by either:
• adding it directly to the client’s browser.
or
• adding it to the certificate store of the client’s Windows operating system.
6. Optionally, click Request New Proxy Certificate Authority to regenerate the proxy CA and confirm your request.
Note: Regenerating the proxy CA might disrupt existing SSL connections.
7. In the SaaS Platforms page, under Platform, click the name of the platform to display the SaaS Service Details page.
8. Under SaaS Platform Proxy Certificate, select the Proxy Certificates tab to display the list of SaaS hostnames and their proxy certificate status.
9. Select Request New Proxy Certificate (in the last column) to regenerate the proxy certificate for the SaaS platform and sign it using the trusted CA.
10. Import the certificate into your preferred browser on the client system. Consult your browser vendor’s documentation for details about how to import proxy certificates.
To use proxy certificates issued by your enterprise CA
1. Select Cloud Accelerator to display the Cloud Accelerator page.
2. Select SaaS Platforms to display the SaaS Platforms page.
3. Under Proxy Certificate Authority, click change mode.
4. Select the Customer CA mode and then click Update.
5. In the SaaS Platforms page, under Platform, select the name of the platform.
6. Under SaaS Platform Proxy Certificate, select the Proxy Certificates tab to display the list of SaaS hostnames and their Certificate Signing Request (CSR) status.
7. Select Generate New CSR (in the last column of the table) to generate a new CSR for that SaaS hostname.
8. Select Download CSR in the table to download the CSR that you generated for your computer.
9. Use the CSR to obtain your CA’s signature on your proxy certificate.
10. Select Upload Certificate in the table (next to the specific SaaS hostname).
11. Select the signed proxy certificate from your local file system or copy and paste the certificate details and click Upload to upload the proxy certificate for the specific SaaS hostname.