About certificate authorities
Appliances include a pool of preimported certificates from common, trusted CAs. The default list of CAs, as well as settings for adding CAs, is under Optimization > SSL: Certificate Authorities.
A CA is a third-party entity that issues digital certificates and manages security credentials and public keys for message encryption. A CA issues a public key certificate, which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. The CA verifies applicant credentials so that relying parties can trust the information in the CA certificates. If you trust the CA and can verify the CA signature, then you can also verify that a certain public key does indeed belong to whomever is identified in the certificate.
Before adding a CA, it is critical to verify that it is genuine; a malicious CA can compromise network security by signing fake certificates.
You might need to add CAs to the pool if your organization has an internal CA, your certificates are signed by an intermediate or root CA not in the trusted list, or the certificate for a CA in the list is expired or has been revoked and needs replacing.
Replacing an expired or an about-to-expire SSL certificate depends on the type of certificate you want to replace:
- Peer certificate—For details, go to Knowledge Base article S17054.
- Root CA certificate—For details, go to Knowledge Base article S30418.
- Proxy certificate—For details, go to Knowledge Base article S34687.
Generally, you do not need to add certificates if your CA is among those in the trusted list.
If you need to add a CA to the list, you can upload its certificate file or paste its content directly into the Management Console. Importing multiple certificates is supported. When adding a single certificate, you can specify a local name for it.
You can update the appliance’s trusted root store on this page.
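Before adding a CA certificate (or a bundle of several), a practitioner will want to confirm that each certificate is the one the CA actually published, typically by comparing its SHA-256 fingerprint against the value the CA provides out of band. The following Python is an added example, not part of the appliance documentation or Riverbed's own code: it splits a PEM bundle into individual certificates, fingerprints each one, and accepts only those whose fingerprint is on an expected list. The PEM blocks are constructed from arbitrary bytes purely to exercise the logic (they are not real certificates), and the function names and the expected-fingerprint list are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample data: NOT real certificates. The "DER" payloads are
# arbitrary bytes wrapped in PEM armor so the parsing and fingerprinting
# paths can be exercised offline.
_FAKE_DER_1 = b"\x30\x82\x01\x00" + bytes(range(256))
_FAKE_DER_2 = b"\x30\x82\x00\x10" + b"internal-ca-two!"


def _to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor (base64, wrapped at 76 columns)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# A bundle as it might be pasted into an import dialog: two certificates
# with a comment line between them (comments outside the armor are ignored).
SAMPLE_BUNDLE = (
    _to_pem(_FAKE_DER_1)
    + "# constructed bundle: second certificate follows\n"
    + _to_pem(_FAKE_DER_2)
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Whitespace inside the armor is stripped before decoding; strict
    validation makes a tampered or truncated base64 body raise
    binascii.Error instead of silently decoding to garbage.
    """
    ders = []
    for match in _PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, in the colon-separated form CAs publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and compare on the bare hex string."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def verify_bundle(text: str, expected_fingerprints: list[str]):
    """Split a bundle and sort its certificates into accepted and rejected.

    A certificate is accepted only if its SHA-256 fingerprint appears in
    the list obtained out of band from the CA; anything else is rejected
    and should not be imported into the trusted root store.
    """
    allowed = {_normalize(fp) for fp in expected_fingerprints}
    accepted, rejected = [], []
    for der in split_pem_bundle(text):
        fp = sha256_fingerprint(der)
        (accepted if _normalize(fp) in allowed else rejected).append(fp)
    return accepted, rejected


if __name__ == "__main__":
    # Assumed: only the first certificate's fingerprint was published by the CA.
    published = [sha256_fingerprint(_FAKE_DER_1)]
    ok, bad = verify_bundle(SAMPLE_BUNDLE, published)
    print("accepted:", ok)
    print("rejected:", bad)
```

The decisive input is the fingerprint list: it must come from a channel independent of the bundle itself (the CA's published documentation, a signed announcement, or a phone call to the issuing team), otherwise the check only proves the file matches itself. A rejected certificate is the signal to stop the import and investigate rather than to add it with a local name.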
About automatically generated and signed certificates
Appliances include a module that can automatically generate self-signed certificates when they encounter requests for traffic from a host for which SteelHead does not have a matching server proxy certificate. The appliance configured with the signing CA certificate clones the certificate sent by the initiating appliance, signs the clone with its local signing CA, and then sends the signed clone back to the initiating appliance. This time, the initiating appliance recognizes the certificate as signed by a trusted CA and acceleration continues. The signing appliance retains an entry in its CA trusted root store for future connections, and the entry persists across appliance restarts.
This feature behaves much like the SSL Simplification feature in Client Accelerator, with the exception that you must install the signing appliance’s CA certificate on all of its peer appliances. Either server-side or client-side appliances may serve as the signing appliance hosting the CA. You can even place this module on a remote appliance or on a non-Riverbed entity.