SSL Certificates Tab
Configuration > Overlays & Security > SSL > SSL Certificates
EdgeConnect appliances can deduplicate SSL-encrypted WAN traffic because they are given the server's SSL certificate and its private key. The sending EdgeConnect decrypts the SSL data with the configured certificate and key, optimizes it, and transmits it over an IPSec tunnel, so decrypted data only ever crosses the WAN inside that tunnel. The peer EdgeConnect uses the same configured certificate and key to re-encrypt the data before forwarding it.
- Peers that exchange and optimize SSL traffic must use the same certificate and key.
- For the SSL certificates to function:
  - Tunnels must be in IPSec or IPSec UDP mode for both directions of traffic.
  - TCP acceleration and SSL acceleration must be enabled in the Optimization Policy.

The SSL Certificates tab summarizes the SSL certificates installed on appliances for decrypting non-SaaS traffic.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, view the Security Algorithms PDF.
SSL Certificates Dialog Box
Use the SSL Certificates dialog box when the server is part of your enterprise network and has its own enterprise SSL certificates and key pairs.
NOTE: For SSL decryption of SaaS services, use the SSL for SaaS tab (Configuration > Overlays & Security > SSL > SSL for SaaS). Because SaaS servers are external to your enterprise network, the appliance creates a substitute certificate, which then must be signed by a Certificate Authority (CA).
Use this dialog box to load the certificate and key directly into the appliance.
- You can add either a PFX certificate (PKCS#12 format, generally used by Microsoft servers) or a PEM certificate. If the PFX Certificate File check box is not selected, the appliance treats the file as PEM.
- If the private key in the key file is encrypted, enter the passphrase needed to decrypt it.
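Because both peers must carry the same certificate and key, it is worth confirming offline, before the upload, that the PEM key really belongs to the PEM certificate and that the passphrase for an encrypted key actually decrypts it. The following Go program is an added example written for this page, not code from Orchestrator or the EdgeConnect software. It builds a constructed self-signed test pair in memory (the subject name is a made-up value), encrypts the key with a passphrase in the legacy PEM encryption format, and then runs the same checks a pre-upload tool would. It covers the PEM path only; PFX (PKCS#12) files are not handled because the Go standard library has no PKCS#12 parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckPEMPair runs the checks worth doing before a PEM certificate and key
// are uploaded: the key file must contain a PEM block; if that block is
// encrypted (legacy "Proc-Type: 4,ENCRYPTED" headers) the passphrase must
// decrypt it; and the resulting key must belong to the certificate. It
// returns the certificate's subject common name on success.
func CheckPEMPair(certPEM, keyPEM []byte, passphrase string) (string, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return "", errors.New("key file contains no PEM block")
	}
	if x509.IsEncryptedPEMBlock(block) {
		if passphrase == "" {
			return "", errors.New("key is encrypted but no passphrase was supplied")
		}
		der, err := x509.DecryptPEMBlock(block, []byte(passphrase))
		if err != nil {
			return "", fmt.Errorf("passphrase does not decrypt the key: %w", err)
		}
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	// tls.X509KeyPair parses both inputs and rejects a key whose public half
	// differs from the one in the certificate.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return "", fmt.Errorf("certificate/key check failed: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// newTestPair creates a self-signed ECDSA certificate and key in memory so
// the check runs offline. The common name is a constructed example value.
func newTestPair(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// encryptKey wraps a PEM key with a passphrase in the legacy PEM encryption
// format (DEK-Info header), the shape a traditional-format encrypted key
// has, so the passphrase path can be exercised.
func encryptKey(keyPEM []byte, passphrase string) ([]byte, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block to encrypt")
	}
	enc, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(enc), nil
}

func main() {
	certPEM, keyPEM, err := newTestPair("ssl-server.example.internal")
	if err != nil {
		panic(err)
	}
	encKey, err := encryptKey(keyPEM, "correct horse battery")
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ name, pass string; key []byte }{
		{"plaintext key", "", keyPEM},
		{"encrypted key, no passphrase", "", encKey},
		{"encrypted key, wrong passphrase", "wrong", encKey},
		{"encrypted key, right passphrase", "correct horse battery", encKey},
	} {
		cn, err := CheckPEMPair(certPEM, c.key, c.pass)
		fmt.Printf("%-32s -> cn=%q err=%v\n", c.name, cn, err)
	}
}
```

Run it with `go run`; swap the constructed pair for the real files by reading them from disk. The equivalent manual check with the OpenSSL command line is to compare the output of `openssl x509 -noout -pubkey -in cert.pem` with that of `openssl pkey -pubout -in key.pem` (the latter prompts for the passphrase if the key is encrypted): the two public keys must be identical.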
Before installing the certificates:
- Configure the tunnels for IPSec (or IPSec UDP) mode in both directions.
  To do so, navigate to Configuration > Networking > Tunnels > Tunnels, and then click the edit icon for the appropriate tunnel. In the Tunnels dialog box that opens, set the Mode field to IPSec. Repeat for the tunnel in the opposite direction.
- Verify that TCP acceleration and SSL acceleration are enabled.
  To do so, navigate to Configuration > Templates & Policies > Policies > Optimization Policies, and then review the Set Actions.