SSL for SaaS Tab
Configuration > Overlays & Security > SSL > SSL for SaaS
The SSL for SaaS tab lists signed substitute certificates for your appliances if you choose to decrypt SSL traffic. To fully compress SSL traffic for a SaaS service, the appliance must decrypt the traffic and then re-encrypt it. To do this, the appliance generates a substitute certificate that a Certificate Authority (CA) must sign.
To choose whether to decrypt SSL traffic for an appliance, click the edit icon associated with the appropriate appliance in the table. The SSL for SaaS dialog box opens.
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, view the Security Algorithms and Cipher Profiles PDF.
SSL for SaaS Dialog Box
Use the SSL for SaaS dialog box to indicate whether to decrypt SSL traffic for an appliance. If you choose not to decrypt traffic, the traffic will move more quickly, but it will not be encrypted or compressed. If you choose to decrypt traffic, you must choose whether to use the built-in CA certificate or a custom CA certificate.
NOTE: To avoid browser warnings, import the applicable CA certificate into the Trusted CA Store on the client-side browser.
For a built-in CA certificate, the signing authority is HPE Aruba Networking.
- The appliance generates the certificate locally. Each certificate is unique. When compliance is not a significant concern, this option works well for a Proof of Concept (POC).
- To view current certificate content, click the View link.
- To obtain a certificate copy, click Download under the Built-In CA Certificate area of the dialog box.
- To regenerate the certificate, click Regenerate.
For a custom CA certificate, the signing authority is the enterprise CA.
- If you already have a subordinate CA certificate, such as an SSL proxy, you can upload it to the Orchestrator and push it out to the appliances.
- To obtain a certificate copy, click Download under the Custom CA Certificate area of the dialog box.
- If the certificate is subordinate to a root CA certificate, install higher-level SSL CA certificates into the SSL CA Certificates template so the browser can validate up the chain to the root CA.
- If you do not have a subordinate CA certificate, from the Appliance Manager for any appliance, navigate to Configuration > Policies > SaaS Optimization, and then generate a Certificate Signing Request (CSR).
To obtain and use a subordinate CA certificate:
- Click Generate Certificate Signing Request (CSR). The Certificate Information dialog box opens.
- Complete the fields, and then click Generate.
- Save the CSR and private key.
- Submit the CSR to your enterprise CA to obtain a subordinate CA certificate.
- After obtaining approvals and the subordinate CA certificate, click Upload and Replace to import it.
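Before the Upload and Replace step, it is worth confirming that the file returned by the enterprise CA is a CA certificate, matches the private key saved with the CSR, and chains to the root. The script below is an added example, not part of the product documentation; it assumes the `openssl` CLI is available, and every file name and subject in it is constructed for a throwaway lab fixture.

```shell
#!/bin/sh
# Added example: pre-upload checks for a subordinate CA certificate (lab names are constructed).

is_ca_cert() {        # $1=cert; basicConstraints must mark it as a CA
    case "$(openssl x509 -in "$1" -noout -text 2>/dev/null)" in
        *CA:TRUE*) return 0 ;; *) return 1 ;; esac
}
key_matches_cert() {  # $1=cert $2=private key saved with the CSR
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
chains_to_root() {    # $1=cert $2=root CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
check_sub_ca() {      # $1=cert $2=key $3=root
    is_ca_cert "$1" || { echo "FAIL: not a CA certificate"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key mismatch"; return 1; }
    chains_to_root "$1" "$3" || { echo "FAIL: no chain to root"; return 1; }
    echo "OK"
}

# Lab fixture: root CA, CSR, a correctly issued subordinate CA certificate
# (sub.pem) and the same CSR mis-issued without CA extensions (leaf.pem).
make_lab_fixture() {  # $1=empty directory
    cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/lab.cnf" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" \
        -subj "/CN=Constructed Subordinate CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -extfile "$1/lab.cnf" -extensions v3_ca \
        -out "$1/sub.pem" 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

lab=$(mktemp -d) && make_lab_fixture "$lab"
check_sub_ca "$lab/sub.pem" "$lab/sub.key" "$lab/root.pem"
check_sub_ca "$lab/leaf.pem" "$lab/sub.key" "$lab/root.pem" || true
```

For a real deployment, point `check_sub_ca` at the certificate from the enterprise CA, the private key saved with the CSR, and the enterprise root CA certificate.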