SSL for SaaS Template
To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.
To do so, the appliance generates a substitute certificate that then must be signed by a Certificate Authority (CA).
There are two possible signers:
-
For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.
-
The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.
-
To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.
-
-
For a Custom CA Certificate, the signing authority is the Enterprise CA.
-
If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.
-
If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.
-
If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).
-
TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, view the Security Algorithms PDF.