
SSL for SaaS Template

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate, which must then be signed by a Certificate Authority (CA).


There are two possible signers:

  • For a Built-In CA Certificate, the signing authority is HPE Aruba Networking.

    • The appliance generates it locally, and each certificate is unique. This option is ideal for a Proof of Concept (POC) and for deployments where compliance is not a big concern.

    • To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.

  • For a Custom CA Certificate, the signing authority is the Enterprise CA.

    • If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.

    • If this substitute certificate is subordinate to a root CA certificate, also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.

    • If you do not already have a subordinate CA certificate, you can access any appliance’s Configuration > Templates & Policies > Applications & SaaS > SaaS Optimization page and generate a Certificate Signing Request (CSR).
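
The chain requirement described for a Custom CA Certificate can be checked offline with OpenSSL. The script below is an added example, not part of the product or its documentation: it builds a constructed root CA, subordinate CA and substitute certificate (all names and file paths are assumptions), with `openssl verify` standing in for the browser, and shows that validation fails until the subordinate CA certificate is available.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: root CA -> subordinate CA -> substitute certificate.
# Every name (Example Root CA, saas.example.test, file names) is made up.

new_csr() {  # $1 = dir, $2 = file stem, $3 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty, writable working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:saas.example.test\n' > "$1/leaf.ext"
  # Root CA: self-signed trust anchor (plays the enterprise root).
  new_csr "$1" root "Example Root CA" || return 1
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null || return 1
  # Subordinate CA: signed by the root and allowed to issue certificates.
  new_csr "$1" sub "Example Subordinate CA" || return 1
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/sub.pem" 2>/dev/null || return 1
  # Substitute certificate: leaf for one SaaS hostname, signed by the subordinate CA.
  new_csr "$1" leaf "saas.example.test" || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/sub.pem" -CAkey "$1/sub.key" \
    -CAcreateserial -days 30 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# Client that trusts the root but has no copy of the subordinate CA certificate.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client once the subordinate CA certificate is supplied for chain building.
verify_with_subordinate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

# Demo run: the first check reports a broken chain, the second validates.
demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" && {
  verify_root_only "$demo_dir" && echo "root only: valid" || echo "root only: chain broken"
  verify_with_subordinate "$demo_dir" && echo "root + subordinate: valid" \
    || echo "root + subordinate: chain broken"
}
```

To test a real deployment the same way, point the two verify functions at a directory holding exported copies of the root, subordinate CA and substitute certificates under the file names used above.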

TIP: For a historical matrix of EdgeConnect and Orchestrator security algorithms, view the Security Algorithms PDF.