Adding a trusted certificate

To decrypt SSL connections, you need to add one trusted certificate that will be used to sign the certificates sent to clients, together with the private key of this certificate. You can add a root or intermediate certificate, or a previously generated self-signed certificate. Uploading an intermediate certificate is more secure than uploading a root certificate because, if the uploaded certificate is compromised, the root certificate is not compromised.

After adding a certificate to decrypt SSL connections, you need to make this certificate trusted by the browsers on users' computers. To do this, add the certificate to the list of trusted certificates in the local store on users' computers.

With some browsers (for example, Mozilla Firefox), you also need to add the certificate to the browser store.

You can upload only one certificate. This certificate becomes the active certificate.

To add a certificate:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the SSL Inspection section, select General.
  3. Set the Decrypt encrypted connections toggle switch to On.
  4. Add the certificate. To do so, click the Select button to open the file selection window and select the certificate file. If the certificate cannot be uploaded, an error message is displayed with the reason why.

    The certificate must satisfy the following requirements:

    • The file must be in a text format (PEM) or binary format (ASN.1).
    • We recommend using a .crt, .cer, .cert, or .pem file. However, other formats are permitted.
    • The certificate must be valid. You cannot upload an expired certificate or a certificate that has not yet become valid.
    • The Common name must be specified.

    After the certificate is successfully uploaded, detailed information about this certificate is displayed.

  5. Upload the private key of the certificate. To do so, click the Select button to open the file selection window and select the private key file.

    The private key must satisfy the following requirements:

    • The key must be encrypted with a password.
    • The password must match the uploaded certificate.
  6. In the window that opens, enter the password for the private key of the certificate and click OK.
  7. Apply the OSMP policy changes by clicking the Commit and push button.

The certificate and private key are saved in the OSMP policy.

To avoid unauthorized access to traffic, the private key file must be stored in a secure location.
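
The requirements listed in steps 4 and 5 can be checked locally before the upload. The following is an added example, not part of the product or its documentation; it assumes OpenSSL and GNU date are installed and that the private key is PEM-encoded, and the function name and file arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for an SSL inspection certificate and key.
# precheck CERT KEY PASSFILE prints one line per failed requirement and
# returns 0 only if every check passes. PASSFILE holds the key password on
# its first line, so the password never appears on the command line.
precheck() {
  local cert="$1" key="$2" passfile="$3"
  local form fails=0 subj start certpub keypub
  # Requirement: PEM (text) or ASN.1 DER (binary) encoding.
  if openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then form=PEM
  elif openssl x509 -in "$cert" -inform DER -noout 2>/dev/null; then form=DER
  else echo "FAIL format: not a PEM or DER certificate"; return 1; fi

  # Requirement: not expired and already valid.
  openssl x509 -in "$cert" -inform "$form" -noout -checkend 0 >/dev/null ||
    { echo "FAIL validity: certificate has expired"; fails=1; }
  start=$(openssl x509 -in "$cert" -inform "$form" -noout -startdate | cut -d= -f2)
  [ "$(date -u -d "$start" +%s)" -le "$(date -u +%s)" ] ||
    { echo "FAIL validity: certificate is not yet valid"; fails=1; }

  # Requirement: Common name present in the subject.
  subj=$(openssl x509 -in "$cert" -inform "$form" -noout -subject -nameopt RFC2253)
  case "$subj" in *CN=*) ;; *) echo "FAIL subject: no Common name"; fails=1 ;; esac

  # Requirement: key is password-encrypted (PKCS#8 or legacy PEM header).
  grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key" ||
    { echo "FAIL key: private key is not password-encrypted"; fails=1; }

  # Consistency: the password opens the key and the key pairs with the certificate.
  certpub=$(openssl x509 -in "$cert" -inform "$form" -noout -pubkey)
  keypub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout 2>/dev/null) ||
    { echo "FAIL key: password does not decrypt the key"; return 1; }
  [ "$certpub" = "$keypub" ] ||
    { echo "FAIL key: private key does not match the certificate"; fails=1; }
  return "$fails"
}
```

Keep the password file readable only by its owner and delete it after the check.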
