SSL Inspection Certificates
-
Hi,
My enterprise is using Deep SSL Inspection on the firewalls, and all machines -- even servers -- need to install some certificates to access HTTPS destinations. I managed to install those certificates on the xcp-ng hosts using "update-ca-trust"; is there a similar way to do it in XO application?
-
@jqueiroz said in SSL Inspection Certificates:
Hi,
My enterprise is using Deep SSL Inspection on the firewalls, and all machines -- even servers -- need to install some certificates to access HTTPS destinations. I managed to install those certificates on the xcp-ng hosts using "update-ca-trust"; is there a similar way to do it in XO application?
Yes, there's a way to do the certificate for the XO application. Also, for future reference, if you ever re-do a server, note that XCP-ng's certificates can be done through the XO application.
-
Don't you love to find the answer by yourself just after asking in the community forum?
- Create directory '/usr/local/share/ca-certificates'
- Copy the needed certificates to this place
- Run /usr/sbin/update-ca-certificates [seems not to be on the path].
@john-c said in SSL Inspection Certificates:
Also, for future reference, if you ever re-do a server, note that XCP-ng's certificates can be done through the XO application.
Thanks. But, just for clarification, it wasn't the XO/XOA server certificate; it was the certificates that sign all the HTTPS pages we visit.
-
@jqueiroz said in SSL Inspection Certificates:
Don't you love to find the answer by yourself just after asking in the community forum?
- Create directory '/usr/local/share/ca-certificates'
- Copy the needed certificates to this place
- Run /usr/sbin/update-ca-certificates [seems not to be on the path].
@john-c said in SSL Inspection Certificates:
Also, for future reference, if you ever re-do a server, note that XCP-ng's certificates can be done through the XO application.
Thanks. But, just for clarification, it wasn't the XO/XOA server certificate; it was the certificates that sign all the HTTPS pages we visit.
I uncovered a much more effective and supported method than the one you did.
Follow the steps in the documentation for the XCP-ng hosts, utilising a certificate chain to include your custom CA certificate.
Also, don't forget to set up a custom extra CA for Xen Orchestra via an additional configuration file, as documented in the documentation for the XO VM.
Also, by the way, the method you did in the post above will be lost on upgrade, and is likely not included in the backup feature process of the XO application. However, the links below will get included in the backup feature and the backup of XO configuration. Plus, your method will potentially interfere with the software update package which comes from the official repository, that updates the certificate authority certificates and their trusts.
https://xen-orchestra.com/docs/configuration.html#custom-certificate-authority
https://xen-orchestra.com/docs/configuration.html#https-and-certificates
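
Whichever method from this thread is used, the inspection CA becomes trusted for every HTTPS connection the machine makes, so it is worth checking the file before installing it. The following is an added example, not part of the original posts or of the XO project: the function name `check_ca_cert` is hypothetical, and it assumes `openssl` is installed and that the expected SHA-256 fingerprint was obtained out of band from the team that runs the firewall.

```shell
# Pre-install checks for a TLS-inspection CA certificate (added example).
#
# check_ca_cert FILE EXPECTED_SHA256
#   FILE             candidate certificate file
#   EXPECTED_SHA256  fingerprint supplied out of band (colons and case ignored)
# Returns: 0 ok, 1 wrong extension, 2 not PEM, 3 not a CA,
#          4 expired or expiring within 24h, 5 fingerprint mismatch
check_ca_cert() {
    local file="$1" expected="$2" actual

    # update-ca-certificates only picks up files ending in .crt
    case "$file" in
        *.crt) ;;
        *) echo "rejected: $file does not end in .crt" >&2; return 1 ;;
    esac

    # The file must parse as a PEM-encoded X.509 certificate
    openssl x509 -in "$file" -inform PEM -noout 2>/dev/null \
        || { echo "rejected: $file is not a PEM certificate" >&2; return 2; }

    # An inspection certificate re-signs sites, so it must be marked as a CA
    openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE' \
        || { echo "rejected: $file is not a CA certificate" >&2; return 3; }

    # -checkend N exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$file" -noout -checkend 86400 >/dev/null \
        || { echo "rejected: $file is expired or about to expire" >&2; return 4; }

    # Compare fingerprints in a normalised form (no colons, lower case)
    actual=$(openssl x509 -in "$file" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] \
        || { echo "rejected: fingerprint $actual does not match" >&2; return 5; }

    echo "ok: $file ($actual)"
}

# Usage (file name and fingerprint are placeholders):
#   check_ca_cert ./inspection-ca.crt "<SHA-256 from the firewall team>"
```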