SSL Certificate

SSL Certificate Basics

How do I get to this page?

This page opens when you navigate to Settings > Appliance and click SSL Certificate.

What’s on this page?

SSL (Secure Sockets Layer) encryption protects sensitive information such as login IDs and passwords from being intercepted and misused. On the Rocket, the console SSL certificate is used to establish trust for the Management and Access Pages. When configured as a proxy server, using SSL decryption, the Proxy certificate is required for the client to trust the Rocket to establish the SSL session to the destination host. This is used for selective blocking or unblocking within domains such as google.com and youtube.com, or filtering and reporting on the Full URL Details within a secure connection.

Note: A detailed technical discussion of SSL is outside the scope of this document. For technical information on SSL and related security topics, refer to the Wikipedia article on Transport Layer Security.

The SSL Certificate page consists of two sections:

  • Console Certificate
  • Proxy Certificate

When should I use this?

Use this page to manage SSL certificates for the Rocket Console and Proxy Server.

Console Certificate

The Console Certificate provides trust for encrypting usernames and passwords when admins log into the Rocket administration dashboard. A trusted SSL connection also provides username and password encryption when end users on your network sign into the secure Access Page for the purpose of overriding a blocked site or submitting a blocked site for review.

The Rocket includes a self-signed console certificate that is valid for 39 months. If you prefer to use an SSL certificate issued by a trusted certificate authority, you can install it in place of the self-signed certificate. You can also generate or install your own self-signed SSL certificate.

Important: The hostname on the Network Interfaces page must match the hostname in the proxy certificate.

Installed Console Certificate

This table lists details about the current console certificate. Please note the default console certificate has a lifetime of 39 months after being initialized.

Console Certificate Download Links

For security reasons, some browsers and devices will warn users when visiting an HTTPS site that is using a self-signed or untrusted certificate. These users will need to download, import, and trust the site certificate using the generated links in this section.

  • Web console and access page certificate – Download this certificate for secure access to the Rocket web console and Access Page.

Copy the link in this section to share it with users who need to download the certificate.

Create Self-Signed Certificate

How do I get to this page?

This page opens when you navigate to Settings, click SSL Certificate, scroll down to Replace, then click Create Self-Signed Certificate.

What’s on this page?

The Lightspeed Systems Web Filter ships with a self-signed certificate already installed.

Note: A self-signed certificate provides the necessary encryption for secure administration. Because the certificate is based only on the information you provide in this form, rather than from a recognized certificate authority, it is not intended for general public use.

When should I use this?

If you want to replace or update the built-in certificate with your own information, use the form on this page to create and apply your own self-signed certificate.

The information you enter here will be visible to users who view your certificate information.

Configurable Fields on this Page

  • Fully Qualified Domain Name – Enter the complete domain name for the Lightspeed Systems Web Filter appliance, for example web_filter.example.org
  • Country – Select your country from the dropdown list.
  • State or Province – Select your state or province from the dropdown list.
  • City – Enter your city in this field.
  • Organization – Enter your school, district name, or other organization information here.
  • Department (optional) – This field is optional. Enter your department here, or leave the field blank.
  • Email – Enter the administrator’s email address here.
  • Create button – Click to generate and apply a self-signed certificate with the information you entered in this form.

Import Existing Certificates

How do I get to this page?

This page opens when you navigate to Settings, click SSL Certificate, scroll down to Replace, then click Import Existing Certificate. Click Choose File and navigate to the certificates on your computer. Click Save. 

When should I use this?

If you already have a certificate issued by a Certificate Authority for your domain, you can upload your certificates here. You will need to upload certificates that you have independently downloaded from your websites.

How to Correctly Split and Import an Encrypted Certificate

Note: This only works with a PFX file

The best way to split and import an encrypted certificate is through the use of OpenSSL.

For Windows, you can download OpenSSL here: https://slproweb.com/products/Win32OpenSSL.html

OSX/Linux have OpenSSL built-in. Simply type a command to “locate openssl” or type “openssl version”.

Windows Method

1. Download and install slproweb’s win32 release: Win32 OpenSSL v1.1.0e Light

2. Open CMD

3. CD into C:\OpenSSL-Win32\bin

4. Copy your PFX into C:\OpenSSL-Win32\bin\

5. Follow the next steps to extract the files needed to import to your Rocket. You will be prompted for the PFX pass phrase; the private key is written out without a pass phrase.

  • a. Extract the unencrypted private key: openssl pkcs12 -in name.pfx -nocerts -nodes -out name.unencrypted.priv.key
  • b. Extract only the certificate: openssl pkcs12 -in name.pfx -nokeys -clcerts -out name.pem
  • c. Extract the Certificate Authority (CA) chain: openssl pkcs12 -in name.pfx -nokeys -cacerts -out CAchain.pem. If there are multiple certificates in the chain, they will all be in the same output file.

Web Filter 3 Installation

Requires a single file with the .pem extension.

1. Open each certificate (name.unencrypted.priv.key, name.pem and CAchain.pem) in Notepad++/Sublime Text/Text Wrangler.

Note: Do not use basic pre-installed text editors such as Notepad, as these may break the certificate.

2. Select all text in each file and copy (including the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE-----)

3. Open a new Notepad blank session and paste in the contents in the following order:

  • [Private key] will require the name.unencrypted.priv.key
  • [Certificate key] name.pem
  • [Intermediate key/Certificate Chain] CAchain.pem

WARNING:

Make sure there are no extra blank lines at the end of each certificate. They should look similar to the following:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

NOTE:

Some certificates include extra CN information; this can be included in each respective field/PEM file.

  • Ex.
    Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: le-a1f16e7d-e433-4590-848b-0fedfd6f8bcc
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    Key Attributes
    X509v3 Key Usage: 10

If the intermediate/Certificate chain is blank, you will need to acquire this from your SSL company.
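
The manual assembly described above (private key, then certificate, then chain, with no blank lines between blocks) can be scripted instead of pasted by hand. The following Python is an added example, not Lightspeed Systems code; it assumes the three files produced by the OpenSSL commands above and drops the optional Bag Attributes text rather than carrying it over. The sample input is constructed.

```python
import re

# One PEM block; the label ("CERTIFICATE", "PRIVATE KEY", ...) is captured.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, block)] for each PEM block found in text.

    Text outside the BEGIN/END markers (the "Bag Attributes" lines written by
    `openssl pkcs12`, stray blank lines) is dropped and CRLF becomes LF.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        blocks.append((label, "\n".join(
            [f"-----BEGIN {label}-----", *body, f"-----END {label}-----"])))
    return blocks


def build_bundle(key_pem, cert_pem, chain_pem=""):
    """Join the three extracted files: private key, certificate, CA chain."""
    keys, certs, chain = (pem_blocks(t) for t in (key_pem, cert_pem, chain_pem))
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("key file must hold exactly one private key block")
    if "ENCRYPTED" in keys[0][0] or "Proc-Type:" in keys[0][1]:
        raise ValueError("private key is still encrypted; extract with -nodes")
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        raise ValueError("certificate file must hold exactly one certificate")
    if any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("chain file may hold only CERTIFICATE blocks")
    # One newline between blocks, one at the end, no blank lines anywhere.
    return "\n".join(block for _, block in keys + certs + chain) + "\n"


# Constructed sample input: the base64 bodies are placeholders, not real keys.
SAMPLE_KEY = (
    "Bag Attributes\r\n"
    "    localKeyID: 01 00 00 00\r\n"
    "Key Attributes\r\n"
    "    X509v3 Key Usage: 10\r\n"
    "-----BEGIN PRIVATE KEY-----\r\n"
    "Q09OU1RSVUNURUQta2V5\r\n"
    "-----END PRIVATE KEY-----\r\n\r\n")
SAMPLE_CERT = (
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtbGVhZg==\n"
    "-----END CERTIFICATE-----\n\n\n")
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtaW50ZXJtZWRpYXRl\n"
    "-----END CERTIFICATE-----\n\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtcm9vdA==\n"
    "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_bundle(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_CHAIN), end="")
```

The resulting file contains the private key in unencrypted form, so write it with owner-only permissions and delete it, together with name.unencrypted.priv.key, once the import has succeeded.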

Verifying a Certificate

To verify that the certificate creation or import procedure succeeded, substitute “https” for “http” in the URL for your Lightspeed Systems Rocket appliance. This forces an SSL connection to the appliance.

  • If the certificate is a Self-Signed Certificate, it should give a certificate error but allow access via HTTPS.
  • If it is an officially signed certificate and the certificate matches the host that the client is connecting to, it should allow the HTTPS connection without a certificate error.

The certificate takes effect as soon as you apply it; no appliance restart is needed.

If you receive an error message after applying a certificate, click the back button on your web browser. In most cases, the certificate will be saved and applied correctly.

If you still experience errors, verify with your Certificate Authority that the information in the certificate is correct.

Replace a Certificate

You can create a new certificate or import a certificate file by clicking the Create Self-Signed Certificate, Create Certificate Signing Request, or the Import Existing Certificate buttons.

Create Certificate Signing Request

If you want to add the Lightspeed Systems Rocket appliance to your existing SSL certificate, click Administration from the dashboard, click SSL Certificate, then click Create Certificate Signing Request to use this wizard to generate a certificate signing request to submit to your certificate authority.

How do I get to this page?

This page opens when you navigate to Settings, click SSL Certificate, scroll down to Replace, then click Create Certificate Signing Request.

Configurable Fields on this Page

  • Fully Qualified Domain Name – Enter the complete domain name for the Lightspeed Systems Rocket appliance, for example web_filter.example.org.
  • Country – Select your country from the dropdown list.
  • State or Province – Select your state or province from the dropdown list.
  • City – Enter your city in this field.
  • Organization – Enter your school, district name, or other organization information here.
  • Department (optional) – This field is optional. Enter your department here, or leave the field blank.
  • Email – Enter the administrator’s email address here.
  • Next button – Click to generate the request, then submit the text in the Certificate Signing Request box to the certificate authority that created your SSL certificate (for example godaddy.com or thawte.com).

After the certificate authority has processed your request, you will receive a Certificate Key and, in cases where the certificate authority is not the root certificate, a Certificate Chain. Paste the certificate key and certificate chain into their respective boxes on the Complete Certificate Request form. To complete the signing request, click Finish.

Note: The Lightspeed Systems Web Filter will return to the Certificate Signing Request page until you complete the request with the keys returned by your certificate authority.

 

Proxy Certificate

If the Rocket is not configured as a Proxy Server, when a user accesses a secure HTTPS site, only the domain name (subject) in the SSL certificate will be visible to the Web Filter. Block or allow decisions can only be made for the entire domain, rather than for URLs and URL patterns within the domain.

When the Proxy Server is enabled with SSL Decryption, all HTTPS (encrypted) requests can be examined via a trusted Man-In-The-Middle proxy. When a user requests a secure website, such as a banking site, the encrypted request will be sent to the proxy server. The proxy server will then decrypt it in order to read the full URL.

Note: A few steps are required to enable HTTPS decryption once you’ve installed the proxy certificate:

  • Decrypt SSL Traffic must be selected (checked) on the Proxy Server page.
  • The client must be configured to use the Rocket as an SSL proxy (either explicitly or through WCCP.)

Installed Proxy Certificate

This table lists the expiration date for the current proxy certificate. If a proxy certificate is about to expire, click Recreate proxy certificate to extend the expiration date. Please note that the default Proxy certificate has a lifetime of 39 months after being initialized.

Important: If you recreate the proxy certificate, you will need to redeploy this certificate to all user devices that use this Rocket proxy server. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.

Recreate Proxy Certificate

If a proxy certificate is about to expire, click Recreate the certificate to extend the expiration date. Please note that the default Proxy certificate has a lifetime of 39 months after being initialized.

Important: If you recreate the proxy certificate, you will need to redeploy this certificate to all user devices that use this Rocket proxy server. You can push it out through a GPO (Microsoft Exchange) or ZENworks (Novell) at the same time that you push out the proxy settings.

Proxy Certificate Download Links

For devices that you cannot configure via GPO or ZENworks, users will need to manually install the certificate. In most cases, the proxy certificate Help Link is the best choice for users who need to install the proxy certificate themselves.

You can also find the download links under Settings > Appliance > SSL Certificate > Installed Proxy Certificate.

  • Proxy server certificate used when opting to decrypt SSL traffic – Download this certificate for HTTPS traffic if you have enabled the proxy server.
  • Proxy SSL certificate for Chromebook devices – Download this CRT-formatted SSL certificate for Google device proxy clients (Chromebooks and Android).

Copy the links in this section to share them with users who need to download the certificate.

Tip: See Proxy Server for more information.

Help Link

The Help Link goes to a page that automatically detects the device type and browser, and provides specific instructions to download and import the certificate. Share this link with users who need to install the proxy certificate themselves, without assistance.

This SSL Certificate Self-Service Portal can be accessed by having users visit http://lsaccess.me/proxycerthelp

The Help Link will automatically detect your browser, but will also give you instructions for installing certificates for all OS types. Simply click the dropdown and select the OS you wish to get instructions for.

Click the Download Certificate button to download the certificate and then follow the installation instructions for each OS type.

Learn more about: SSL Certificates

OS/Browser-specific installation instructions

First, download the Proxy Certificate from the link provided on the help page, or from

http://<hostname or IP of Rocket>/lsaccess/proxycert

Install Proxy Certificate with Windows Firefox

  • 1. Select Options
  • 2. Select the Advanced tab
  • 3. Select the Certificates tab
  • 4. Click View Certificates
  • 5. Select the Authorities tab
  • 6. Click Import
  • 7. Browse to the location that you downloaded the ls-rocket.der certificate to in the first step, then click Open
  • 8. In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box
  • 9. Click OK three times
  • 10. Restart Firefox

Note: Firefox has its own trusted certificate store and may not automatically trust your certificate. You have three options to address this:

  • 1. Replace the users’ cert database with one you have that includes the Rocket proxy certificate.
Learn more about: Replacing user cert database
  • 2. Create a script that imports the Rocket proxy certificate on behalf of all users.
Learn more about: Creating a script to import certificates
  • 3. Use the built-in self-help page. Send the user to the proxy cert help page, have them choose their OS, and follow the on-screen instructions to download the proxy cert.

Install Proxy Certificate with OS X Firefox

  • 1. Select Preferences
  • 2. Select Advanced
  • 3. Select Certificates
  • 4. Click the View Certificates button
  • 5. Select Authorities
  • 6. Click the Import button
  • 7. Browse to the location that you downloaded the certificate to in the first step
  • 8. Select the ls-rocket.der file
  • 9. Verify that the checkbox for “Trust this CA to identify websites” is selected and click OK

Install Proxy Certificate with Windows Chrome

  • 1. Go to chrome://settings/
  • 2. Scroll down and select Show advanced settings…
  • 3. Under the HTTPS/SSL section, select Manage certificates
  • 4. Select Trusted Root Certification Authorities
  • 5. Click Import and Next
  • 6. Browse to the location that you downloaded the certificate to in the first step
  • 7. Select the ls-rocket.der file
  • 8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish
  • 9. Accept the Security Warning
  • 10. Restart the browser

Install Proxy Certificate with Windows Internet Explorer

  • 1. Select Internet Options
  • 2. Select the Content tab
  • 3. Click Certificates
  • 4. Select Trusted Root Certification Authorities
  • 5. Click Import and Next
  • 6. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  • 7. Select the ls-rocket.der file and click Open
  • 8. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish
  • 9. Accept the Security Warning
  • 10. Restart the browser

Install Proxy Certificate with Windows

  • 1. Click Start, click Start Search, type mmc, and then press ENTER
  • 2. On the File menu, click Add/Remove Snap-in
  • 3. Under Available snap-ins, click Certificates, then click Add
  • 4. Under This snap-in will always manage certificates for, click Computer account, then click Next
  • 5. Click Local computer, click Finish, then click OK
  • 6. In the console tree, double-click Certificates
  • 7. Right-click the Trusted Root Certification Authorities store
  • 8. Click All Tasks and then select Import and click Next
  • 9. Browse to the location that you downloaded the certificate to in the first step (you will need to have “All Files (*.*)” selected for the file type)
  • 10. Select the ls-rocket.der file and click Open
  • 11. Verify that the Certificate Store is set to Trusted Root Certification Authorities, click next and finish

Install Proxy Certificate with OS X

  • 1. Open Keychain Access
  • 2. Select File
  • 3. Click Import Items
  • 4. Browse to the location that you downloaded the certificate to in the first step
  • 5. Select the ls-rocket.der file
  • 6. Select System for the Destination Keychain option
  • 7. Click the Open button
  • 8. Click the Always Trust button

Install Proxy Certificate with iOS

  • 1. Tap the Install button
  • 2. Tap Done

Install Proxy Certificate with Chrome OS

  • 1. Select Settings
  • 2. Select Show Advanced Settings
  • 3. Under HTTPS/SSL, select Manage Certificates
  • 4. Select the Authorities tab
  • 5. Select Import
  • 6. Browse to ls-rocket-chrome.crt and click open
  • 7. Select the checkbox labeled “Trust this certificate for identifying websites”.
  • 8. Click Ok, then click Done

Chrome Lightspeed S-Mobile Filter

Note: The Chrome Lightspeed S-Mobile Filter is no longer supported for Web Filter 3. Please upgrade to the latest Web Filter release candidate in order to use the new Web Filter for Google Chrome Extension.

Version 1.0.2 of the Chrome Lightspeed S-Mobile Filter is now available.

The Chrome Lightspeed S-Mobile Filter was designed specifically for customers who currently use SSL certificates generated by a Certificate Authority (CA) with their Rocket appliance for mobile filtering. Recent changes to the way Google has been handling certification have led to the occurrence of potential errors in our current Chrome Mobile Filter extension for customers who are using a certificate generated by a Certificate Authority when handling HTTPS traffic.

The Chrome Lightspeed S-Mobile Filter has been developed to solve this issue. All Lightspeed customers who utilize Certificate Authority issued certificates MUST use the Chrome Lightspeed S-Mobile Filter extension, and NOT the regular Chrome Mobile Filter extension.

Note: Cloud Filter customers MUST use the Chrome Lightspeed S-Mobile Filter extension. 

Note: Customers should only be running one extension at a time. Customers who are currently running the Chrome Mobile Filter and are upgrading to the Chrome Lightspeed S-Mobile Filter MUST remove the Chrome Mobile Filter extension through their Google Admin Console.

Note: Customers who use the default certificate or a self-signed certificate should continue to use the Chrome Mobile Filter.

The following diagram can help you determine which mobile filter extension you should use:

You can find the Chrome Lightspeed S-Mobile Filter in the Chrome Web Store. You can push the Chrome Lightspeed S-Mobile Filter to all of your users through the Google Admin Console.