Fine-tune Blocking Traffic on Secure Connections
Configure how certificates are created and signed using your certificate authority.
Skyhigh Security provides a customer CA that you can download and deploy to your endpoints. For the best protection, however, we recommend replacing the customer CA in the UI by either:
- Generating a self-signed CA
- Importing your own CA
The CA that you configure in the UI must also be deployed on your endpoints.
- In Skyhigh CASB, select Policy > Web Policy > Feature Configuration.
- From the Feature Config list, select HTTPS Connection > Customer CA.
- From the Actions drop-down list, select Clone and Edit.
- Provide a name for the feature configuration and an optional comment.
- Click the menu icon in line with the CA certificate, then select an option from the drop-down list:
  - Generate — Complete the fields, then click Save to generate a self-signed certificate authority.
  - Import — Upload your own CA certificate and its private key as separate files.
  - Export — Download the CA certificate; the file, named certificate_authority.pem, is saved to your Downloads folder.
- Configure how the key pair is generated when a certificate is created using your certificate authority:
  - Let Web Gateway generate the server key — Select the key size in bits from the drop-down list: 2048 or 3072.
  - Use custom server key — Upload a custom key pair.
- Configure the settings that are used when a certificate is created using your certificate authority:
  - Digest — Select the SHA hash function used to sign certificates: sha256 or sha384.
  - How many days validity for certificates signed by CA — Specify how many days server certificates remain valid after the certificate authority signs them. Default: 90 days.
  - Include OCSP responder URL — When selected, the OCSP responder URL is included in the server certificate.
  - Include Certificate Revocation List distribution point — When selected, the CRL distribution point is included in the server certificate.
  - Minimum SSL Version allowed — Select the oldest protocol version that may be negotiated (the lower bound). Select SSL 3.0 only for backward compatibility.
  - Maximum SSL Version allowed — Select the newest protocol version that may be negotiated (the upper bound).
  - SSL session cache TTL — Specify how long, in seconds, SSL session parameters are kept in the cache.
  - Perform unsecure renegotiations — When selected, a handshake may be renegotiated using less secure settings.
  - Send empty plaintext fragment — When selected, an empty plaintext fragment is included in communications.
  - Allow legacy signatures in the handshake — When selected, legacy signatures may be used in the initial handshake.
- Select how the ciphers are configured:
  - Select cipher by strength — Select High or Medium.
  - Configure ciphers manually using OpenSSL Cipher list syntax — Enter a cipher-list string in OpenSSL cipher syntax in the Manually enter server cipher list field. A manual list might be needed to decrypt data received from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
- Click Save.
The named HTTPS Connection configuration is saved.
You can publish saved changes to the cloud now or keep working and publish later.
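The protocol-version bounds and cipher settings above are expressed in OpenSSL's own terms, so they can be reproduced and inspected with Python's standard ssl module (which wraps OpenSSL). The example below is added here and is not Skyhigh documentation or product code; it assumes that the High and Medium choices correspond to OpenSSL's HIGH and MEDIUM cipher classes, and it reports which offered suites lack forward secrecy, which is the trade-off a manual list for servers without EDH support makes.

```python
import ssl

# Page settings expressed as ssl-module values. SSL 3.0 is listed only because the
# page offers it for backward compatibility; it should not normally be selected.
VERSIONS = {
    "SSL 3.0": ssl.TLSVersion.SSLv3, "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1, "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
# Assumed mapping of "Select cipher by strength" onto OpenSSL's strength classes;
# "!aNULL" additionally drops anonymous (unauthenticated) suites.
BY_STRENGTH = {"High": "HIGH:!aNULL", "Medium": "MEDIUM:!aNULL"}


def server_context(min_version, max_version, cipher):
    """Mirror the Minimum/Maximum SSL Version and cipher settings in an ssl.SSLContext.

    cipher is a strength name ("High"/"Medium") or a manual OpenSSL cipher-list string.
    """
    if VERSIONS[min_version] > VERSIONS[max_version]:
        raise ValueError("minimum version must not exceed maximum version")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = VERSIONS[min_version]
    ctx.maximum_version = VERSIONS[max_version]
    ctx.set_ciphers(BY_STRENGTH.get(cipher, cipher))  # ssl.SSLError if nothing matches
    return ctx


def non_ephemeral_ciphers(ctx):
    """Offered suites (TLS 1.2 and earlier) with no EDH/ECDHE key exchange.

    Keeping such suites lets the proxy reach servers without EDH support, at the cost
    that a leaked server key later decrypts recorded sessions. TLS 1.3 suites are
    always ephemeral, so they are skipped.
    """
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3" and c["kea"] not in ("kx-ecdhe", "kx-dhe"))


def weakest_strength_bits(ctx):
    """Smallest symmetric key strength among the suites the context offers."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = server_context("TLS 1.2", "TLS 1.3", "ECDHE+AESGCM:AES128-SHA")
    print("weakest suite:", weakest_strength_bits(ctx), "bits")
    print("no forward secrecy:", non_ephemeral_ciphers(ctx))
```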