Managing Certificates for Cloud Use
You can manage certificates for handling SSL-secured web traffic on Web Gateway and make them available for cloud use.
Certificate Authority (CA) certificates, which identify the CAs whose issued certificates are to be trusted, can be added by generating or importing them on Web Gateway. They can then be made available to Skyhigh Security WGCS when this service is managed on the Skyhigh CASB platform.
When managed on this platform, Skyhigh Security WGCS is part of the solution known as Skyhigh Security Mobile Cloud Security (MMCS) 2.0, which allows mobile devices to be included among the end-user systems that Skyhigh Security WGCS protects.
You can add CA certificates on the Web Gateway interface. The certificates are stored, along with user and group mapping information, as configuration for MMCS.
Under what is known as the Web Hybrid solution, configuration data is synchronized between Web Gateway and Skyhigh Security WGCS. This synchronization ensures that any MMCS configuration created or modified on Web Gateway is also known on Skyhigh Security WGCS.
MMCS configuration data is stored in a database on Skyhigh Security WGCS and read by dedicated services on globally distributed nodes called Points of Presence (PoPs). These nodes serve as VPN gateways, providing VPN connectivity for the mobile devices of cloud users who access the web.
Managing CA certificates for cloud use on Web Gateway includes:
- Adding and removing certificates
- Testing certificates
When you test a certificate, the result also tells you whether the certificate has expired.
Certificate pinning
Several mobile apps use certificate pinning to ensure they communicate only with authorized web servers: the app accepts only the specific server certificate or public key that is built into it, not any certificate issued by a trusted CA. Skyhigh Security WGCS inspects SSL-secured traffic by replacing the server certificate with a certificate of its own, so a pinning app rejects the replacement and its connection fails.
You can allowlist the relevant sites. Traffic going to them is then exempted from the rules for inspecting SSL-secured traffic that are enabled under your web security policy, and the original server certificate reaches the app.
Skyhigh Security maintains a list of websites that apply certificate pinning. Its name is Sites Using Pinned Certificates. You can use this list in an allowlisting rule to exempt traffic going to these sites from further filtering. Because allowlisted traffic is not inspected at all, keep the allowlist limited to the hosts that actually need it.
Rule for allowlisting mobile apps with certificate pinning
A rule is available for exempting traffic going to mobile apps that use certificate pinning from filtering by the rules for inspecting SSL-secured traffic. The rule relies on a list of host and domain names, maintained by Skyhigh Security, for which this filtering is bypassed.
The rule is contained in the Handle CONNECT Call rule set, which is nested in the HTTPS Scanning top-level rule set. Its name is Tunneled pinned certificate hosts for IPSec mobiles.
These rule sets are part of the default rule set system on Web Gateway after the initial setup. Neither the rule sets nor the rule is enabled by default. You can enable them for both on-premise and cloud use.
The HTTPS Scanning rule set and its nested rule sets are also available in the built-in library within the HTTPS Scanning group.
Test a device certificate for cloud use
You can test a certificate on Web Gateway that is intended for a cloud user device.
A device certificate secures communication from a device that an end user operates when working in the cloud. The test checks whether a device certificate is valid.
A device certificate is valid if it was issued, that is, signed, by a CA whose certificate is among the CA certificates for cloud use stored on Web Gateway, so that its chain of trust ends at one of those CA certificates. The test result also tells you if the device certificate has expired.
- Select Configuration | Appliances.
- In the navigation pane, select Mobile Cloud Security.
- Under Device Certificates Test, click Test Device Certificates.
- Provide a device certificate for testing.
- In the Certificate Test window, click Browse.
- Select a device certificate file from your file system, then click Open to make the certificate available for testing.
NOTE: If you are running the HTML-based user interface, you must first upload the certificate files using the file management options that this interface provides.
You are returned to the Certificate Test window.
- Click Test to test the file that you have made available.
The test result is displayed at the top of the window.
- Click Close to close the test window.
If the test shows that the device certificate is valid, you can use it for securing communication on a cloud user device.
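The validity check that the Device Certificates Test performs, as an added worked example written for this page in Go using only the standard library; it is not code from Web Gateway or Skyhigh Security. It builds constructed test data (a hypothetical cloud CA, a device certificate issued by that CA, and a device certificate issued by an unrelated CA; all names and serial numbers are made up), keeps the cloud CA as the set of CA certificates stored for cloud use, and checks each device certificate against that set with chain verification. Because the check runs at a chosen time, it also shows the expired outcome that the test reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a template for the constructed test certificates (hypothetical names).
func certTemplate(cn string, serial int64, now time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(30 * 24 * time.Hour), // device certificates: 30 days
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:                  ca,
		BasicConstraintsValid: ca,
	}
	if ca { // CA root: long-lived, allowed to sign certificates, no client EKU of its own
		t.NotAfter, t.ExtKeyUsage = now.Add(10*365*24*time.Hour), nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mustIssue signs tmpl with parentKey (the key of parent); with parent == nil it is self-signed. Panics on error: fixture data only.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CheckDeviceCertificate reproduces the gateway's test: "valid" when the device certificate chains to
// a stored cloud CA and is within its validity period at time at; "expired" when the period check fails;
// "untrusted" when none of the stored CAs issued it.
func CheckDeviceCertificate(device *x509.Certificate, cloudCAs []*x509.Certificate, at time.Time) string {
	roots := x509.NewCertPool()
	for _, ca := range cloudCAs {
		roots.AddCert(ca)
	}
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "untrusted"
	default:
		return "invalid: " + err.Error()
	}
}

// Scenario is the constructed test data; the names are hypothetical.
type Scenario struct {
	Now           time.Time
	CloudCAs      []*x509.Certificate // CA certificates stored on the gateway for cloud use
	GoodDevice    *x509.Certificate   // issued by the stored CA
	ForeignDevice *x509.Certificate   // issued by a CA that is not stored on the gateway
}

func BuildScenario() *Scenario {
	now := time.Now()
	cloudCA, cloudKey := mustIssue(certTemplate("Example Cloud CA", 1, now, true), nil, nil)
	otherCA, otherKey := mustIssue(certTemplate("Unrelated CA", 2, now, true), nil, nil)
	good, _ := mustIssue(certTemplate("device-0001", 100, now, false), cloudCA, cloudKey)
	foreign, _ := mustIssue(certTemplate("device-0002", 200, now, false), otherCA, otherKey)
	return &Scenario{Now: now, CloudCAs: []*x509.Certificate{cloudCA}, GoodDevice: good, ForeignDevice: foreign}
}

func main() {
	s := BuildScenario()
	fmt.Println("issued by the stored CA, tested today:    ", CheckDeviceCertificate(s.GoodDevice, s.CloudCAs, s.Now))
	fmt.Println("same certificate, tested 60 days later:   ", CheckDeviceCertificate(s.GoodDevice, s.CloudCAs, s.Now.Add(60*24*time.Hour)))
	fmt.Println("issued by a CA not stored on the gateway: ", CheckDeviceCertificate(s.ForeignDevice, s.CloudCAs, s.Now))
}
```

The check at a later time is what turns a passing certificate into the expired result the test reports, and a device certificate whose issuing CA has not yet been added on Web Gateway comes back untrusted, which is the case to look for when a certificate that is well within its validity period still fails the test.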