SSL for SaaS Template

To fully compress SSL traffic for a SaaS service, the appliance must decrypt it and then re-encrypt it.

To do so, the appliance generates a substitute certificate that must then be signed by a Certificate Authority (CA).

There are two possible signers:

n	For a Built-In CA Certificate, the signing authority is Silver Peak.

•	The appliance generates it locally, and each certificate is unique. This is an ideal option for Proof of Concept (POC) and when compliance is not a big concern.

•	To avoid browser warnings, follow up by importing the certificate into the browser from the client-side appliance.

n	For a Custom CA Certificate, the signing authority is the Enterprise CA.

•	If you already have a subordinate CA certificate (for example, an SSL proxy), you can upload it to the Orchestrator and push it out to the appliances. If you need a copy of it later, just download it from here.

•	If this substitute certificate is subordinate to a root CA certificate, then also install the higher-level SSL CA certificates (into the SSL CA Certificates template) so that the browser can validate up the chain to the root CA.

•	If you don't already have a subordinate CA certificate, you can access any appliance's Configuration > SaaS Optimization page and generate a Certificate Signing Request (CSR).

n	Silver Peak appliances support:

•	Protocol versions: SSLv3, SSLv3.3, TLS1.0, TLS1.1, TLS1.2

•	Key exchanges: RSA, DHE, ECDHE

•	Authentication: RSA

•	Cipher algorithms: RC4, 3DES, AES128, AES256, AES128-GCM, AES256-GCM

•	Message Digests: MD5, SHA, SHA256, SHA284

Tip For a historical matrix of SSL/TLS versions and ciphers for VXOA releases, click here.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.