You can now use a built-in trusted certificate authority (CA) bundle for the TLS Inspection chain of trust to support advanced security applications such as IDS/IPS, URL filtering, malware, and granular App ID.
You can use the built-in CA bundle, default_trusted_public_ca_bundle, internally for TLS inspection and decryption on gateway firewalls.
For external services, TLS Proxy requires a configured trusted CA bundle to validate the certificate that an external service presents to it. You can configure External_Decryption_Profile.trusted_ca_bundles with one or more CA bundles, where each bundle is a list of certificates; you must configure at least one CA bundle. Because external services typically use well-known CAs such as Verisign and DigiCert, NSX includes, for ease of configuration, a built-in default_trusted_public_ca_bundle that contains widely used CA certificates, much as operating systems ship with popular CA certificates pre-installed. You can update this bundle, or you can create your own CA bundle and use it instead.
With the trusted CA bundle you can:
- Validate TLS inspection and decryption using the default trusted CA bundle.
- View all certificates in the CA bundle, and filter on their basic details, using the View All Certificates button.
- Search for expired, expiring, valid, used, and unused CA bundles using the View All Certificates button.
- Edit a CA bundle's display name and add or remove certificates from the bundle.
- Export a CA bundle for inclusion on other devices.
- Copy the CA bundle path locally.
- Import a new trusted CA bundle using the Import CA Bundle button.
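As an added example (not NSX code or the page's own), the Go program below, using only the standard library, shows what the validation described above amounts to: a CA bundle is a concatenation of CA certificates in PEM, and a certificate an external service presents is accepted only if it chains to a bundled CA that is still valid, which is also why the expired-certificate filter matters. Every CA, key and name in it is constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate (not an NSX artifact); a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, nb, na time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed: the template signs itself
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedByBundle does what TLS Proxy must do with the certificate an external service presents: treat the bundle as the root set and require a valid chain ending at one of its CAs.
func TrustedByBundle(bundlePEM []byte, server *x509.Certificate, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundlePEM) // every PEM CERTIFICATE block in the bundle becomes a trusted root
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err == nil
}

// Demo builds a bundle holding one valid and one expired CA and reports whether three server certificates validate against it: one issued by the valid bundled CA, one by a CA absent from the bundle, one by the expired bundled CA.
func Demo() (bool, bool, bool) {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	goodCA, goodKey := newCert("Good Root CA", nil, nil, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0))
	oldCA, oldKey := newCert("Expired Root CA", nil, nil, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	otherCA, otherKey := newCert("Unlisted Root CA", nil, nil, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0))
	// A CA bundle is just the CA certificates concatenated as PEM, the "list of certificates" trusted_ca_bundles holds.
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: goodCA.Raw})
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: oldCA.Raw})...)
	good, _ := newCert("api.example.test", goodCA, goodKey, now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0))
	unlisted, _ := newCert("api.example.test", otherCA, otherKey, now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0))
	stale, _ := newCert("api.example.test", oldCA, oldKey, now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0))
	return TrustedByBundle(bundle, good, now), TrustedByBundle(bundle, unlisted, now), TrustedByBundle(bundle, stale, now)
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

The second and third results are the cases a misconfigured or stale bundle produces in practice: a service whose CA is not in the bundle, and a service whose CA is present but expired, are both rejected by TLS Proxy.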