Precondition

If any of your decryption rules use a cross-signed CA, cross-sign the new CA as well by having your own CA sign the new CA's CSR. Refer to the TMWS Online Help topic: Cross-signing the CA Certificate for TMWS Cloud Proxy.

Steps

To replace the old certificate with the new CA, do the following:

  1. Log on to the management console and go to Policies > Global Settings to download the new HTTPS root CA.

    [Screenshot: downloading the new HTTPS root CA]

  2. Deploy the new certificate to your clients and make sure they trust the new CA.

    For steps on how to deploy the certificate, refer to the TMWS Online Help topic: TMWS Certificate Deployment.

     
    Make sure you have finished Step 2 before carrying out the remaining steps; otherwise your end users may receive untrusted-certificate warnings when browsing the Internet, because the proxy will start issuing certificates from a CA their devices do not yet trust.
     
  3. Rename the downloaded file from "current_cloud_ca_cert.cer" to "current_cloud_ca_cert.pem". This is the default CA file.
  4. Go to Policies > HTTPS INSPECTION > Decryption Rules.

     
    If Decryption Rules is disabled, enable the feature on the Global Settings page.
     
    1. Click a Rule Name to edit that Decryption Rule.
    2. Click Choose file. If the rule uses the default CA, select the .pem file renamed in Step 3; if the rule uses a cross-signed CA, select the new cross-signed CA prepared in the Precondition.

      [Screenshot: selecting the renamed certificate file]

      The rule then shows the information of the new default CA:

      [Screenshot: new default CA information]

      Or, for a cross-signed rule, the new cross-signed CA, for example:

      [Screenshot: new cross-signed CA information]

    3. Click Save.
  5. Repeat Step 4 for every other HTTPS decryption rule.
  6. HTTPS decryption rules created after this point use the new default CA by default.

Verification

If no decryption rule exists yet, configure one HTTPS rule that decrypts all traffic. Then generate HTTPS traffic from a client and inspect the certificate chain the browser receives: the issuing CA should be the new one.

  • For the default CA:

    [Screenshot: certificate chain issued by the new default CA]

  • For the cross-signed CA:

    [Screenshot: certificate chain issued by the cross-signed CA]

 
If the browser still shows the old certificate chain, it may be serving it from its certificate cache. Try again after some time.