
Netskope Help

Certificates

Netskope-issued certificates are used by default. The Netskope proxy works with two types of certificates:

  • Trusted Certificate Authorities (CAs): CAs whose issued certificates Netskope should accept when it connects to destination sites.

  • Certificates for SSL/TLS decryption: the signing CA that Netskope uses to issue emulated server certificates for intercepted traffic.

By default, the Netskope platform blocks connections to sites with untrusted certificates. The trusted certificates feature lets you upload private, custom, and uncommon CAs to the Netskope platform, so that Netskope trusts sites whose certificates are signed by a CA that is either private or not in Netskope's common CA store.

Prior to this feature, the only way to make this work was to allow untrusted certificates, a global setting (Error Settings under Steering Configuration) that weakens security when enabled. Uploaded trusted certificates apply only to the tenant where they are uploaded.

The certificate file must be in PEM format and have a specific structure: the intermediate and root certificates are combined into a single PEM file, with the intermediate certificate first and the root certificate below it. Then upload the .pem file in the Netskope UI.

  1. Go to Settings > Manage > Certificates.

  2. In the Trusted CA tab, click New Trusted Cert.

  3. Enter a name, click Select File, and upload your certificate in PEM format.

  4. Click Validate.


    To add another certificate, click the +New Cert link.

  5. When the Valid Certificates message appears, click Save.


The certificate you just created appears on the page.


The certificate name, status, common name, expiration date, and last modification date are shown in the table. Click the Preview icon to see a detailed view of the certificate.


To customize the columns on the page, click the gear icon and specify the columns you want to see.

To sort certificates shown on the page, use the Sort By dropdown list.


To download, rename, deactivate, or delete certificates, use the buttons above the list or the menu beside each entry.


The Netskope proxy decrypts TLS/SSL traffic at scale. The signing CA used for decryption can be Netskope's own CA, a CA you create from a CSR that your own CA signs, a CA you import together with its private key, or an on-premises CA whose private key stays in your KMIP server. Each method is described in the sections below.

Note

The Netskope certificates are the default active certificates. Multiple custom certificate sets can be created, but only one certificate set can be used (i.e., be active) at one time. Make sure the active Root CA is deployed on your end-user devices.

To begin, go to the Signing CA tab. The certificate name, status, common name, and expiration date are shown in the table. Click the Preview icon to see a detailed view of the certificate. Once familiar with the Signing CA page, proceed to the sections below.


You can use the Netskope-issued Root and Intermediate CA certificates for TLS/SSL interception of inline traffic. The Root certificate is installed automatically when the Netskope Client is installed. You can also download these certificates to add them to the trusted store of end-user devices that do not run the client.

To download and install the Root or Intermediate CA manually:

  1. Go to Settings > Manage > Certificates.

  2. Click the Signing CA tab.

  3. Locate the Netskope Certificate and click the Download icons to download each type of certificate.


Netskope Client automatically installs the Root certificate.

You can create a Certificate Signing Request (CSR), get it signed by your trusted CA, and then upload it to Netskope. You can upload the Root and Intermediate CA certificates (one per file), or upload the entire certificate chain (in a single file), in PEM format.

  1. Click New Signing CA and select Create Certificate CSR.

  2. Enter these parameters:

    • Signing CA Name: Required. This name appears in the Name and Status column of the Signing CA page.

    • Common Name: Required. This name appears in the Common Name column of the Signing CA page.

    • Organization: The full legal name of your organization including the corporate identifier. This field is optional.

    • Organization Unit: Your department such as "Information Technology" or "Information Security". This field is optional.

    • Email Address: The email address of your organization. This field is optional.

    • Country: The official two-letter country code (e.g., US, CH) where your organization is legally incorporated. This field is optional.

    • State: The state or province where your organization is legally incorporated. This field is optional.

    • City: The locality or city where your organization is legally incorporated. Do not abbreviate. This field is optional.


    Key algorithm and key size cannot be changed. When finished, click Save and Continue.

  3. Copy or download the CSR and get it signed by your CA. When you have it, click Next.

  4. Enter a name for the certificate file, and click Select File. Locate and upload the file. If you are uploading individual files instead of a certificate chain, click + New Cert to upload subsequent files.


    When finished, click Validate. After validation is complete, you can use the Status toggle to make the certificates active, or do so later on the main Signing CA page. Click Save.
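The two openssl steps that this Create Certificate CSR flow and the Trusted CA upload earlier on the page leave to you, as an added example that is not Netskope's code: signing the CSR so that the result is a CA certificate (a certificate without basicConstraints CA:TRUE and keyCertSign verifies as a leaf but cannot issue emulated server certificates that clients accept), and assembling the intermediate-then-root PEM in the order the UI validates. Everything in it is constructed: "Example Corp", the CN values, the work directory, and the throwaway root CA that stands in for your enterprise CA.

```shell
#!/bin/sh
# Added example (not Netskope's code). Exercises two rules from this page with
# openssl: (1) a CSR signed by your CA must come back as a CA certificate;
# (2) a combined PEM for upload holds the intermediate first and the root last.
# "Example Corp", the CN values and the work directory are constructed; a
# throwaway root CA stands in for your enterprise CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/openssl.cnf"

# make_root_ca: throwaway self-signed root (constructed, offline stand-in).
make_root_ca() {
  openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/O=Example Corp/CN=Example Corp Private Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
}

# make_csr: stand-in for the CSR Netskope hands you in "Create Certificate CSR".
make_csr() {
  openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/O=Example Corp/CN=Netskope TLS Inspection CA" 2>/dev/null
}

# sign_as_subordinate_ca <csr> <out.pem>: what your CA must do with that CSR.
# pathlen:0 lets the key sign leaf (emulated server) certs but no further CAs.
sign_as_subordinate_ca() {
  cat > "$WORK/sub.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -in "$1" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" -out "$2" 2>/dev/null
}

# is_ca_cert <cert.pem>: 0 only if the certificate may sign other certificates.
is_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'Certificate Sign'
}

# dn <cert.pem> subject|issuer: the DN without its "subject=" / "issuer=" label.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*= *//'; }

# build_chain <intermediate.pem> <root.pem> <out.pem>: the order Netskope
# validates on upload, intermediate first and root below it.
build_chain() { cat "$1" "$2" > "$3"; }

# check_chain_order <chain.pem>: 0 only if the file holds exactly two certs,
# the first is issued by the second, the second is self-signed, and the first
# verifies with the second as trust anchor.
check_chain_order() {
  count=$(grep -c 'BEGIN CERTIFICATE' "$1")
  [ "$count" -eq 2 ] || { echo "expected 2 certificates, found $count" >&2; return 1; }
  awk -v d="$WORK" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/part" n ".pem") }' "$1"
  [ "$(dn "$WORK/part1.pem" issuer)" = "$(dn "$WORK/part2.pem" subject)" ] ||
    { echo "first cert is not issued by the second: wrong order or broken chain" >&2; return 1; }
  [ "$(dn "$WORK/part2.pem" subject)" = "$(dn "$WORK/part2.pem" issuer)" ] ||
    { echo "second cert is not self-signed: the root must come last" >&2; return 1; }
  openssl verify -CAfile "$WORK/part2.pem" "$WORK/part1.pem" >/dev/null 2>&1
}

make_root_ca
make_csr
sign_as_subordinate_ca "$WORK/sub.csr" "$WORK/sub.pem"
is_ca_cert "$WORK/sub.pem" && echo "signed certificate can act as a signing CA"
build_chain "$WORK/sub.pem" "$WORK/root.pem" "$WORK/chain.pem"
check_chain_order "$WORK/chain.pem" && echo "chain order OK, upload $WORK/chain.pem"
```

The checks are plain functions, so they can be run against real files: `is_ca_cert signed.pem` on what your CA returns before uploading it under Signing CA, and `check_chain_order my-chain.pem` before uploading to the Trusted CA tab. A chain file in root-then-intermediate order, or a file containing only one certificate, fails the second check with a message saying why.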

You can import signing certificates from your CA along with the associated private key.

  1. Click New Signing CA and select Import Certificate.

  2. Enter a signing CA name and a file name, and then click Select File. Upload either the CA Root and Intermediate certificate files individually or the certificate chain in a single file. To upload subsequent certificate files, click + New Cert, and then enter a file name and click Select File again.

  3. For Private Key, click Select File to upload your private key, and if a passphrase is used, enter it in the Passphrase text field.

  4. When finished, click Validate. After validation is complete, you can use the Status toggle to make the certificates active, or do so later on the main Signing CA page. Click Save.


To use your custom certificates (if not already active), first add them, then click the menu icon to the right of the certificate and select Activate.


You can keep the private key of your signing CA in an on-premises HSM or key management server and let Netskope use it, over KMIP, to sign the emulated certificates it generates for TLS/SSL interception of inline traffic. The flow is:

  • Create an RSA key pair inside the Key Management Interoperability Protocol (KMIP) server

  • Export a copy of the private key to a secure local system

  • Generate a CSR for the intermediate custom CA certificate from that copy, then delete the exported private key

  • Sign the intermediate certificate with your Root CA

  • This intermediate certificate is used as the tenant certificate for the specific tenant only

  • Provide the intermediate certificate to Netskope; the private key stays inside the KMIP server

Before configuring an on-prem CA, ensure you have:

  • A Key Management System (KMS) server with KMIP SIGN operation support (e.g., CipherTrust Manager 170v, version 2.0.0)

  • A KMIP

  • An RSA private key cryptographic object in KMIP server

  • An RSA Key Pair (See Creating an RSA Key Pair in CipherTrust Manager)

  • Pinhole firewall rules that allow inbound KMIP connections from the following Netskope egress IP addresses:

    31.186.239.163/24
    163.116.128.36/24
    163.116.131.70/24
    163.116.160.5/24
    163.116.206.32/25
    163.116.206.2
    163.116.148.2
    163.116.171.24
    163.116.185.2

To connect an on-prem CA:

  1. Go to Settings > Manage > Certificates.

  2. Click the Signing CA tab.

  3. Click New Signing CA and then Connect On-Prem Certificate.

  4. In the Connect On-Prem Certificate window:

    • CA Profile Name: Enter a name for the signing CA.

    • Tenant CA: Upload the following certificates.

      • Intermediate Certificate: Upload your custom intermediate CA. If you only have a root certificate, you can upload it here and leave the certificate chain empty.

      • Certificate Chain (Optional): Upload any other custom intermediate CAs that complete the chain to the custom intermediate or root CA you uploaded above.

    • KMIP CA-Private Key Name: Enter the KMIP key name for the custom CA certificate private key.

    • KMIP Primary Host & Port: Enter the on-prem KMIP (KMS) server primary destination host and port.

    • KMIP Alternate Host (Optional): Enter an alternate KMIP supported host for redundancy. You must enter a valid hostname or public IP address. Private IP addresses are blocked for security reasons.

    • Status: Enable or disable the certificate.

    The Connect On-Prem Certificate window on the Certificates page.
  5. Click Validate and then Save.

KMIP Forwarding lets Netskope's encryption use an on-premises key manager. This functionality is available only on the virtual appliance. KMIP requests from the Netskope cloud to your on-premises KMIP server use TLS mutual authentication, so you must upload both the KMIP client certificate and the KMIP server CA certificate.

To configure KMIP forwarding:

  1. Go to Settings > Security Cloud Platform > On-Premises Infrastructure.

  2. Under KMIP Forwarding, do the following:

    • KMIP Client Certificate: Upload the KMIP client certificate, which Netskope uses to communicate with the on-premises key manager.

    • KMIP Server CA Certificate: Upload the KMIP server CA certificate, which Netskope uses to validate the server certificates used by the on-premises key manager.

    KMIP Forwarding section in On-Premises Infrastructure
  3. Contact your Netskope Sales Representative to help validate the certificate configuration and end-to-end connectivity to the on-premises key manager.

  4. Install the Root CA of this signing chain in the trusted store of end-user devices, and in browser certificate stores where browsers keep their own, so that TLS/SSL interception is trusted.

Note

Only one certificate can be active for TLS/SSL decryption.

To create an RSA key pair and export it to a local secure system to generate a custom CA in CipherTrust Manager k170v:

  1. Go to Keys & Access Management.

  2. Click Create a New Key.

  3. Enter the following information:

    • Key Name: Enter a name for the key.

    • Algorithm: Choose RSA.

    • Size: Choose 2048.

    • Key Owner: Enter local|global so Netskope can access the key.

    Key Metadata section in CipherTrust Manager
  4. In the Key Properties section:

    • Alias (KMIP Name): Set it to the key name you created in Step 3.

    • Key Properties: Select the following properties.

      • Sign

      • Verify

      • Certificate Sign

    The Key Properties section in CipherTrust Manager.
  5. In the Key Behaviors section, deselect the following:

    • Prevent this key from being deleted

    • Prevent this key from being exported

    The Key Behaviors section in CipherTrust Manager.
  6. Click Create to generate the public and private crypto objects.

    The custom public and private key in CipherTrust Manager.
  7. Click the private key object and copy the unique ID assigned from the KMS server. In this example, it's 93f041c115034b7eb3398eaeeac37002fa5954e6ab934513ae298d66cb62e2fd.

    The unique ID for the custom private key in CipherTrust Manager.
  8. On the top right, click API.

    The API option in CipherTrust Manager.
  9. Authenticate to the REST API so you can download the private key material.

    The API Authenticate window in CipherTrust Manager.
  10. On the left pane, go to Keys.

    Keys section in the Thales API Guide
  11. Select the Export API and enter the unique ID you copied in Step 7.

    The Export POST in the Thales API Guide.
  12. Click POST to run the API. The response to the POST request includes all the details of the created RSA key pair:

    Export POST request in the Thales API Guide
  13. The private key is in the material field. Copy it to a file on the secure local system and use it for CSR creation; delete that file once the CSR has been generated.

To revoke a certificate, deactivate the currently active certificate and activate the certificate to be used instead. Once the new certificate is active, the previous one is no longer used for SSL/TLS decryption and is purged from all Netskope data plane nodes. Deactivating a certificate in Netskope does not remove it from device trust stores where it was installed manually; if its private key may have been exposed, also revoke it at your issuing CA and remove it from those stores.

After you upload a signing certificate to Netskope, Netskope initiates the following processes:

  • Generates and uses an encryption key specific to your organization to encrypt your certificate using Netskope’s key management system (KMS).

  • When users access a domain over HTTPS, Netskope:

    • Calls its KMS to decrypt your signing certificate and loads it into system memory.

    • Generates a server certificate for the destination site signed by your signing certificate.

    • Uses the server certificate to complete the HTTPS connection while allowing inspection of the user traffic by the proxy.
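The per-destination issuance step described above, reproduced with openssl as an added example that is not Netskope's implementation: a root-only signing CA stands in for your active signing certificate, emulate_server_cert mints the leaf for a requested host, and client_accepts performs the checks an end-user device makes (chain to a trusted root, host name in the SAN, fit for a TLS server), which is why the active root must be deployed to devices. "Example Corp", the host names and the work directory are constructed.

```shell
#!/bin/sh
# Added example (not Netskope's code): reproduce with openssl what the data
# plane does for each HTTPS destination once your signing certificate is
# loaded: mint a server certificate for the requested host, signed by the
# active signing CA, and check it the way an end-user device would.
# "Example Corp", the host names and the work directory are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/openssl.cnf"

# make_signing_ca: stand-in for the active signing CA. A root-only signing CA
# is used here, which the page allows; constructed so the script runs offline.
make_signing_ca() {
  openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 1825 -keyout "$WORK/signing-ca.key" -out "$WORK/signing-ca.pem" \
    -subj "/O=Example Corp/CN=Example Corp TLS Inspection CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
}

# emulate_server_cert <host> <out.pem>: issue the emulated leaf for <host>.
# A production proxy copies the SAN list from the origin's certificate; here
# the SAN is the requested host. CA:FALSE and serverAuth-only mean a leaked
# emulated certificate cannot be used to issue anything else.
emulate_server_cert() {
  host="$1"
  openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" -subj "/CN=$host" 2>/dev/null
  cat > "$WORK/$host.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/signing-ca.pem" \
    -CAkey "$WORK/signing-ca.key" -CAcreateserial -days 7 -sha256 \
    -extfile "$WORK/$host.ext" -out "$2" 2>/dev/null
}

# client_accepts <leaf.pem> <host> <trusted-ca.pem>: 0 only if the leaf chains
# to the CA in the device trust store, names <host>, and is valid for a TLS
# server. A device without the signing root deployed fails the first condition,
# which is the certificate warning users see when the root is not rolled out.
client_accepts() {
  openssl verify -CAfile "$3" -purpose sslserver -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_signing_ca
emulate_server_cert www.example.com "$WORK/www.example.com.pem"
client_accepts "$WORK/www.example.com.pem" www.example.com "$WORK/signing-ca.pem" \
  && echo "device with the signing root deployed accepts the emulated certificate"
```

Point client_accepts at a CA file other than signing-ca.pem to see the failure a device without the deployed root reports, and at a different host name to see the SAN check reject the certificate; `openssl x509 -in <leaf> -noout -text` shows the CA:FALSE and serverAuth constraints the emulated leaf carries.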