Netskope Help

Configure Certificates

Server-side certificates are required to enable SSL inspection. You can use either a self-signed CA certificate or, preferably, a CA certificate signed by the enterprise's root or intermediate CA. See Use your own CA certificates.

Alternatively, the Secure Forwarder can generate a self-signed certificate without CA. See Generate a self-signed certificate without CA.

Use your own CA certificates

Make sure that the CA certificate of the Secure Forwarder has a common name.

  1. Enter the command:

    set dataplane secure-forwarder server-cert

    Copy and paste your CA certificate in the buffer, press Enter, then type Ctrl-D to exit.

  2. Enter the command:

    set dataplane secure-forwarder server-key

    Copy and paste your private key in the buffer, press Enter, then type Ctrl-D to exit.

  3. Enter the command:

    set dataplane secure-forwarder server-intermediate-ca-chain

    Copy and paste any additional certificates in the following order:

    1. Server certificate (as provided in step 1)

    2. Intermediate CA certificate 

    3. Root CA certificate

    Press Enter, then type Ctrl-D to exit.

  4. Enter save and press Enter to save the configuration.
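A pre-flight check for the files pasted in steps 1 to 3, as an added example that is not part of the Netskope documentation. It runs on a workstation with the openssl CLI; the function names, file names and sample subjects are assumptions, and the chain check compares issuer and subject names only.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the PEM files pasted in steps 1-3 (added example).
# Needs the openssl CLI on a workstation; all file names are placeholders.

# Prerequisite: the CA certificate must carry a common name.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        grep -Eq '(^subject= ?|,)CN='
}

# Steps 1-2: the private key must belong to the certificate.
key_matches_cert() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Step 3: bundle order is server certificate, intermediate CA, root CA.
# Compares issuer/subject names only; signatures are not verified here.
chain_in_order() {
    local dir n i=1 next iss subj rc=0
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1") || n=0
    [ "$n" -ge 1 ] || rc=1
    while [ "$i" -le "$n" ]; do
        next=$i   # the last certificate (root) must be issued by itself
        if [ "$i" -lt "$n" ]; then next=$((i + 1)); fi
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subj=$(openssl x509 -in "$dir/$next.pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$subj" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Constructed sample data: a throwaway root and a certificate issued by it.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Constructed/CN=Constructed SF CA" \
        -keyout "$1/sf.key" -out "$1/sf.csr" 2>/dev/null
    openssl x509 -req -in "$1/sf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/sf.pem" 2>/dev/null
    cat "$1/sf.pem" "$1/root.pem" > "$1/chain.pem"        # order from step 3
    cat "$1/root.pem" "$1/sf.pem" > "$1/wrong-order.pem"  # reversed bundle
}
```

Call `cert_has_cn` and `key_matches_cert` on the certificate and key, and `chain_in_order` on the bundle, before pasting them into the CLI buffers.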

Generate a self-signed certificate without CA
  1. If you are not using a CA and want the Secure Forwarder to generate a self-signed certificate, run the following command:

    run request certificate generate secure-forwarder self-signed city <city> common-name <common-name> country <country> days <days> email-address <email-address> organization <organization> organization-unit <organization-unit> state <state>

    Here's an example command to generate a self-signed certificate:

    run request certificate generate secure-forwarder self-signed city "Los Altos" common-name "sforwarder.netskope.com" organization "netskope" organization-unit "netskope cert authority" state "CA" country "US" email-address "admin@netskope.com"
  2. Enter save and press Enter to save the configuration.

Verifying the Certificates

To verify that the cloud app traffic is forwarded by the Secure Forwarder to the tenant instance in the Netskope cloud, browse to any cloud app domain managed by Netskope and verify that the SSL certificate presented is the certificate installed on the device.