Skip to content

Secure Proxy Certificate

Connections from the browser to our secure proxy will be protected by the Secure Proxy Certificate. There are several methods to generate this certificate. Unfortunately, the easiest method to generate the certificate using Admin UI will not work in cloud deployments, see this issue for more information.

Generate Using Root CA and OpenSSL

One way to generate the secure proxy certificate requires the use of Root CA authority we used for HTTPS decryption and OpenSSL toolkit.

The idea here is that as we are going to enable HTTPS decryption on our proxy anyway and when doing that, we will have to generate our own Root CA self signed certification authority. We will then re-use this authority to also generate a secure proxy certificate. As our browsers need to trust our Root CA for HTTPS decryption, they will also automatically trust our secure proxy certificate.

So download the myca.pem file from C:\ProgramData\Diladele\etc folder and use it in the following OpenSSL commands. See this Microsoft Azure document for more information.

$ openssl req \
    -newkey rsa:2048 \
    -nodes \
    -keyout secure_proxy.key \
    -subj "/C=NL/ST=Noord-Holland/L=Amsterdam/O=Example B.V./OU=IT/CN=secure-web-filtering-proxy.westeurope.cloudapp.azure.com" \
    -out secure_proxy.csr

$ openssl x509 \
    -req \
    -extfile <(printf "subjectAltName=DNS:secure-web-filtering-proxy.westeurope.cloudapp.azure.com") \
    -days 732 \
    -in secure_proxy.csr -CA myca.pem -CAkey myca.pem -CAcreateserial \
    -out secure_proxy.crt

$ cat secure_proxy.key secure_proxy.crt > secure_proxy.pem

The subj parameter is filled as indicated in the following table. Note how we set the Common Name parameter and subjectAltName extension to the fully qualified name of our secure proxy.

Question Sample Answer
Country Name NL
State or Province Name Noord-Holland
Locality Name Amsterdam
Organization Name Example B.V.
Organizational Unit Name IT
Common Name secure-web-filtering-proxy.westeurope.cloudapp.azure.com

The last command concatenated the private key and certificate for the proxy together as this is how the Admin UI requires it to be.

To dump the contents of the certificate use openssl x509 -in secure_proxy.crt -text -noout command.

Import Secure Proxy Pem into Admin UI

We now need to import the secure_proxy.pem file into Admin UI. So open the Proxy Settings, select Secure Proxy node and click the Import button as shown on the following screenshot.

Import Secure Proxy Certificate

Click Open and verify the Common Name shown on the secure proxy certificates properties is indeed secure-web-filtering-proxy.westeurope.cloudapp.azure.com.

Common Name of Secure Proxy Certificate

Configure Browser for Secure Proxy

We will use Mozilla Firefox as our test browser, so navigate to Options / Connections / Proxy tab. Select the Automatic Proxy Configuration Script option and type the following line into it as-is. Microsoft Edge and Google Chrome can be configured easily using this article as a reference.

data:,function FindProxyForURL(u, h){return "HTTPS secure-web-filtering-proxy.westeurope.cloudapp.azure.com:8443";}

Validate Secure Connections

The final step is to navigate to some web site and make sure the connection is done using TLS at port 8443. The following screenshot of wireshark output confirm our expectations - the traffic between the browser and the proxy is indeed secure and takes place over port 8443.

Wireshark Interception of Secure Web Proxy