The Blog


Olfeo On-Premise knowledge base
June 5, 2023

How to use the certificate and key from the certification authority for SSL decryption


To decrypt SSL streams from HTTPS pages, you need to configure SSL decryption. This module requires a "Trusted Root Certification Authority" certificate.

If you have a certification authority, you can extract the certificate and key for use in this process. This certificate of authority will create signatures to encrypt flows between the Olfeo web security gateway and the client.

Note: if you don't have a certification authority, you can generate a self-signed certificate, which you can deploy via GPO in the "Trusted Root Certification Authority" store on client workstations. See this article for certificate creation: https: //



Connect to the MS Windows server that has the Active Directory Certificate Services role.

Open Server Manager, click on Tools and select Certification Authority:

In the new window, right-click on your certification authority, select All tasks and then Backup certification authority... :

The Certification Authority Backup Wizard appears, click Next

In the next step, check the Private key and CA certificate option, then define the location of the files by clicking on Browse... :

In the next step, leave the password blank and click Next :


Please note that certificates protected by password or passphrase are not supported.


Click on Finish to finalize the operation.

You obtain a PKCS12 file (.P12 extension) containing your authority's certificate and private key:

In order to import these elements into the Olfeo web security gateway, you need to extract the contents of this file. To do this, you can use various tools depending on your operating system:

  • XCA (MS Windows)
  • openssl (Linux)

XCA (MS Windows)

Download and install the XCA tool: https: //

Create a new database by clicking on File then New database :

In the new window, specify a location for the database (.xdb file) and enter a password, then click OK.

Click on the Import menu and select PKCS#12:

Specify the location of the file with the .P12 extension

In the new window, click on Import all:

To export the private key, click on the Private keys tab, select the key and click on Export.

Save the file in PEM format (*.pem) :


Be careful to change the default file location, as an error message will appear if you don't customize this field.


Repeat the same operation in the Certificates tab :

openssl (Linux)

To export the private key, run the following command:
openssl pkcs12 -in fichier.p12 -nocerts -out private.key

To export the certificate, run the following command:
openssl pkcs12 -in file_name.p12 -clcerts -nokeys -out public.crt



To import these elements into the SSL decryption configuration, go to the Proxy Cache QoS menu and click on the SSL Global Options tab.

Import the certificate and private key on this page, then click on the Validate button.