02-06-2009 09:20 AM
Hi,
How can I get a trusted root certificate with its private key to upload into the WSA?
We run a corporate CA and can sign user and server certificates without problem. When I create a certificate request (with OpenSSL as explained in the Ironport knowledge base) and get it signed in our CA, on uploading the two files, the WSA tells me it would be server cert and no root certificate. This way at least I'd be able to provide the private key...
If I'd try to upload our corporate (and public) root CA certificate, I will never get the private key, because our CA is a sub CA of German Telekom...
I also exported the self made root certificate, converted it into a cert request and tried to get it signed by our CA but then the CA complains about the certificate having only 1024 byte encryption, they want at least 2048...
Any hints welcome, thx!
02-10-2009 03:42 PM
johanssen,
As you discovered, you are making server certificates using your own CA certificate, which will not work for the IronPort HTTPS decryption service.
The WSA HTTPS decryption works very much like the CA that you have - except the WSA makes server certificates on the fly, spoofing the real server certificate's data.
The only way for you to use your own "trusted" certificate, is to do one of the following:
1. Obtain both the public and private keys for your CA and import them into the WSA.
Since this seems to not be an option for you...
2. Have a 'child' Intermediate CA cert signed by your root CA and import the public and private keys of the intermediate cert into the WSA.
This will create a chain of trust so that all server certs created by the WSA are trusted by the Intermediate Certificate. The Intermediate certificate is trusted by your Root and therefore the chain of trust is valid.
03-09-2011 01:39 PM
Ok, I'm with you on option two. The problem is that when I request a certificate and choose to make the key exportable (Microsoft CA), it issues the key in a .pvk format which Ironport doesn't like. Is there an easy way to convert it to the regular .key format. Openssl doesn't seem to be able to do it. Am I missing an obvious way to do this?
Thanks.
02-27-2009 11:04 AM
Hi Josh,
you wrote:
2. Have a 'child' Intermediate CA cert signed by your root CA and import the public and private keys of the intermediate cert into the WSA.
02-27-2009 10:40 PM
If you have the root certificate and private key, you can use OpenSSL to generate an intermediate signing certificate.
I've gotten these commands to work, but it's not always so simple. I seem to always run into snags when using OpenSSL. I won't really be able to help much beyond these commands.
:: Generate Intermediate private key (2048-bit, passphrase-protected) + CSR and sign it
openssl genrsa -des3 -out intermediate.key 2048
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
:: Sign with the CA configured in openssl.cnf; v3_ca extensions make the result a CA cert
openssl ca -extensions v3_ca -days 365 -out intermediate.cer -in intermediate.csr -config openssl.cnf
:: Same, but naming the CA key and cert explicitly (-keyfile, since -key is the passphrase option)
openssl ca -extensions v3_ca -keyfile ca.key -cert ca.cer -days 365 -out intermediate.cer -in intermediate.csr -config openssl.cnf