how to obtain a trusted root certificate? (https proxy)

johanssen · ‎02-06-2009

Hi,
how can I get a trusted root certificate with its private key to upload into WSA?

We run a corporate CA and can sign user and server certificates without problem. When I create a certificate request (with OpenSSL as explained in the Ironport knowledge base) and get it signed in our CA, on uploading the two files, the WSA tells me it would be server cert and no root certificate. This way at least I'd be able to provide the private key...

If I'd try to upload our corporate (and public) root CA certificate, I will never get the private key, because our CA is a sub CA of German telekom...

I also exported the self made root certificate, converted it into a cert request and tried to get it signed by our CA but then the CA complains about the certificate having only 1024 byte encryption, they want at least 2048...

Any hints welcome, thx!

jowolfer · ‎02-10-2009

johanssen,

As you discovered, you are making server certificates using your own CA certificate, which will not work for the IronPort HTTPS decryption service.

The WSA HTTPS decryption works very much like the CA that you have - except the WSA makes server certificates on the fly, spoofing the real server certificate's data.

The only way for you to use your own "trusted" certificate, is to do one of the following:

1. Obtain both the public and private keys for your CA and import them into the WSA.

Since this seems to not be an option for you..

2. Have a 'child' Intermediate CA cert signed by your root CA and import the public and private keys of the intermediate cert into the WSA.

This will create a chain of trust so that all server certs created by the WSA are trusted by the Intermediate Certificate. The Intermediate certificate is trusted by your Root and therefor the chain of trust is valid.

Corey OBrien · ‎03-09-2011

Ok, I'm with you on option two. The problem is that when I request a certificate and choose to make the key exportable (Microsoft CA), it issues the key in a .pvk format which Ironport doesn't like. Is there an easy way to convert it to the regular .key format. Openssl doesn't seem to be able to do it. Am I missing an obvious way to do this?

Thanks.

johanssen · ‎02-27-2009

Hi Josh,

you wrote:
2. Have a 'child' Intermediate CA cert signed by your root CA and import the public and private keys of the intermediate cert into the WSA.

I forwarded your answer to our cert "gurus" and they are not able(?) to give me the information needed nor to create the root certs.

Our support line told me I'd have to set up a Microsoft Windows server, activate AD and then cert services etc... I cant believe that this is the only way...

I tried to convert the root certificate (the self made one from the WSA) into a cert request and get this signed by our CA. Problem is that the encryption is only 1024 bytes and our CA needs at least 2048.

Should I follow instead OpenSSL instructions to create an intermediate CA cert? I'm not a certificate expert so I'm not sure if this is the right way...

Regards
Peter

jowolfer · ‎02-27-2009

If you have the root certificate and private key, you can use OpenSSL to generated an intermediate signing certificate.

I've gotten these commands to work, but it's not always so simple. I seem to always run into snags when using OpenSSL. I won't really be able to help much beyond these commands.

:: Generate Intermediate private key + CSR and sign it
openssl genrsa -des3 -out intermediate.key 2048

openssl req -new -sha1 -key intermediate.key -out intermediate.csr

openssl ca -extensions v3_ca -days 365 -out intermediate.cer -in intermediate.csr -config openssl.cnf

openssl ca -extensions v3_ca -key ca.key -cert ca.cer -days 365 -out intermediate.cer -in intermediate.csr -config openssl.cnf