jowolfer Wed, 08/19/2009 - 15:15


You cannot generate a CSR from the WSA.

It's not clear from your post as to exactly what you need the certificate for.

If you are trying to use a specific certificate to secure the WSA HTTPS GUI, you can import your own server certificate using the CLI -> certconfig command.

If you're referring to the WSA decryption certificate, you'll need to generate a Root certificate or intermediate certificate and key from your corporate CA server and import them in the WSA GUI in the HTTPS service config.

horol_ironport Wed, 08/19/2009 - 15:43

I was thinking of the WSA decryption certificate.

OK, one possibility is to import my corporate CA root certificate, because it is well known to my clients (browsers). But it has one security issue: I must import the private keys into the WSA, and I don't want that.

I think it is better to generate a certificate for the WSA using my well-known corporate CA. In this case the certificate will be trusted by all clients and it has no security issue.

My question was about the second part. If the WSA can't generate a CSR, I will generate the RSA keys and CSR on another machine (for example any Linux box) and my corporate CA will generate the certificate for the WSA. After that I will import the private key together with the WSA cert into the WSA (and of course the private key on the Linux machine will be deleted and never used for any purpose other than the WSA).

Is it clear now?


jowolfer Thu, 08/20/2009 - 17:29


Yes, the process that you talk about will work. You'll need to create a private and public (CSR) key pair and sign the CSR using your trusted root CA.

You will need to make sure that the CSR generated is for an intermediate root certificate. This is done via the extensions. Basic constraints will need to be set to Subject Type=CA.
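
The procedure the thread arrives at (RSA key and CSR generated on a Linux box, signed by the corporate CA with basic constraints CA:TRUE, then key and cert imported into the WSA together), as an added worked example that is not part of the original posts and not Cisco's code. Because it has to run offline, it creates a throwaway root CA as a stand-in for the corporate CA; the subject names, file names and the WORK scratch directory are assumptions. It also adds the three checks a practitioner would run before the import: the cert really is a CA cert, it chains to the corporate root, and the key being imported belongs to the cert.

```shell
#!/bin/sh
# Added example: key + CSR generated off-box, signed as an intermediate CA,
# then sanity-checked before import into the WSA (key and cert together).
# The "corporate CA" below is a throwaway root created only so this runs
# offline; in real use the CSR goes to the corporate CA instead.
set -e

WORK=${WORK:-$(mktemp -d)}   # scratch directory (assumption)

# Constructed stand-in for the corporate root CA that browsers already trust.
make_corp_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.crt" 2>/dev/null
}

# Step 1 (on any Linux box): RSA key and CSR for the WSA decryption cert.
# The CSR asks for CA:TRUE because the WSA uses this cert to sign the
# per-site certificates it presents when decrypting HTTPS.
gen_wsa_csr() {
  openssl genrsa -out "$WORK/wsa.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/wsa.key" \
    -subj "/O=Example Corp/CN=Example Corp WSA Decryption CA" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -out "$WORK/wsa.csr" 2>/dev/null
}

# Step 2 (on the corporate CA): sign the CSR as an intermediate CA.
# A CA normally applies its own template, so the extensions are set
# explicitly here instead of relying on what the CSR requested.
sign_as_intermediate() {
  cat > "$WORK/wsa-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -sha256 -days 1095 -in "$WORK/wsa.csr" \
    -CA "$WORK/corp-ca.crt" -CAkey "$WORK/corp-ca.key" -CAcreateserial \
    -extfile "$WORK/wsa-ext.cnf" -out "$WORK/wsa.crt" 2>/dev/null
}

# Step 3: checks to run before importing wsa.key + wsa.crt into the WSA.

# Basic constraints must say CA:TRUE, or the WSA cannot mint site certs.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# The cert must chain to the corporate root the browsers trust.
verify_chain() {
  openssl verify -CAfile "$WORK/corp-ca.crt" "$1" >/dev/null 2>&1
}

# The key being imported must belong to the cert (same RSA modulus).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Whole procedure; returns non-zero if any step or check fails.
build_wsa_cert() {
  make_corp_ca && gen_wsa_csr && sign_as_intermediate &&
  is_ca_cert "$WORK/wsa.crt" &&
  verify_chain "$WORK/wsa.crt" &&
  key_matches_cert "$WORK/wsa.key" "$WORK/wsa.crt"
}

# Once the import into the WSA succeeds, wipe the off-box copy of the key,
# e.g. shred -u "$WORK/wsa.key" (or remove "$WORK" entirely).
```

Run `build_wsa_cert` and then hand `$WORK/wsa.key` and `$WORK/wsa.crt` to the WSA import; with the real corporate CA, replace `make_corp_ca` and `sign_as_intermediate` with the CA's own submission and signing steps, keeping the CA:TRUE basic constraint.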

horol_ironport Thu, 08/20/2009 - 21:36

That means the WSA cannot generate a CSR (the answer to my first question). There is only one possibility: I must generate the CSR somewhere else and then import the private key and SSL cert into the WSA. Sure?

jowolfer Fri, 08/21/2009 - 15:44

You are correct.

The WSA cannot generate a key and CSR. It will only accept importing the signed key pair.
