3rd party cert on ironport

Justin Westover
Level 1

Is it better to run your internal root cert on the IronPort, or can I place a 3rd party (VeriSign, GoDaddy) cert on the IronPort? If it is better to use a 3rd party cert, how do I create the CSR (certificate signing request) on the IronPort?

5 Replies

Justin,

I suspect that a 3rd party cert is technically better, you're not exposing your internal root to accidental mishandling... but it's nice, since 1, you have it already, 2 (assuming an AD integrated Enterprise Root) your workstations already trust it.

The Ironport won't create a key request.

Get OpenSSL, and use that to do the following:

     generate a private key          'openssl genrsa -out privkey.pem 2048'

     generate a cert request        'openssl req -new -key privkey.pem -out cert.csr'

     If you have to decrypt your private key       'openssl rsa -in privkey.pem -out deckey.key'

Upload the request to the SSL vendor, get your cert

Then upload the decrypted key and cert to the WSA.

Ken
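
Added example, not part of Ken's reply: a shell script that runs his key and CSR steps non-interactively and then confirms that the CSR, and later the cert the vendor returns, carry the same public key as the private key before anything is uploaded. The function names, the script name and the hostname argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helper names and file layout are placeholders, not from the thread.

# Print the public key (PEM) held in a private key, CSR, or certificate.
pub_of() {  # pub_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key.
same_pubkey() {  # same_pubkey TYPE1 FILE1 TYPE2 FILE2
    a=$(pub_of "$1" "$2") || return 1
    b=$(pub_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# An encrypted PEM key says ENCRYPTED in its header lines.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Ken's first two steps, with the key file readable by its owner only.
make_key_and_csr() {  # make_key_and_csr DIR COMMON_NAME
    ( umask 077; openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/privkey.pem" -out "$1/cert.csr" -subj "/CN=$2"
}

# Usage: sh certcheck.sh HOSTNAME [CERT_FROM_CA.pem]
# First run creates privkey.pem and cert.csr; rerun with the issued cert to check it.
if [ -n "${1:-}" ]; then
    [ -f privkey.pem ] || make_key_and_csr . "$1" || exit 1
    if key_is_encrypted privkey.pem; then
        echo "privkey.pem is encrypted; decrypt it first with openssl rsa" >&2
        exit 1
    fi
    same_pubkey key privkey.pem csr cert.csr || { echo "CSR does not match key" >&2; exit 1; }
    echo "cert.csr matches privkey.pem"
    if [ -n "${2:-}" ]; then
        same_pubkey key privkey.pem cert "$2" \
            || { echo "MISMATCH: $2 was not issued for privkey.pem" >&2; exit 1; }
        echo "$2 matches privkey.pem"
    fi
fi
```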

So what if I would like to use our internal root cert? I still need to create a cert for the IronPort, right? Then upload our root cert, correct? That would complete the cert chain.

If you put your internal root and key on the ironport, you don't HAVE to create a cert for the ironport.

If you do issue a cert for the ironport, you'll upload the cert, the key, and the intermediate chain as a trusted root.

Do I place the enterprise root under the "HTTPS Proxy Settings" page or under the "Custom Root Authority Certificates" page? Both pages are located under Security Services->HTTPS Proxy.

If you're using it as the only cert, then put it in the Edit HTTPS Proxy Settings page, just below where you tell it to generate a self-signed cert.

If you generated one off of your cert authority, you'd put the root cert chain in the Custom Root Authority Certificates. (I think...)

Hmm... I may have exported the cert with all of the certs in cert path and uploaded that.
