
Can WSA generate CSR?

horol_ironport
Level 1

I need to generate an SSL cert for the WSA using our corporate CA. Is it possible to generate SSL keys and a CSR for the CA on the WSA?

martin

6 Replies

jowolfer
Level 1

Martin,

You cannot generate a CSR from the WSA.

It's not clear from your post as to exactly what you need the certificate for.

If you are trying to use a specific certificate to secure the WSA HTTPS GUI, you can import your own server certificate using the CLI -> certconfig command.

If you're referring to the WSA decryption certificate, you'll need to generate a Root certificate or intermediate certificate and key from your corporate CA server and import them in the WSA GUI in the HTTPS service config.

horol_ironport
Level 1

Josh,
I was thinking of the WSA decryption certificate.

OK, one possibility is to import my corporate CA root certificate, because it is well-known to my clients (browsers). But it has one security issue: I must import the private keys to the WSA, and I don't want that.

I think it is better to generate a certificate for the WSA using my well-known corporate CA. In this case the certificate will be trusted by all clients and it has no security issue.

My question was about the second part. If the WSA can't generate a CSR, I will generate RSA keys and a CSR on another machine (for example, any Linux) and my corporate CA will generate a certificate for the WSA. After that I will import the private key with the WSA cert to the WSA. (And of course the private key will be deleted from the Linux machine and never used for any purpose other than the WSA.)

Is it clear now?

martin

jowolfer
Level 1

Martin,

Yes, the process that you talk about will work. You'll need to create a private and public (CSR) key pair and sign the CSR using your trusted root CA.

You will need to make sure that the CSR generated is for an intermediate root certificate. This is done via the extensions. Basic constraints will need to be set to Subject Type=CA.

horol_ironport
Level 1

That means the WSA cannot generate a CSR (answer to my first question). There is only one possibility: I must generate the CSR in a different place and then import the private key and SSL cert to the WSA. Sure?

jowolfer
Level 1

You are correct.

The WSA cannot generate a key and CSR. It will only accept importing the signed key pair.

daveofferman
Level 1

Download OpenSSL to generate the CSRs.
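
The off-box procedure discussed in this thread, as an added example that is not from any of the posters: generate the RSA key and a CSR with OpenSSL, request Basic Constraints CA:TRUE in the CSR, and check the result before sending it to the corporate CA. The file names, key size, key usage values and subject name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed names: wsa.key, wsa.csr, csr.cnf; assumed key size: 2048 bits.

make_ca_csr() {
    # $1 = output directory, $2 = subject common name (assumed value)
    out=$1; cn=$2
    # Request extensions: the CSR asks for a CA (intermediate) certificate.
    cat > "$out/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_subca

[ dn ]
CN = $cn

[ v3_subca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Create the private key with owner-only permissions (umask in a subshell).
    ( umask 077; openssl genrsa -out "$out/wsa.key" 2048 2>/dev/null ) || return 1
    # Build the CSR from that key and the extension section above.
    openssl req -new -sha256 -key "$out/wsa.key" \
        -config "$out/csr.cnf" -out "$out/wsa.csr" || return 1
}

csr_requests_ca() {
    # $1 = CSR file. Succeeds only if the CSR's self-signature verifies
    # and the requested extensions include CA:TRUE.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage (constructed values):
#   mkdir -p ./wsa-csr && make_ca_csr ./wsa-csr "Example WSA Decryption CA"
#   csr_requests_ca ./wsa-csr/wsa.csr && echo "CSR requests CA:TRUE"
```

The CSR only requests the extension; whether the issued certificate carries CA:TRUE is decided by the signing CA's policy, so inspect the returned certificate with `openssl x509 -noout -text` before importing it.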