
New Member

How to set up a certificate for the HTTPS proxy on WSA

Hi, I'm trying to install the certificate for the HTTPS proxy on WSA.

The environment is not using a private CA, so there is no option for this.

I was going to use a third-party certificate like VeriSign, but they don't allow the 1024-bit CSR which the WSA is generating.

Then my only option is to upload a certificate and key.

I have a trusted certificate, but do not have the matching key. Is there any way I can get it?

Also, the certificate has to be a signing certificate. Does that mean the certificate is a root certificate or a trusted certificate?

Then how do I get the key for it?

Thank you.

  • Web Security
3 REPLIES
Cisco Employee


Hi,

The certificate required in the WSA for the HTTPS proxy is a root certificate.

Please see the previous discussion about the same topic

 

https://supportforums.cisco.com/discussion/11723386/how-setup-ssl-certificate-ironport-wsa

 

Thanks,

Donny

 

Cisco Employee


Hi

Posted already in some other thread, but repeating here.

You could try the following steps (with openssl):

 

Generate the key:

openssl genrsa -des3 -out cakey.pem 2048

Generate the certificate (Valid for 10 Years):

openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650

Remove the passphrase from the key:

openssl rsa -in cakey.pem -out cakey_nopass.pem

Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.

Be aware of the performance impact caused by a 2048-bit certificate. It may influence it a lot.

BR,
Artur
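The steps above, as an added shell example that is not from the thread or from Cisco: it builds the CA the same way (non-interactively), then runs the two checks a practitioner wants before importing anything into the WSA: does the private key actually belong to the certificate, and is the certificate a signing CA at all (a server certificate bought from a public CA is not, which is what the original poster ran into). File names and the example CA subject are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: reproduce Artur's CA
# steps non-interactively, then check what the WSA HTTPS proxy actually needs.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }
WORK=$(mktemp -d)   # scratch directory; all file names here are constructed

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example WSA HTTPS Proxy CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# genrsa + req -x509 + rsa (passphrase removal) collapsed into one call:
# -nodes writes the key unencrypted, which is the form the WSA import takes.
make_cert() {  # $1 = extension section, $2 = key file, $3 = cert file
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -extensions "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# The WSA needs the private key belonging to the cert: compare the public key
# inside the certificate with the one derived from the private key.
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The proxy re-signs server certificates on the fly, so the cert must be a CA
# with keyCertSign; a server certificate issued by a public CA is not.
is_signing_ca() {  # $1 = cert
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

make_cert v3_ca   "$WORK/cakey_nopass.pem" "$WORK/cacert.pem"   # what to import
make_cert v3_leaf "$WORK/srvkey.pem"       "$WORK/srvcert.pem"  # public-CA style
key_matches_cert "$WORK/cacert.pem" "$WORK/cakey_nopass.pem" && echo "CA key matches"
is_signing_ca "$WORK/cacert.pem" && echo "cacert.pem is a signing CA: usable"
is_signing_ca "$WORK/srvcert.pem" || echo "srvcert.pem is a leaf cert: not usable"
```

Run the two check functions against the certificate you were given and the key you hold; if either fails, no WSA setting will make that pair work.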

New Member


I assume the openssl commands are to create a self-signed certificate. In order not to show end users a certificate error, I have to deploy this certificate. There is no way to do it.

That's why I came up with getting signed by public certificate authorities such as VeriSign, Comodo, and so on.

However, I figured the public certificate authorities do not sign as a root certificate.
