Do I understand the question

mbaker33 · ‎06-24-2014

Hello,

I have an internal Windows CA that we would like to use for SSL/HTTPS decryption within PRSM. I have attempted to export/import all of the different methods I can think of, but I can't seem to get a combination that works with PRSM.

Does anyone have any input, or an article that details the steps for doing so? I've used OpenSSL before for similar things, but for some reason it seems like PRSM is a bit more fussy.

Thanks in advance.

Mark

Marvin Rhoads · ‎06-24-2014

Do I understand the question is how to issue PRSM a certificate using your internal Windows CA (who is a trusted root CA for your users) so that it can apply a decryption policy for SSL traffic without the users having to accept / import and new certificates in to their trusted certificate store?

If so, are you following the process documented here?

mbaker33 · ‎07-07-2014

Hi Marvin,

Thanks for the reply, I've been on vacation for 10 days and just getting back to this now.

You are correct, that's exactly what I am trying to do. I did find that document, but I am having a hard time getting the format correct for the import to work. Should I be creating a certificate within IIS, and then exporting it with the private key and importing it into PRSM?

Thanks,

Mark

mbaker33 · ‎07-07-2014

The thing that confuses me is this line:

"If you request a new certificate from a CA, ensure that you request a certificate that is itself a Certificate Authority. In other words, you need to have a certificate that is enabled for issuing additional “child” certificates."

I'm not sure how to do this, as I've never had to do so.

Thanks,

Mark

Marvin Rhoads · ‎07-07-2014

I believe, to put it in Microsoft's terms, that they want you to issue the CX a certificate using the "subordinate CA" template available on Microsoft's Active Directory Certificate Services' terminology (link to Technet reference).

Windows Internal CA and PRSM