Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

WSA & CA Certificate Issue

we have 3 domain controllers with only 1 certificate authority where users should use it for ssl encryption , but end user devices ignore the CA and use the other public CAs instead .


also i couldn't enforce the end users through the GPO in the active directory to use only the CA certificate !

or even the Ironport port's certificate.

im done with the Ironport configuration and made it join into the domain.everything works fine on the Ironport.

i have noticed that the CA server is not active !can any help me please  im not sure what to do ?i need to make users use either wsa certificate or the ca certificate thanks .!


First a couple of things to

First a couple of things to clear up some misperceptions:

Clients don't "use" the CA, YOU use the CA to issue a cert that the clients trust.  If your CA is an "Enterprise" CA, your clients will already trust certs it issues.

Depending upon how the WSA is configured, not all transactions use the cert on the WSA.  For example, you may not decrypt sites with high reputation, so you'll see the sites own cert in that case.


So first off determine if your CA is an Enterprise CA:  Open the Certificate Authority MMC, if you see the "Certificate Templates" node, its an Enterprise CA.

Is it an Enterprise CA?

Did you issue a cert from you CA and put it on your WSA?





New Member

first thank you so much for

first thank you so much for your help :)

and yes its an Enterprise CA and i did issue a certificate from  the ca and uploaded it into the wsa with its

private key PEM format .

but even tho the clients still dont trust it ! you should get " Verified by your CA " up on the browser .i dont get that at all !

what i know is that clients should trust the CA certificate automatically as long as they are joined the domain .

any ideas ?


New Member

I just went thru this same

I just went thru this same thing recently by creating a 2048 certificate using OpenSSL and submitting the req to our Enterprise CA, then uploading the cert and the key to the Ironport.


One question I would have is what option did you select under Security Services/https proxy, edit settings for HTTPS Proxy settings and under Root Certificate for Signing. Did you select the option " use uploaded certificate and key" or did you use "use generated certificate and key" ?


Both allow you to upload a cert but the second option I think will require you to import the certificate on the client PCs while the first option will trust the certificate (Chrome or IE, but not on Firefox) as long as it is a domain PC.


I followed the instruction here and found them very helpful:


New Member

Thanks for your help . I went

Thanks for your help .


I went with  the option "used uploaded certificate and key "

i used the Open SSL to get the private key from the certificate , converted both to .PEM

and after that i did upload them into the WSA




Kindly please follow the

Kindly please follow the below link you will get successfully certificate import.


Cisco IronPort WSA: Configuring management and HTTPS proxy certificates 

New Member

not solved though , my main

not solved though , my main problem is with the Certificate authority it self ! not with the WSA

windows machine don't trust the CA still

New Member

I have also used OpenSSL to

I have also used OpenSSL to generate my CSR and key, I submitted the CSR to my CA and they issue the signed cert back. I have been unable to load this cert and key into the WSA. It keeps telling me that this is a server certificate a signing certificate is required. I have been unable to get this to work or use any certificate that I generate. The only certificate and key that is seems to use is the one created by the WSA, which is rather weak on its cipher and options. I require a 2048-bit and SHA2(56) cert at a minimum for my environment. Any help is appreciated.




buying a server cert from a

buying a server cert from a public CA for a few hundred dollars won't work.  You need a cert that can sign other certs.   For every https site you access through the  WSA the WSA generates a cert for the transaction between the client and the WSA. A server cert can't do that ...

Youre asking your CA to provide you with a cert to sign certs that the rest of the world would trust... (e.g. because youre expecting your workstations to already trust these certs) .

Tell me a bit about your 100000 seats?  All WIndows? Mac? *nix?

If Windows, 1 domain? multiple?  Do you have an internal CA?


New Member

Mostly Windows. Multiple

Mostly Windows. Multiple domains. We do not have any internal CA's anymore. We use a public CA and preinstall the necessary certificates on all workstations when they are built. Any updates are done by GPO and they are limited. I am trying to take advantage of the public certificate that has been signed and issue on our behalf from our CA, in this instance it is Comodo. If we still had the internal PKI servers we could get around the issue but that does not exist anymore.

New Member

Thank you guys my main

Thank you guys my main problem has been solved with the CA .

it turned out that the CA doesnt work well and need to be activated


Thank you so much

CreatePlease to create content