topic 3rd party cert on ironport in Web Security

3rd party cert on ironport

Justin Westover — Thu, 02 Feb 2012 20:32:32 GMT

Is it better to run your internal root cert on the ironport or can I place a 3rd party (verisign, godaddy) cert on ironport? If it is better to use a 3rd party cert, how do i create the CSR (certificate signing request) on ironport?

Re: 3rd party cert on ironport

Ken Stieers — Thu, 02 Feb 2012 21:43:01 GMT

Justin,

I suspect that a 3rd party cert is technically better, you're not exposing your internal root to accidental mishandling... but its nice, since 1, you have it already, 2 (assuming an AD integrated Enterprise Root) your workstations already trust it.

The Ironport won't create a key request.

Get OpenSSL, and use that to do the following:

generate a private key 'openssl genrsa -out privkey.pem 2048

generate a cert request 'openssl req -new -key privkey.pem -out cert.csr'

If you have to decrypt your private key 'openssl rsa - in privkey.pem -out deckey.key

Upload the request to the SSL vendor, get your cert

Then upload the decrypted key and cert to the WSA.

Ken

3rd party cert on ironport

Justin Westover — Thu, 02 Feb 2012 21:53:54 GMT

So what if i would like to use our internal root cert. I still need to create a cert for ironport right? then upload our root cert correct? that would complete the cert chain.

Re: 3rd party cert on ironport

Ken Stieers — Thu, 02 Feb 2012 22:08:52 GMT

If you put your internal root and key on the ironport, you don't HAVE to create a cert for the ironport.

If you do issue a cert for the ironport, you'll upload the cert, the key, and the intermediate chain as a trusted root.

3rd party cert on ironport

Justin Westover — Thu, 02 Feb 2012 22:21:10 GMT

Do i place the enterprise root under the "HTTPS Proxy Settings" page or under the "Custom Root Authority Certificates" page? Both pages are located under Security Services->Https Proxy.

3rd party cert on ironport

Ken Stieers — Thu, 02 Feb 2012 22:28:45 GMT

If you're using it as the only cert, then put it in the Edit HTTPS Proxy Settings page, just below where you tell it to generate a selfsigned cert.

If you generated one off of your cert authority, you'd put the root cert chain in the Custom Root Authority Certificates. (I think...)

Hmm... I may have exported the cert with all of the certs in cert path and uploaded that.