https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019396#M7185 <P>Hi Pradip,</P> <P>Watch the video in the following link, there are some parameters (in blue color) you should take in consideration while signing the CSR by your CA.</P> <P>https://supportforums.cisco.com/video/11933356/steps-enable-https-proxy-wsa-certificate-signing-request-csr-option</P> <P></P> <P><STRONG>To request a certificate by using a PKCS&nbsp;#10 or PKCS&nbsp;#7 file </STRONG></P> <OL class="ordered"> <LI> <P>Open a Web browser.</P> </LI> <LI> <P>Open https://<EM>servername</EM>/certsrv, where <EM>servername</EM> is the name of the Web server hosting the CA Web enrollment pages.</P> </LI> <LI> <P>Click <STRONG>Request a certificate</STRONG>, and then click <STRONG>Advanced certificate request</STRONG>.</P> </LI> <LI> <P>Click <SPAN style="color: #0000ff;"><STRONG>Submit a certificate request using a base-64-encoded CMC or PKCS&nbsp;#10 file</STRONG> or </SPAN><STRONG><SPAN style="color: #0000ff;">Submit a renewal request by using a base-64-encoded PKCS&nbsp;#7</SPAN> file</STRONG>.</P> </LI> <LI> <P>In Notepad, click <STRONG>File</STRONG>, click <STRONG>Open</STRONG>, select the PKCS&nbsp;#10 or PKCS&nbsp;#7 file, click <STRONG>Edit</STRONG>, click <STRONG>Select all</STRONG>, click <STRONG>Edit</STRONG>, and then click <STRONG>Copy</STRONG>. On the Web page, click in the <STRONG>Saved request</STRONG> box. Click <STRONG>Edit</STRONG>, and then click <STRONG>Paste</STRONG> to paste the contents of the certificate request into the box.</P> </LI> <LI> <P>Choose <SPAN style="color: #0000ff;"><STRONG>Subordinate CA</STRONG></SPAN> as the certificate template you want to use.</P> </LI> <LI> <P>Click <STRONG>Submit</STRONG>.</P> </LI> </OL> <P>Regards!</P> <P>Jocelyn</P> Mon, 13 Mar 2017 10:22:05 GMT ZINSOU ADAM JOCELYN ADISSO 2017-03-13T10:22:05Z https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019392#M7181 <P>we recently installed Cisco WSA S380 in our environment. We enabled https proxy and generate CSR and send it to sign when we got the signed certificate and tried to upload we got error mentioning " Error — Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required". I have uploaded the root CA as well but didn't find any proper solution to solve this.</P> <P>Looking for your help.</P> <P></P> <P>Thank you in advance.</P> <TABLE height="12" width="21" cellspacing="0" cellpadding="0" border="0"> <TBODY> <TR valign="top"> <TD nowrap="nowrap"></TD> <TD style="padding: 0 6px 0 3px;"></TD> <TD id="action-results-message"></TD> </TR> </TBODY> </TABLE> Tue, 07 Mar 2017 06:33:42 GMT https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019392#M7181 Pradip Upreti 2017-03-07T06:33:42Z https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019393#M7182 <P>Hi Pradip,</P> <P></P> <P>It seems you have used an incorrect template to generate the certificate.</P> <P>On the CA, make sure you&nbsp;use the certificate template as a "subordinate CA" not the 'web server' template.</P> <P></P> <P>Regards,</P> <P>Kush</P> Tue, 07 Mar 2017 10:46:36 GMT https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019393#M7182 kushsriva 2017-03-07T10:46:36Z https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019394#M7183 <P>Hi Kush,</P> <P>Thanks for the reply, I will contact my certificate provider for the same hope this will solve our issue.</P> <P></P> <P>Regards,</P> <P>Pradip</P> Wed, 08 Mar 2017 04:30:11 GMT https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019394#M7183 Pradip Upreti 2017-03-08T04:30:11Z https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019395#M7184 <P>I am unaware of any CAs (GlobalSign, Verisign, etc) that will issue the type of Certificate that you need. In order to do decryption you need a CA Cert or an Intermediate CA Cert.&nbsp;</P> <P><BR />GlobalSign states this...</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;"><A href="https://www.globalsign.com/en/certificate-authority-root-signing/">https://www.globalsign.com/en/certificate-authority-root-signing/</A></SPAN></P> <P><STRONG>Trusted Root is a select service with strict requirements. <SPAN style="text-decoration: underline;">Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic.</SPAN></STRONG></P> <P><STRONG></STRONG>You may be better served by generating a Self Signed Cert on the WSA or generating an Intermediate Cert from your own CA if you have a PKI infrastructure setup.&nbsp;</P> <P></P> <P>Hope this helps.&nbsp;</P> <P>Please rate helpful replies. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> &nbsp;</P> <P></P> <P><STRONG> </STRONG></P> Thu, 09 Mar 2017 21:00:56 GMT https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019395#M7184 Tim Glen 2017-03-09T21:00:56Z https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019396#M7185 <P>Hi Pradip,</P> <P>Watch the video in the following link, there are some parameters (in blue color) you should take in consideration while signing the CSR by your CA.</P> <P>https://supportforums.cisco.com/video/11933356/steps-enable-https-proxy-wsa-certificate-signing-request-csr-option</P> <P></P> <P><STRONG>To request a certificate by using a PKCS&nbsp;#10 or PKCS&nbsp;#7 file </STRONG></P> <OL class="ordered"> <LI> <P>Open a Web browser.</P> </LI> <LI> <P>Open https://<EM>servername</EM>/certsrv, where <EM>servername</EM> is the name of the Web server hosting the CA Web enrollment pages.</P> </LI> <LI> <P>Click <STRONG>Request a certificate</STRONG>, and then click <STRONG>Advanced certificate request</STRONG>.</P> </LI> <LI> <P>Click <SPAN style="color: #0000ff;"><STRONG>Submit a certificate request using a base-64-encoded CMC or PKCS&nbsp;#10 file</STRONG> or </SPAN><STRONG><SPAN style="color: #0000ff;">Submit a renewal request by using a base-64-encoded PKCS&nbsp;#7</SPAN> file</STRONG>.</P> </LI> <LI> <P>In Notepad, click <STRONG>File</STRONG>, click <STRONG>Open</STRONG>, select the PKCS&nbsp;#10 or PKCS&nbsp;#7 file, click <STRONG>Edit</STRONG>, click <STRONG>Select all</STRONG>, click <STRONG>Edit</STRONG>, and then click <STRONG>Copy</STRONG>. On the Web page, click in the <STRONG>Saved request</STRONG> box. Click <STRONG>Edit</STRONG>, and then click <STRONG>Paste</STRONG> to paste the contents of the certificate request into the box.</P> </LI> <LI> <P>Choose <SPAN style="color: #0000ff;"><STRONG>Subordinate CA</STRONG></SPAN> as the certificate template you want to use.</P> </LI> <LI> <P>Click <STRONG>Submit</STRONG>.</P> </LI> </OL> <P>Regards!</P> <P>Jocelyn</P> Mon, 13 Mar 2017 10:22:05 GMT https://community.cisco.com/t5/web-security/cisco-wsa-https-proxy-certificate-issue/m-p/3019396#M7185 ZINSOU ADAM JOCELYN ADISSO 2017-03-13T10:22:05Z