topic Request Sub-CA-Certificate for Ironport WSA in Network Security

Request Sub-CA-Certificate for Ironport WSA

swiss_ewok — Fri, 21 Feb 2020 12:25:11 GMT

How do I request a Sub-CA-Certificate for an Ironport WSA ? The GUI only offers the import of the public and private certificates to running the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.

Thanks for your help.

Request Sub-CA-Certificate for Ironport WSA

swiss_ewok — Mon, 08 Aug 2011 10:25:21 GMT

Here is the solution for this question:

The steps to use the sample inf file are:

run the command: certreq.exe -new certreq.inf cacert.req
submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
install the certificate by running the command: certreq.exe -accept newcacer.cer
export the certificate to a PFX file including the private key
using openssl convert the PFX file to PEM format with the following steps:

* extract the certificate file (the signed public key) from the pfx file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts

* extract private key from a pfx file and write it to PEM file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts

* remove the password from the private key file:
openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem

That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now trusted by the client (if the Root-CA is trusted on the client).

Sample for the INF-File:

*******************************

[Version]

Signature="$Windows NT$"

[Strings]
CACN = "Issuing CA"

[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"

[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************

Request Sub-CA-Certificate for Ironport WSA

Jeffrey Ness — Tue, 22 Nov 2011 19:28:14 GMT

Thank you very much for posting this. I am trying to follow your instructions, but when I run step 1 using the INF provided I get the error:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

Request Sub-CA-Certificate for Ironport WSA

Jeffrey Ness — Tue, 22 Nov 2011 20:02:51 GMT

I found the answer to my question on Microsoft's site. Windows 2003 doesn't support text based OID comments. It needs to be base64 (or use Windows 2008 or 2008 R2).

Thanks a ton for this post! I

Jeff Ferrell — Thu, 10 Jul 2014 19:16:41 GMT

Thanks a ton for this post!

I'd like to add that since certreq is way different than openssl cfg file format, I'd post what I used to get more than the CN to show up.

Subject = "CN=wsa.company.com,OU=IT,O=My FQDN of Company,L=My City,S=Virginia,C=US"