08-04-2011 10:29 PM - edited 02-21-2020 04:25 AM
How do I request a Sub-CA certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates to run the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.
Thanks for your help.
08-08-2011 03:25 AM
Here is the solution for this question:
The steps to use the sample inf file are:
* extract the certificate file (the signed public key) from the pfx file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
* extract private key from a pfx file and write it to PEM file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
* remove the password from the private key file:
openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
That's all. Then you can import the Sub-CA cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).
Sample for the INF-File:
*******************************
[Version]
Signature="$Windows NT$"
[Strings]
CACN = "Issuing CA"
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"
[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************
11-22-2011 11:28 AM
Thank you very much for posting this. I am trying to follow your instructions, but when I run step 1 using the INF provided I get the error:
Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)
certreq.inf
[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0
11-22-2011 12:02 PM
I found the answer to my question on Microsoft's site. Windows 2003 doesn't support text-based OID comments. It needs to be base64 (or use Windows 2008 or 2008 R2).
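As an added example (not code from any reply in this thread, and not Cisco's or Microsoft's), here are the three openssl steps from the answer above wrapped as shell functions, followed by the checks worth running on the extracted files before importing them into the WSA: CA:TRUE with pathlen:0 and keyCertSign on the certificate, the key actually matching the certificate, and no passphrase left on the key. The PFX is constructed locally from a throw-away test root CA as a stand-in for the PFX exported from the Windows standalone CA; all file names and passwords are made-up sample values. It also emits the base64-encoded DER form of the same basicConstraints extension (cA=TRUE, pathLenConstraint=0), which is the value a CA that rejects `{text}` extensions, as in the Windows 2003 reply above, needs instead; how certreq takes that value in the INF is not covered by this thread. It assumes `openssl` on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: the answer's three openssl steps as
# functions, plus pre-import checks. The PFX is constructed here from a test root
# CA (assumed stand-in for the PFX exported from the Microsoft standalone CA);
# file names and the passwords "pfxsecret"/"keysecret" are made-up sample values.
set -eu

# Step 1 from the answer: only the signed Sub-CA certificate (no key, no root).
extract_cert() {  # $1 pfx  $2 pfx password  $3 output PEM
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3" -nodes -nokeys -clcerts
}

# Step 2: the private key, re-encrypted under a key passphrase (the original
# command prompts for it interactively; -passout supplies it non-interactively).
extract_encrypted_key() {  # $1 pfx  $2 pfx password  $3 key passphrase  $4 output PEM
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$4" -nocerts -passout "pass:$3"
}

# Step 3: remove the passphrase; the answer imports the unencrypted PEM key.
decrypt_key() {  # $1 encrypted key PEM  $2 key passphrase  $3 output PEM
    openssl rsa -in "$1" -passin "pass:$2" -out "$3"
}

# Check: basicConstraints CA:TRUE with pathlen:0 (what the INF's
# "ca=1&pathlength=0" requests) and keyCertSign must be present, or the WSA
# cannot issue certificates with this key.
cert_is_subca() {  # $1 certificate PEM
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'CA:TRUE'          || return 1
    printf '%s\n' "$txt" | grep -q 'pathlen:0'        || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
}

# Check: the key belongs to the certificate (compare SHA-256 of both public keys).
key_matches_cert() {  # $1 certificate PEM  $2 private key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Check: after step 3 the PEM carries neither a PKCS#8 "ENCRYPTED PRIVATE KEY"
# header nor a legacy "Proc-Type: 4,ENCRYPTED" line.
key_is_unencrypted() {  # $1 private key PEM
    ! grep -q 'ENCRYPTED' "$1"
}

# basicConstraints as DER, base64-encoded, for CAs that reject "{text}" values:
# SEQUENCE { BOOLEAN TRUE, INTEGER 0 } = 30 06 01 01 FF 02 01 00 (octal below).
basic_constraints_b64() {
    printf '\060\006\001\001\377\002\001\000' | openssl base64
}

# Constructed input: $1/subca.pfx (password "pfxsecret") holding a Sub-CA cert
# issued by a throw-away test root, mimicking the PFX exported from the CA.
make_test_pfx() {  # $1 working directory
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.crt" \
        -subj '/CN=Test Root CA' -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/subca.key" -out "$1/subca.csr" \
        -subj '/CN=Issuing CA' >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
        > "$1/subca.ext"
    openssl x509 -req -in "$1/subca.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial 4242 -days 1 -extfile "$1/subca.ext" -out "$1/subca.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/subca.crt" -inkey "$1/subca.key" -certfile "$1/root.crt" \
        -out "$1/subca.pfx" -passout pass:pfxsecret
}

# Runs steps 1-3 on $1/subca.pfx, then all checks; non-zero if any check fails.
run_pipeline() {  # $1 working directory
    extract_cert "$1/subca.pfx" pfxsecret "$1/SubCA_PubCert.pem"
    extract_encrypted_key "$1/subca.pfx" pfxsecret keysecret "$1/SubCA_PrivKey_encrypted.pem"
    decrypt_key "$1/SubCA_PrivKey_encrypted.pem" keysecret "$1/SubCA_PrivKey_unencrypted.pem"
    cert_is_subca "$1/SubCA_PubCert.pem" \
      && key_matches_cert "$1/SubCA_PubCert.pem" "$1/SubCA_PrivKey_unencrypted.pem" \
      && key_is_unencrypted "$1/SubCA_PrivKey_unencrypted.pem"
}

WORK=$(mktemp -d)
make_test_pfx "$WORK"
run_pipeline "$WORK" && echo "Sub-CA material in $WORK passed all checks"
echo "basicConstraints (DER, base64) for CAs that reject {text}: $(basic_constraints_b64)"
```

To use it on a real export, skip `make_test_pfx`, point `run_pipeline` at the directory holding the PFX from the Windows CA and replace the sample passwords; if `cert_is_subca` fails on a real PFX, the request was issued from a template or INF without `ca=1&pathlength=0` or without the certificate-signing key usage, and the WSA will not be able to act as a subordinate CA with it.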
07-10-2014 12:16 PM
Thanks a ton for this post!
I'd like to add that since the certreq INF format is quite different from the openssl cfg file format, I'd post what I used to get more than the CN to show up.
Subject = "CN=wsa.company.com,OU=IT,O=My FQDN of Company,L=My City,S=Virginia,C=US"