swiss_ewok
Beginner

Request Sub-CA-Certificate for Ironport WSA

How do I request a Sub-CA-Certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates to run the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.

Thanks for your help.

4 Replies
swiss_ewok
Beginner

Here is the solution for this question:

The steps to use the sample inf file are:

  1. run the command: certreq.exe -new certreq.inf cacert.req
  2. submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
  3. install the certificate by running the command: certreq.exe -accept newcacer.cer
  4. export the certificate to a PFX file including the private key
  5. using openssl convert the PFX file to PEM format with the following steps:

          * extract the certificate file (the signed public key) from the pfx file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts

          * extract private key from a pfx file and write it to PEM file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts

          * remove the password from the private key file:
            openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem

That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).

Sample for the INF-File:

*******************************

[Version]

Signature="$Windows NT$"

[Strings]
CACN = "Issuing CA"

[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"

[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************
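As an added example (not swiss_ewok's script and not anything shipped with the WSA): the three openssl calls from step 5 wrapped in a function, followed by the check a practitioner would run before importing the pair into the appliance, namely that the certificate is a CA limited to pathlength 0 as the INF requests, that keyCertSign and cRLSign are present, and that the private key actually belongs to the certificate. It assumes the openssl CLI; the root CA, the CA names, the file names and the PFX password are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: step 5 of the procedure as a function,
# plus a pre-import sanity check of the Sub-CA certificate and key.
# Assumes the openssl CLI; CA names, file names and password are constructed.

# pfx_to_pem PFX PASSWORD OUTDIR: the three openssl calls from step 5.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3/SubCA_PubCert.pem" \
    -nodes -nokeys -clcerts 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3/SubCA_PrivKey_encrypted.pem" \
    -nocerts -passout "pass:$2" 2>/dev/null
  openssl rsa -in "$3/SubCA_PrivKey_encrypted.pem" -passin "pass:$2" \
    -out "$3/SubCA_PrivKey_unencrypted.pem" 2>/dev/null
}

# check_subca CERT KEY: succeed only if CERT is a CA limited to pathlen 0
# (as the INF's "ca=1&pathlength=0" asks for), may sign certificates and CRLs,
# and KEY's public half is identical to the public key inside CERT.
check_subca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE, pathlen:0' || { echo "not a pathlen-0 CA"; return 1; }
  echo "$txt" | grep -q 'Certificate Sign' || { echo "keyUsage lacks keyCertSign"; return 1; }
  echo "$txt" | grep -q 'CRL Sign' || { echo "keyUsage lacks cRLSign"; return 1; }
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || { echo "private key does not match certificate"; return 1; }
}

# demo: constructed stand-in for the Windows side. Builds a root CA, issues a
# Sub-CA with the same extensions the INF requests, packs cert+key into a PFX
# (what step 4 exports), then runs the conversion and the check. Sets DEMO_DIR.
demo() {
  DEMO_DIR=$(mktemp -d)
  d=$DEMO_DIR
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Root CA" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/sub.key" -out "$d/sub.csr" \
    -subj "/CN=Issuing CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' \
    > "$d/ext.cnf"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/sub.pem" -days 30 -extfile "$d/ext.cnf" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/sub.key" -in "$d/sub.pem" -out "$d/subca.pfx" -passout pass:demo
  pfx_to_pem "$d/subca.pfx" demo "$d"
  check_subca "$d/SubCA_PubCert.pem" "$d/SubCA_PrivKey_unencrypted.pem"
}
```

Run `demo` to see the whole flow end to end; against a real export, call `pfx_to_pem` with the PFX and its password and then `check_subca` on the two PEM files it wrote.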

Thank you very much for posting this. I am trying to follow your instructions, but when I run step 1 using the INF provided I get the error:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

I found the answer to my question on Microsoft's site. Windows 2003 doesn't support text based OID comments. It needs to be base64 (or use Windows 2008 or 2008 R2).

Thanks a ton for this post!

I'd like to add that since certreq is way different than the openssl cfg file format, I'd post what I used to get more than the CN to show up.

Subject = "CN=wsa.company.com,OU=IT,O=My FQDN of Company,L=My City,S=Virginia,C=US"
