Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7411
Views
0
Helpful
4
Replies

Request Sub-CA-Certificate for Ironport WSA

swiss_ewok
Level 1
Level 1

‎08-04-2011 10:29 PM - edited ‎02-21-2020 04:25 AM

How do I request a Sub-CA-Certificate for an Ironport WSA ? The GUI only offers the import of the public and private certificates to running the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.

Thanks for your help.

0 Helpful
4 Replies 4

swiss_ewok
Level 1
Level 1

‎08-08-2011 03:25 AM

Here is the solution for this question:

The steps to use the sample inf file are:

  1. run the command: certreq.exe -new certreq.inf cacert.req
  2. submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
  3. install the certificate by running the command: certreq.exe -accept newcacer.cer
  4. export the certificate to a PFX file including the private key
  5. using openssl convert the PFX file to PEM format with the following steps:

          * extract the certificate file (the signed public key) from the pfx file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts

          * extract private key from a pfx file and write it to PEM file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts

          * remove the password from the private key file:
            openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem

That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now trusted by the client (if the Root-CA is trusted on the client).

Sample for the INF-File:

*******************************

[Version]

Signature="$Windows NT$"

[Strings]
CACN = "Issuing CA"

[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"

[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************

0 Helpful

Jeffrey Ness
Level 1
Level 1
In response to swiss_ewok

‎11-22-2011 11:28 AM

Thank you very much for posting this. I am trying to follow your instructions, but when I run step 1 using the INF provided I get the error:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

0 Helpful

Jeffrey Ness
Level 1
Level 1
In response to Jeffrey Ness

‎11-22-2011 12:02 PM

I found the answer to my question on Microsoft's site. Windows 2003 doesn't support text based OID comments. It needs to be base64 (or use Windows 2008 or 2008 R2).

0 Helpful

Jeff Ferrell
Level 1
Level 1
In response to swiss_ewok

‎07-10-2014 12:16 PM

Thanks a ton for this post!

 

I'd like to add that since certreq is way different than openssl cfg file format, I'd post what I used to get more than the CN to show up.

 

Subject = "CN=wsa.company.com,OU=IT,O=My FQDN of Company,L=My City,S=Virginia,C=US"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card