Beginner

Request Sub-CA-Certificate for Ironport WSA

How do I request a Sub-CA certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates for running the Ironport proxy appliance as a subordinate CA. The Root CA is a standalone CA from Microsoft.

Thanks for your help.

4 REPLIES
Beginner

Request Sub-CA-Certificate for Ironport WSA

Here is the solution for this question:

The steps to use the sample inf file are:

  1. run the command: certreq.exe -new certreq.inf cacert.req
  2. submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
  3. install the certificate by running the command: certreq.exe -accept newcacer.cer
  4. export the certificate to a PFX file including the private key
  5. using openssl convert the PFX file to PEM format with the following steps:

          * extract the certificate file (the signed public key) from the pfx file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts

          * extract private key from a pfx file and write it to PEM file:
            openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts

          * remove the password from the private key file:
            openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem

That's all. Then you can import the Sub-CA cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root CA is trusted on the client).

Sample for the INF file:

*******************************
[Version]
Signature="$Windows NT$"

[Strings]
CACN = "Issuing CA"

[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"

[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************

Beginner

Request Sub-CA-Certificate for Ironport WSA

Thank you very much for posting this. I am trying to follow your instructions, but when I run step 1 using the INF provided I get the error:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

certreq.inf

[Extensions] 2.5.29.19 = {text}ca=1&pathlength=0

Beginner

Request Sub-CA-Certificate for Ironport WSA

I found the answer to my question on Microsoft's site. Windows 2003 doesn't support text-based OID comments. It needs to be base64 (or use Windows 2008 or 2008 R2).
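The two replies above turn on the same detail: the basicConstraints extension (OID 2.5.29.19) that marks the WSA key as a CA with a path length of 0, written as `{text}ca=1&pathlength=0` in the sample INF, and required in its base64-encoded DER form by the Windows 2003 certreq. The following is an added example, not code from this thread or from Cisco or Microsoft, using only the Python standard library: it encodes that value to DER and base64, decodes it back, and checks that an exported Sub-CA value really says cA=TRUE with pathlen 0 (so the appliance's CA cannot issue further CAs). Function names, the `{text}` parsing rules (case-insensitive keys, `ca` accepting `1` or `true`) and the sample inputs are my assumptions; how the base64 string is placed in the INF for an older certreq is documented by Microsoft and not shown here.

```python
"""Added example (not from this thread): encode and decode the X.509
basicConstraints extension (OID 2.5.29.19) with the Python standard
library only, so the value can be checked without openssl or certreq.
Function names and the sample values are mine."""
import base64
import re
from typing import Optional, Tuple


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_basic_constraints(ca: bool, pathlen: Optional[int] = None) -> bytes:
    """BasicConstraints ::= SEQUENCE {
           cA                BOOLEAN DEFAULT FALSE,
           pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    DER omits a field equal to its DEFAULT, so cA=FALSE is an empty SEQUENCE."""
    body = b""
    if ca:
        body += b"\x01\x01\xff"                      # BOOLEAN TRUE
    if pathlen is not None:
        if pathlen < 0:
            raise ValueError("pathlen must be >= 0")
        # Positive INTEGER: one extra leading byte when the top bit would be set.
        value = pathlen.to_bytes((pathlen.bit_length() + 8) // 8, "big")
        body += b"\x02" + der_length(len(value)) + value
    return b"\x30" + der_length(len(body)) + body    # SEQUENCE


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                 # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Inverse of encode_basic_constraints; rejects malformed input."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    ca, pathlen, pos = False, None, 0
    if pos < len(seq) and seq[pos] == 0x01:
        _, v, pos = _read_tlv(seq, pos)
        ca = v == b"\xff"                            # DER: TRUE is 0xFF only
    if pos < len(seq) and seq[pos] == 0x02:
        _, v, pos = _read_tlv(seq, pos)
        pathlen = int.from_bytes(v, "big")
    if pos != len(seq):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return ca, pathlen


def parse_certreq_text(value: str) -> Tuple[bool, Optional[int]]:
    """Parse the "{text}ca=1&pathlength=0" form used in the sample INF.
    Assumption: keys are case-insensitive and ca accepts 1 or true."""
    m = re.fullmatch(r"\{text\}(.*)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("expected a {text}... value")
    fields = {}
    for part in m.group(1).split("&"):
        key, _, val = part.partition("=")
        if key.strip():
            fields[key.strip().lower()] = val.strip().lower()
    ca = fields.get("ca", "0") in ("1", "true")
    pathlen = int(fields["pathlength"]) if "pathlength" in fields else None
    return ca, pathlen


def certreq_base64(text_value: str) -> str:
    """Base64 of the DER for a {text} value (the form an older certreq needs)."""
    ca, pathlen = parse_certreq_text(text_value)
    return base64.b64encode(encode_basic_constraints(ca, pathlen)).decode("ascii")


def is_constrained_sub_ca(b64: str, max_pathlen: int = 0) -> bool:
    """True when the value says cA=TRUE with a path length <= max_pathlen.
    A Sub-CA that only mints per-site certificates for the proxy should
    carry pathlen 0 so it cannot sign further CA certificates."""
    ca, pathlen = decode_basic_constraints(base64.b64decode(b64))
    return ca and pathlen is not None and pathlen <= max_pathlen


if __name__ == "__main__":
    sample = "{text}ca=1&pathlength=0"               # value from the sample INF
    print(sample, "->", certreq_base64(sample))      # MAYBAf8CAQA=
```

The check function is the part worth keeping around: after the PFX has been exported and converted with openssl, the extension value from `openssl x509 -text` or `openssl asn1parse` can be fed through `decode_basic_constraints` to confirm the path length is really 0 before the key goes onto the appliance.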

Beginner

Thanks a ton for this post!

I'd like to add that since the certreq INF format is way different from the openssl cfg file format, I'd post what I used to get more than the CN to show up.


Subject = "CN=wsa.company.com,OU=IT,O=My FQDN of Company,L=My City,S=Virginia,C=US"