2048 bit key for IronPort WSA for HTTPS proxy

ccsipaul01
Level 1

Hello,

I was recently provided with the following information below.

"The feature request (ID) referenced is for the WSA generated certificates. Currently the certs generated are 1024 bits and the ability to generate 2048 bit certs has been requested.
If a 2048 bit root cert from a Local CA is created, it can be uploaded along with the private key via the ‘Use Uploaded Certificate and Key’ option.”

So we DO Support installing 2048 bit certificates generated by another source

Note: It has been reported that 2048 bit certs can degrade the WSA performance  by up to 75% in 7.5."

Looking for anyone who has successfully done this and to please provide me with pointers. If the WSA does not generate the CSR, how can I bind the certificate afterward?

Thanks in advance!

Paul

11 Replies

Paul,

Get OpenSSL from SourceForge.

This will generate a new key and the CSR (you'll be prompted for the various fields...)

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

(or use the command line generated with this tool https://www.ssl247.com/support/tools/openssl-csr-wizard)

That will create 2 files, the CSR file and the KEY. 

Send the CSR in, get your cert...

You'll need to decrypt the key before you can upload it to the WSA.

openssl rsa -in privatekey-encrypted.key -out private.key

Upload the cert and the key, and you're set...

You could also use IIS to generate the CSR, import the cert as you normally would, then export the cert as a Pfx file.  Then you'd have to use OpenSSL to pull it apart:
openssl pkcs12 -in yourdomain.pfx -nocerts -out privatekey-encrypted.key

You will be prompted for "Enter Import Password". This is the password created in step 11 above.

You will also be prompted for "Enter PEM pass phrase". This is the encryption password (used below).

This will create the encrypted private key file named "privatekey-encrypted.key"

To create a decrypted version of this key, use the following command:

openssl rsa -in privatekey-encrypted.key -out private.key

Ken,

Thank you for the detailed explanation. I will test this today or tomorrow.

Appreciate your timely reply!

Paul

Hi Ken

Just to let you know I have not yet tried this solution.

Should have time this week.

Thanks!

Hi Ken,

I've got the same issue, but when I used the openssl command provided, I get this error when trying to upload the key and certificate:

Error - Certificate upload failed. The certificate file appears to be a server certificate. A root signing certificate is required.

Thanks

After you generated the CSR and private key, where did you sign your CSR, and what type of certificate is it?

WSA only supports a root signing certificate, which is something like a subordinate certificate authority or trusted certificate authority, not a server certificate, which refers to a web server certificate.

As far as I know, a public certificate authority does not sign us as a signing certificate or root certificate, for security reasons.

This is what I am struggling with too.

Artur Nowicki
Cisco Employee

Hi Paul

A little bit late for a response, but you could try the following commands:

Generate the key:

openssl genrsa -des3 -out cakey.pem 2048

Generate the certificate (valid for 10 years):

openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650

Remove the passphrase from the key:

openssl rsa -in cakey.pem -out cakey_nopass.pem

Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.

Still, be aware of the performance impact caused by 2048-bit certificates.

BR,
Artur
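As an added example (not code from this thread or from Cisco), the following POSIX shell script runs Artur's three commands non-interactively and then performs the check that the earlier "appears to be a server certificate" error calls for: it confirms the certificate carries CA:TRUE and that the key is 2048 bits and passphrase-free before anything is uploaded. It assumes the openssl CLI is installed; every file name, subject and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH; every
# file name, subject and passphrase here is constructed for the demo.
set -eu
WORK="${TMPDIR:-/tmp}/wsa-ca-demo"
mkdir -p "$WORK"

# Mirror Artur's steps: passphrase-protected 2048-bit key, self-signed v3_ca cert,
# then a copy of the key with the passphrase removed (the WSA wants a plain key).
make_signing_ca() {
  openssl genrsa -des3 -passout pass:demo -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -extensions v3_ca -key "$WORK/cakey.pem" -passin pass:demo \
    -subj "/CN=Example WSA signing CA" -days 3650 -out "$WORK/cacert.pem" 2>/dev/null
  openssl rsa -in "$WORK/cakey.pem" -passin pass:demo -out "$WORK/cakey_nopass.pem" 2>/dev/null
}

# For contrast: a leaf certificate issued by that CA with no CA extensions, i.e. the
# kind of "server certificate" the WSA rejects for the HTTPS proxy signing slot.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -subj "/CN=proxy.example.test" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey_nopass.pem" \
    -CAcreateserial -days 365 -out "$WORK/srvcert.pem" 2>/dev/null
}

# Exit 0 if the certificate is a signing (CA) certificate, 1 if it is a leaf/server cert.
is_signing_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Exit 0 if the PEM private key carries no passphrase (required before uploading to the WSA).
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Print the RSA modulus size in bits, e.g. 2048.
key_bits() { openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'; }

make_signing_ca
make_server_cert
is_signing_cert "$WORK/cacert.pem" && echo "cacert.pem: usable as root signing certificate"
is_signing_cert "$WORK/srvcert.pem" || echo "srvcert.pem: server certificate, the WSA will reject it"
key_is_unencrypted "$WORK/cakey_nopass.pem" && echo "cakey_nopass.pem: $(key_bits "$WORK/cakey_nopass.pem")-bit key, no passphrase"
```

Run the same two checks against any certificate a CA hands back to you: a CSR signed with a web-server template or by a public CA will fail the CA:TRUE test, which is exactly the upload error reported earlier in this thread.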

Rick Williams
Level 1

I thought I'd just add my solution to this as I've just gone through the pain of creating this key and the other two (Management Interface and Forward Proxy Mode).

Note: I have created this to work with an internal Microsoft Certificate Server on our domain. The certificates were created using OpenSSL and CertSrv.

Credit to Jeff who posted on Byte of IT where I took some information from http://byteof.it/?p=315

Step 1 - GENERATE ROOT CERTIFICATE

Create the key and request file:

openssl req -new -newkey rsa:2048 -nodes -keyout WSA-ROOT.encrypted.key -out WSA-ROOT.req

Submit the request to CertSrv (check your Subordinate CA template is present and its alias is SubCA):

certreq -submit -attrib "CertificateTemplate:SubCA" WSA-ROOT.req

Log in to the Certificate Authority and approve the certificate from the Pending Requests.

Navigate to Issued Certificates and find your new certificate (check the template is showing as "Subordinate Certification Authority (SubCA)").

Open the certificate, go to the Details tab and click on "Copy to File".

Export the key as Base-64 encoded X.509 (.CER) - save it to the same directory as your key and req file as WSA-ROOT.cer.

Convert the key from encrypted format:

openssl rsa -in WSA-ROOT.encrypted.key -out WSA-ROOT.key

On the WSA GUI go to

Security Services > HTTPS Proxy > HTTPS Proxy Settings > Edit Settings > Root Certificate for Signing

Certificate File: WSA-ROOT.cer

Key File: WSA-ROOT.key

Upload Files

Submit

You should now have a working Root Certificate.
Step 2 - GENERATE FORWARD PROXY MODE CERTIFICATE

Create the key and request file:

openssl req -new -newkey rsa:2048 -nodes -keyout WSA-FwdPr.encrypted.key -out WSA-FwdPr.req

Fill in the details it asks for.

Submit the request to CertSrv (check your Web Server template is present and its alias is WebServer):

certreq -submit -attrib "CertificateTemplate:WebServer" WSA-FwdPr.req

Log in to the Certificate Authority and approve the certificate from the Pending Requests.

Navigate to Issued Certificates and find your new certificate (check the template is showing as "Web Server (WebServer)").

Open the certificate, go to the Details tab and click on "Copy to File".

Export the key as Base-64 encoded X.509 (.CER) - save it to the same directory as your key and req file as WSA-FwdPr.cer.

Convert the key from encrypted format:

openssl rsa -in WSA-FwdPr.encrypted.key -out WSA-FwdPr.key

On the WSA GUI go to

Network > Authentication > Forward Proxy Mode Authentication Settings > Advanced

Certificate File: WSA-ROOT.cer

Key File: WSA-ROOT.key

Upload Files

Submit
Step 3 - GENERATE HTTPS MANAGEMENT CERTIFICATE

Create the key and request file:

openssl req -new -newkey rsa:2048 -nodes -keyout WSA-Mgmt.encrypted.key -out WSA-Mgmt.req

Fill in the details it asks for.

Submit the request to CertSrv (check your Web Server template is present and its alias is WebServer):

certreq -submit -attrib "CertificateTemplate:WebServer" WSA-Mgmt.req

Log in to the Certificate Authority and approve the certificate from the Pending Requests.

Navigate to Issued Certificates and find your new certificate (check the template is showing as "Web Server (WebServer)").

Open the certificate, go to the Details tab and click on "Copy to File".

Export the key as Base-64 encoded X.509 (.CER) - save it to the same directory as your key and req file as WSA-Mgmt.cer.

Convert the key from encrypted format:

openssl rsa -in WSA-Mgmt.encrypted.key -out WSA-Mgmt.key

Now log in to the console on the WSA appliance and type CERTCONFIG,

then SETUP

Open WSA-Mgmt.cer in a text editor and then paste in the contents WSA-Mgmt.cer to the console followed by a "." on the next line.

Open WSA-Mgmt.key in a text editor and then paste in the contents of WSA-Mgmt.key to the console followed by a "." on the next line.

If you wish you can add an intermediate (I did).

Type COMMIT to save.
I hope this is of some use to someone out there. Odds are that when I have to renew again next year I'll be hunting for my post.

This is some great information, but has anyone done this using a public CA, not a Microsoft CA server?

If so, can anyone suggest the best place to get this intermediate certificate that is signed by the CSR and Key generated for the WSA?
Cheers

Darren

I am trying to do the same thing and to date I have been unable to find a workable solution. I submit the CSR I create using OpenSSL to my public CA for signing and then it is rejected by the WSA. I need to find a workable solution for my environment. Pushing a certificate to over 100k workstations is not a good solution.
Thanks

Dominick

Any update on this topic?

In our case, web traffic managed by WSA covers employees and visitors. For employees, the self-signed certificate works fine and has been applied via GPO, distributing certificates to extensions under MSFT AD. However, visitors are receiving the "invalid certificate" message. Any tip on it?

We've been trying to generate a public SSL certificate using GoDaddy, with no success. However, we're still trying to find a solution so that visitors using company WebAccess can access HTTPS pages without receiving disturbing messages.

Any update? Any idea? Take care and thanks.

Erik Dahle
Level 1

Just one additional question, as 2048-bit certificates are now the default in 8.5.

If a user is accessing Facebook, the proxy will generate a cert for Facebook.

Will this cert be cached? For how long?