04-28-2013 09:39 AM
Hello,
I was recently provided with the following information below.
"The feature request (ID) referenced is for the WSA generated certificates. Currently the certs generated are 1024 bits and the ability to generate 2048 bit certs has been requested.
If a 2048 bit root cert from a Local CA is created, it can be uploaded along with the private key via the ‘Use Uploaded Certificate and Key’ option.”
So we DO support installing 2048 bit certificates generated by another source.
Note: It has been reported that 2048 bit certs can degrade the WSA performance by up to 75% in 7.5."
Looking for anyone who has successfully done this and to please provide me with pointers. If the WSA does not generate the CSR, how can I bind the certificate afterward?
Thanks in advance!
Paul
04-29-2013 08:06 AM
Paul,
Get OpenSSL from SourceForge.
This will generate a new key and the CSR (you'll be prompted for the various fields...)
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
(or use the command line generated with this tool https://www.ssl247.com/support/tools/openssl-csr-wizard)
That will create 2 files, the CSR file and the KEY.
Send the CSR in, get your cert...
You'll need to decrypt the key before you can upload it to the WSA.
openssl rsa -in privatekey-encrypted.key -out private.key
Upload the cert and the key, and you're set...
You could also use IIS to generate the CSR, import the cert as you normally would, then export the cert as a .pfx file. Then you'd have to use OpenSSL to pull it apart:
openssl pkcs12 -in yourdomain.pfx -nocerts -out privatekey-encrypted.key
You will be prompted for "Enter Import Password". This is the password created in step 11 above.
You will also be prompted for "Enter PEM pass phrase". This is the encryption password (used below).
This will create the encrypted private key file named "privatekey-encrypted.key"
To create a decrypted version of this key, use the following command:
openssl rsa -in privatekey-encrypted.key -out private.key
04-29-2013 09:23 AM
Ken,
Thank you for the detailed explanation. I will test this today or tomorrow.
Appreciate your timely reply!
Paul
05-13-2013 06:45 AM
Hi Ken
Just to let you know I have not yet tried this solution.
Should have time this week.
Thanks!
08-20-2013 04:22 AM
Hi Ken,
I've got the same issue, but when I used the openssl command provided, I get this error when trying to upload the key and certificate:
Error — Certificate upload failed. The certificate file appears to be a server certificate. A root signing certificate is required.
Thanks
04-16-2014 02:23 AM
After you generated the CSR and private key, where did you sign your CSR, and what type of certificate is it?
WSA only supports a root signing certificate, which is something like a subordinate certificate authority or trusted certificate authority, not a server certificate, which refers to a web server certificate.
As far as I know, public certificate authorities do not sign us as a signing certificate or root certificate for security reasons.
This is what I am struggling with too.
03-31-2014 01:27 AM
Hi Paul
Little bit late for a response, but you could try the following commands:
Generate the key:
openssl genrsa -des3 -out cakey.pem 2048
Generate the certificate (Valid for 10 Years):
openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650
Remove the passphrase from the key:
openssl rsa -in cakey.pem -out cakey_nopass.pem
Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.
Still, be aware of the performance impact caused by a 2048-bit certificate.
BR,
Artur
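The rejection quoted earlier ("The certificate file appears to be a server certificate. A root signing certificate is required.") comes down to X.509 extensions: the WSA wants a cert with basicConstraints CA:TRUE and a keyUsage that permits keyCertSign, which a web-server certificate never carries. The script below is an added example, not code from the thread or from Cisco; it builds a 2048-bit signing CA with those extensions made explicit (the same thing Artur's `-extensions v3_ca` does via openssl.cnf), builds a server cert for contrast, and gives two pre-upload checks: does the PEM file actually qualify as a signing cert, and does the unencrypted key belong to it. File names and subject names are assumptions; it needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread): build a 2048-bit signing CA the way the
# WSA expects, then check any PEM cert before uploading it as the
# "Root Certificate for Signing". Paths and subject names are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Unencrypted 2048-bit key plus self-signed CA cert in one step. -addext makes
# the CA extensions explicit instead of relying on the v3_ca section of the
# distro's openssl.cnf.
make_signing_ca() {        # $1 = output basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# For contrast: a self-signed *server* certificate (what a WebServer template
# or a public CA issues), which the WSA rejects as a signing certificate.
make_server_cert() {       # $1 = output basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" \
        -addext "basicConstraints=critical,CA:FALSE" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# Returns 0 only if the cert can sign other certs: CA:TRUE, and either no
# keyUsage extension at all (unrestricted) or one that includes keyCertSign,
# which "openssl x509 -text" prints as "Certificate Sign".
is_signing_cert() {        # $1 = PEM certificate path
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Returns 0 if the key is unencrypted (the upload needs a plain key, which is
# why the thread strips the passphrase first) and its public half matches the
# certificate's public key.
key_matches_cert() {       # $1 = cert path, $2 = key path
    grep -q 'ENCRYPTED' "$2" && return 1
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Run the checks against the .cer/.key pair you are about to upload; a leaf certificate from a WebServer template or a public CA fails `is_signing_cert` for exactly the reason the WSA gives.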
09-09-2014 07:27 AM
I thought I'd just add my solution to this as I've just gone through the pain of creating this key and the other two (Management Interface and Forward Proxy Mode).
Note: I have created this to work with an internal Microsoft Certificate Server on our domain. The certificates were created using OpenSSL and CertSrv.
Credit to Jeff who posted on Byte of IT where I took some information from http://byteof.it/?p=315
Step 1 - GENERATE ROOT CERTIFICATE
Create the key and request file:
openssl req -new -newkey rsa:2048 -nodes -keyout WSA-ROOT.encrypted.key -out WSA-ROOT.req
Submit the request to CertSrv (check your Subordinate CA Template is present and its alias is SubCA)
certreq -submit -attrib "CertificateTemplate:SubCA" WSA-ROOT.req
Login to the Certificate Authority and approve the certificate from the Pending Requests.
Navigate to Issued Certificates and find your new certificate (check the template is showing as "Subordinate Certification Authority (SubCA)").
Open the certificate, go to the Details tab and click on "Copy to File".
Export the key as Base-64 encoded X.509 (.CER) - Save to same directory as your key and req file as WSA-ROOT.cer
Convert the key from encrypted format
openssl rsa -in WSA-ROOT.encrypted.key -out WSA-ROOT.key
On the WSA GUI go to
Security Services > HTTPS Proxy > HTTPS Proxy Settings > Edit Settings > Root Certificate for Signing
Certificate File: WSA-ROOT.cer
Key File: WSA-ROOT.key
Upload Files
Submit
You should now have a working Root Certificate.
Step 2 - GENERATE FORWARD PROXY MODE CERTIFICATE
Create the key and request file:
openssl req -new -newkey rsa:2048 -nodes -keyout WSA-FwdPr.encrypted.key -out WSA-FwdPr.req
Fill in the details it asks for.
Submit the request to CertSrv (check your Web Server template is present and its alias is WebServer)
certreq -submit -attrib "CertificateTemplate:WebServer" WSA-FwdPr.req
Login to the Certificate Authority and approve the certificate from the Pending Requests.
Navigate to Issued Certificates and find your new certificate (check the template is showing as "Web Server (WebServer)").
Open the certificate, go to the Details tab and click on "Copy to File".
Export the key as Base-64 encoded X.509 (.CER) - Save to same directory as your key and req file as WSA-FwdPr.cer
Convert the key from encrypted format
openssl rsa -in WSA-FwdPr.encrypted.key -out WSA-FwdPr.key
On the WSA GUI go to
Network > Authentication > Forward Proxy Mode Authentication Settings > Advanced
Certificate File: WSA-ROOT.cer
Key File: WSA-ROOT.key
Upload Files
Submit
Step 3 - GENERATE HTTPS MANAGEMENT CERTIFICATE
Create the key and request file:
openssl req -new -newkey rsa:2048 -nodes -keyout WSA-Mgmt.encrypted.key -out WSA-Mgmt.req
Fill in the details it asks for.
Submit the request to CertSrv (check your Web Server template is present and its alias is WebServer)
certreq -submit -attrib "CertificateTemplate:WebServer" WSA-Mgmt.req
Login to the Certificate Authority and approve the certificate from the Pending Requests.
Navigate to Issued Certificates and find your new certificate (check the template is showing as "Web Server (WebServer)").
Open the certificate, go to the Details tab and click on "Copy to File".
Export the key as Base-64 encoded X.509 (.CER) - Save to same directory as your key and req file as WSA-Mgmt.cer
Convert the key from encrypted format
openssl rsa -in WSA-Mgmt.encrypted.key -out WSA-Mgmt.key
Now login to the console on the WSA Appliance and type CERTCONFIG
then SETUP
Open WSA-Mgmt.cer in a text editor and paste the contents of WSA-Mgmt.cer into the console, followed by a "." on the next line.
Open WSA-Mgmt.key in a text editor and paste the contents of WSA-Mgmt.key into the console, followed by a "." on the next line.
If you wish you can add an intermediate (I did).
Type COMMIT to save.
I hope this is of some use to someone out there. Odds are that when I have to renew again next year I'll be hunting for my post.
12-03-2014 04:17 PM
This is some great information, but has anyone done this using a public CA, not a Microsoft CA server?
If so, can anyone suggest the best place to get this intermediate certificate that is signed by the CSR and Key generated for the WSA?
Cheers
Darren
05-11-2015 08:58 AM
I am trying to do the same thing and to date I have been unable to find a workable solution. I submit the CSR I create using OpenSSL to my public CA for signing and then it is rejected by the WSA. I need to find a workable solution for my environment. Pushing a certificate to over 100k workstations is not a good solution.
Thanks
Dominick
04-26-2018 08:11 AM
Any Update on this Topic?
In our case, web traffic managed by WSA covers employees and visitors. For employees, the self-signed certificate works fine and has been applied via GPO, distributing certificates to extensions under MSFT AD. However, visitors are receiving the "invalid certificate" message. Any tip on it?
We've been trying to generate a public SSL certificate using GoDaddy, with no success. However, we're still trying to find a solution so that visitors using company WebAccess can access HTTPS pages without receiving disturbing messages.
Any update? Any idea? Take care and thanks.
02-16-2015 01:47 AM
Just one additional question, as 2048-bit certificates are now the default in 8.5.
If user is accessing facebook, the proxy will generate a cert for facebook.
Will this cert be cached? For how long?