01-13-2012 07:47 AM
Hello Community,
We are currently using IronPort S370 as our web security. The certificate we are using is just the one that was generated by IronPort in the format of .pem. The certificate is already installed on 2000+ PCs. We are currently testing out android devices on the network. My phone (Droid X w/ 2.3.3) works fine with the certificate. However, when trying out the Xoom tablet with OS 3.2.4, it will only accept a PKCS#12 certificate. If we would create a new certificate with OpenSSL and load it into IronPort, how bad will it mess things up? We are expecting that none of the machines will pass through till they have the new certificate. Is there any way to do a dual certificate and migrate people over slowly to the PKCS#12 certificate? Just looking for a possible solution to this mess. Any help would be appreciated.
Thank You,
Tom
01-13-2012 08:04 AM
Convert the PEM to a PKCS#12, and use the same cert for the Xooms.
Taken from http://www.sslshopper.com/article-most-common-openssl-commands.html
If you've already deployed the cert, it would be CRAZY to redeploy a new cert... you'd have to do it all over again anyway...
01-13-2012 10:29 AM
Ken,
Thanks for the quick response.
By all the reading I've been doing and your post, when the certificate was generated on IronPort, it created the certificate and a key. However, you can only download the certificate to distribute to the computers. The downloaded certificate is only in a pem format, however I can convert to all types of other certificate formats without the key. For the Xoom, it requires the PKCS#12 format which includes the key also. Looking at everything, once I can find the key IronPort made, I can create the PKCS#12 certificate using a machine with OpenSSL. Is there a location this key can be found or a way to export it? I've been unable to find how to do that through the Manual. Searching the web more to see if I might be able to find a way.
Thanks,
Tom
01-13-2012 12:55 PM
Need more coffee... Sorry, I spaced that the key you're using is the one generated by the IronPort, so you won't have access to the private key, and I couldn't find any way to get to it either.
And as far as I can tell, you can't use multiple certs at the same time.
TAC may be able to help...
01-13-2012 01:00 PM
You shouldn't be including the private key to the end user devices as this would compromise the integrity of your certificate. They should only need the PUBLIC key to be able to trust that certification authority. I did see your issue in Windows of not being able to export as a PKCS#12 without having the private key. I did find this article:
For all other certificates including root certificates:
Export as "Base-64 encoded X.509 (.CER)" certificate. Again the Xoom will not pick this up, so rename *.cer to *.crt
Now copy the *.p12 and *.crt files to the root sdcard folder or /mnt/sdcard/ folder (or using Windows under \Device Storage\)
Now disconnect the cable (must be done)
Now go to Settings->Location & Security->Install from USB storage (under Credential Storage)
Select each one, one by one and they will disappear from the sdcard/ as they are installed.
I tried renaming them using a file explorer as well as moving them using the file explorer and those did not get recognized by the Xoom. I installed a self-signed root certificate without a problem.
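As an added example (not part of any post above), the certificate-only export described in the last reply can be scripted with OpenSSL so that a file containing a private key is never the one copied to devices. The function names and file names are hypothetical, and the sample CA is a constructed throwaway that stands in for the certificate downloaded from the appliance.

```shell
#!/bin/sh
# Added example: prepare a proxy CA certificate for device distribution.
# All file and function names are hypothetical.

# Succeeds (exit 0) if the PEM file carries any private key block
# (PKCS#8, encrypted PKCS#8, or traditional RSA/EC headers).
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Write a certificate-only Base-64 X.509 copy of $1 to $2 (.crt for the tablet).
export_public_crt() {
    src=$1
    dst=$2
    if has_private_key "$src"; then
        echo "refusing: $src contains a private key" >&2
        return 1
    fi
    # 'openssl x509' re-encodes the certificate only; no key material is written
    openssl x509 -in "$src" -outform PEM -out "$dst" || return 1
}

# SHA-256 fingerprint, to compare the exported file against the original
# before trusting the copy that reaches the device.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample: throwaway self-signed CA written to directory $1
# as ca.pem (certificate) and ca.key (private key).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Proxy CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_sample_ca "$work"
export_public_crt "$work/ca.pem" "$work/proxy-ca.crt"
echo "SHA-256 of exported certificate: $(fingerprint "$work/proxy-ca.crt")"
```

The exported `.crt` has the same fingerprint as the original PEM, so clients that already trust the existing certificate are unaffected.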