cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4326
Views
0
Helpful
4
Replies

Cisco WSA https Proxy Certificate Issue

Pradip Upreti
Level 1
Level 1

we recently installed Cisco WSA S380 in our environment. We enabled https proxy and generate CSR and send it to sign when we got the signed certificate and tried to upload we got error mentioning " Error — Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required". I have uploaded the root CA as well but didn't find any proper solution to solve this.

Looking for your help.

Thank you in advance.

4 Replies 4

kushsriva
Level 1
Level 1

Hi Pradip,

It seems you have used an incorrect template to generate the certificate.

On the CA, make sure you use the certificate template as a "subordinate CA" not the 'web server' template.

Regards,

Kush

Hi Kush,

Thanks for the reply, I will contact my certificate provider for the same hope this will solve our issue.

Regards,

Pradip

I am unaware of any CAs (GlobalSign, Verisign, etc) that will issue the type of Certificate that you need. In order to do decryption you need a CA Cert or an Intermediate CA Cert. 


GlobalSign states this...

https://www.globalsign.com/en/certificate-authority-root-signing/

Trusted Root is a select service with strict requirements. Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic.

You may be better served by generating a Self Signed Cert on the WSA or generating an Intermediate Cert from your own CA if you have a PKI infrastructure setup. 

Hope this helps. 

Please rate helpful replies. :)  

Hi Pradip,

Watch the video in the following link, there are some parameters (in blue color) you should take in consideration while signing the CSR by your CA.

https://supportforums.cisco.com/video/11933356/steps-enable-https-proxy-wsa-certificate-signing-request-csr-option

To request a certificate by using a PKCS #10 or PKCS #7 file

  1. Open a Web browser.

  2. Open https://servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages.

  3. Click Request a certificate, and then click Advanced certificate request.

  4. Click Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or Submit a renewal request by using a base-64-encoded PKCS #7 file.

  5. In Notepad, click File, click Open, select the PKCS #10 or PKCS #7 file, click Edit, click Select all, click Edit, and then click Copy. On the Web page, click in the Saved request box. Click Edit, and then click Paste to paste the contents of the certificate request into the box.

  6. Choose Subordinate CA as the certificate template you want to use.

  7. Click Submit.

Regards!

Jocelyn