Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4360
Views
0
Helpful
4
Replies

Cisco WSA https Proxy Certificate Issue

Pradip Upreti
Level 1
Level 1

‎03-06-2017 10:33 PM

we recently installed Cisco WSA S380 in our environment. We enabled https proxy and generate CSR and send it to sign when we got the signed certificate and tried to upload we got error mentioning " Error — Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required". I have uploaded the root CA as well but didn't find any proper solution to solve this.

Looking for your help.

Thank you in advance.
Labels:
Preview file
35 KB
0 Helpful
4 Replies 4

kushsriva
Level 1
Level 1

‎03-07-2017 02:46 AM

Hi Pradip,

It seems you have used an incorrect template to generate the certificate.

On the CA, make sure you use the certificate template as a "subordinate CA" not the 'web server' template.

Regards,

Kush

0 Helpful

Pradip Upreti
Level 1
Level 1
In response to kushsriva

‎03-07-2017 08:30 PM

Hi Kush,

Thanks for the reply, I will contact my certificate provider for the same hope this will solve our issue.

Regards,

Pradip

0 Helpful

Tim Glen
Cisco Employee
Cisco Employee
In response to Pradip Upreti

‎03-09-2017 01:00 PM

I am unaware of any CAs (GlobalSign, Verisign, etc) that will issue the type of Certificate that you need. In order to do decryption you need a CA Cert or an Intermediate CA Cert. 


GlobalSign states this...

https://www.globalsign.com/en/certificate-authority-root-signing/

Trusted Root is a select service with strict requirements. Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic.

You may be better served by generating a Self Signed Cert on the WSA or generating an Intermediate Cert from your own CA if you have a PKI infrastructure setup. 

Hope this helps. 

Please rate helpful replies. :)  

0 Helpful

ZINSOU ADAM JOCELYN ADISSO
Level 1
Level 1

‎03-13-2017 03:22 AM

Hi Pradip,

Watch the video in the following link, there are some parameters (in blue color) you should take in consideration while signing the CSR by your CA.

https://supportforums.cisco.com/video/11933356/steps-enable-https-proxy-wsa-certificate-signing-request-csr-option

To request a certificate by using a PKCS #10 or PKCS #7 file

  1. Open a Web browser.

  2. Open https://servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages.

  3. Click Request a certificate, and then click Advanced certificate request.

  4. Click Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or Submit a renewal request by using a base-64-encoded PKCS #7 file.

  5. In Notepad, click File, click Open, select the PKCS #10 or PKCS #7 file, click Edit, click Select all, click Edit, and then click Copy. On the Web page, click in the Saved request box. Click Edit, and then click Paste to paste the contents of the certificate request into the box.

  6. Choose Subordinate CA as the certificate template you want to use.

  7. Click Submit.

Regards!

Jocelyn

0 Helpful
Customers Also Viewed These Support Documents