1011 Views · 2 Helpful · 4 Replies

Cisco WSA with Demo SSL cert on P1 (not Proxy TCP Port)

mstoffers
Level 1

Hi community,
I have configured Cisco WSA with P1 and M1 interfaces. WebUI is limited to M1 only and has its own SSL cert from our internal PKI. Proxy Port on P1 is 3128 and HTTPS proxy is also configured with a working CA SSL cert. So far so good. When I now try to connect to P1 on TCP port 443 instead of Proxy port 3128 I got a cert warning with a Cisco Demo certificate (see attached file). But I can't find this cert in any of the SSL configuration or Certificate Management. I also can't find any bindings for P1 TCP Port 443 in the setup.

Is there a way to change this cert to an own one from our PKI?

Thanks for help and have a nice weekend
Marco

1 Accepted Solution

Accepted Solutions

psayafan
Cisco Employee

Hi Marco,

The reason you are seeing the Demo certificate is the Credential Encryption option.
Port 443 in WSA is used for Credential Encryption.

User Guide for AsyncOS 14.0 for Cisco Web Security Appliances - GD (General Deployment) - Acquire End-User Credentials [Cisco Secure Web Appliance] - Cisco

Enabling credential encryption with a trusted certificate would stop it from serving the demo certificate.


4 Replies


amojarra
Cisco Employee

Hi @mstoffers 

In addition to @psayafan 's reply: 

Credential encryption is used to transmit credentials over HTTPS in encrypted form. This increases security of the basic authentication process.

SWA uses its own certificate and private key by default to create an HTTPS connection with the client for the purposes of secure authentication. Most browsers will warn users, however, that this certificate is not valid. To prevent users from seeing the invalid certificate message, you can upload a valid certificate and key pair that your organization uses.

Step 1 Choose Network > Authentication.
Step 2 Click Edit Global Settings.
Step 3 Check the Use Encrypted HTTPS Connection For Authentication check box in the Credential Encryption field.
Step 4 (Optional) Edit the default port number (443) in the HTTPS Redirect Port field for client HTTP connections during authentication.
Step 5 (Optional) Upload a certificate and key:
a) Expand the Advanced section.
b) Click Browse in the Certificate field and find the certificate file you wish to upload.
c) Click Browse in the Key field and find the private key file you wish to upload.
d) Click Upload Files.
Step 6 Submit and commit your changes.


Regards,

Amirhossein Mojarrad

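A client-side check for confirming the result of the steps above: it connects to the credential-encryption redirect port on P1, verifies the served chain against your internal PKI root, and reports whether the certificate is self-signed (what the built-in demo certificate looks like) or issued by your CA. This is an added example, not code from the thread or from Cisco; the host name, port and CA bundle path are assumed values.

```python
import socket
import ssl


def rdn_value(name, attr="commonName"):
    """Pull one attribute (default: CN) out of a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify(cert):
    """Summarise a getpeercert() dict: subject/issuer CN and whether it is self-signed.
    The appliance's default certificate is self-signed (subject == issuer); a certificate
    issued by the internal PKI carries the CA's name as issuer instead."""
    return {
        "subject_cn": rdn_value(cert.get("subject", ())),
        "issuer_cn": rdn_value(cert.get("issuer", ())),
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "not_after": cert.get("notAfter"),
    }


def probe(host, port, ca_bundle, timeout=5.0):
    """TLS-handshake with host:port (no HTTP request is sent), verifying the chain
    against ca_bundle only. Returns (True, summary) when the chain verifies against
    our PKI, or (False, reason) when it does not (e.g. the demo certificate)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False  # chain trust is the question here, not the CN match
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Assumed values: the P1 address, the HTTPS Redirect Port (443 by default from the
    # steps above) and a PEM bundle holding the internal PKI root certificate.
    ok, info = probe("wsa-p1.example.internal", 443, "/etc/ssl/internal-pki-root.pem")
    print("trusted by our PKI" if ok else "NOT trusted by our PKI", info)
```

Run it before and after uploading the certificate and key in Step 5: before, the verification fails because the default certificate is not issued by your CA; afterwards it should report the uploaded certificate with your CA as issuer.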

mstoffers
Level 1

Thanks to @amojarra and @psayafan, this is new for me so I will have a look at it on Monday.

Have a nice weekend and thanks for your quick reply
Marco

mstoffers
Level 1

Thanks to both of you. This fixed the problem. Have a nice day