03-02-2018 09:36 AM - edited 03-08-2019 07:43 PM
I'm troubleshooting a WSA certificate issue.
Local users access web provided resources located at HQ.
This traffic traverses a WSA.
The local user browser sessions report an insecure connection when accessing the HQ site.
This connection should be secure. How can this be done?
I understand that HQ's Root Cert should be installed on the WSA, but is it installed under the HTTPS Proxy section(where a Key would also be needed), or Network/certificate management /manage trusted root certificates? What's the difference between the two?
I don't understand the certificate arrangement from the WSA's perspective well enough. Thanks for helping.
03-05-2018 12:45 PM
Do this instead... from your workstation, go to the WSA and put your machine's current IP in bypass, under WebSecurityManager/BypassSettings. Submit/Commit.
Now go to the sites you're getting the error from using IE. (If you're on Win10, you have to "Run as Administrator" for the following to work.)
You shouldn't get a cert error....
Click on the lock in the address bar, and select View Certificates. Click on the "Certification Path" tab, select the top/root cert, click on View Certificate button.
Go to the Details tab, and click "Copy to file..."
Save it as a Base-64 .cer file and upload that to your WSA under Network/Certificate Management.
Submit/Commit
Test it on another machine...
You may want to get any intermediate certificates if they're using them (all from the Certification Path tab)
03-02-2018 09:56 AM
03-02-2018 10:22 AM
03-03-2018 06:09 AM
03-03-2018 02:31 PM
No, you generate that cert from the CA you have installed.
Let's take a couple of steps back to make sure I don't have you chasing stuff you already have working.
It sounds like you have HTTPS proxy on and configured... When your users go to an SSL site, google for example, do they get a cert error? or is it just the HQ sites that you're having the bad cert issue with?
03-05-2018 04:54 AM
You are correct.
There is an HTTPS proxy configured.
Users do not get cert errors when browsing to SSL sites, only the HQ sites.
A security exception is required to access the HQ sites. The connection is also reported as not secure.
HQ has made available certs in files with .crt extensions. I've uploaded these to the certificate management section to no avail. HQ's intent for the files is for users to apply them to their browsers. It's more efficient for us to apply them to the WSA, through which all web-based HQ destined traffic must traverse.
Is the .crt the right file extension? Should it be .pem?
Thank you
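The question just above (is .crt the right extension, or should it be .pem?) and the export procedure in the accepted answer (save the root and any intermediates as Base-64 .cer and upload them under Network/Certificate Management) both come down to the same point: the file extension is irrelevant, what matters is whether the bytes are Base-64 PEM armour or raw DER. The following script is an added example, not code from the thread or from Cisco, that classifies a certificate file by content, converts DER to PEM, and splits a multi-certificate bundle so each root or intermediate can be checked before it is uploaded. It uses only the Python standard library; the sample bytes are a constructed minimal DER SEQUENCE standing in for a real certificate, not an actual X.509 object.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# One armoured block; re.S lets the body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in: a DER SEQUENCE containing INTEGER 5.
# It is NOT a real certificate; it only exercises the encoding logic.
SAMPLE_DER = bytes.fromhex("3003020105")


def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes by content, ignoring the file extension.

    PEM is ASCII text with BEGIN/END armour. DER is raw ASN.1, and an
    X.509 certificate in DER always starts with the SEQUENCE tag 0x30.
    """
    if PEM_BEGIN.encode("ascii") in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in Base-64 PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string back to DER."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def split_pem_bundle(text: str) -> list:
    """Return each certificate in a bundle as its own PEM string.

    Upload-ready bundles from an HQ CA often carry the root plus one or
    more intermediates; checking them individually avoids a silent miss.
    """
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(text)]


def normalize_to_pem(data: bytes) -> list:
    """Turn any .crt/.cer/.pem file content into a list of PEM certificates."""
    kind = detect_encoding(data)
    if kind == "DER":
        return [der_to_pem(data)]
    if kind == "PEM":
        return split_pem_bundle(data.decode("ascii"))
    raise ValueError("file is neither PEM nor DER; check the export format")


if __name__ == "__main__":
    # Demonstrate with the constructed sample instead of reading a file.
    for blob in (SAMPLE_DER, der_to_pem(SAMPLE_DER).encode("ascii") * 2):
        certs = normalize_to_pem(blob)
        print(f"{detect_encoding(blob)} input -> {len(certs)} PEM certificate(s)")
```

To use it on a real export, read the file in binary mode and pass the bytes to `normalize_to_pem`; a DER file comes back as one PEM block, a PEM bundle as one block per certificate. If exporting through IE is inconvenient, `openssl s_client -connect host:443 -showcerts` prints the chain the server actually sends, which usually contains the leaf and intermediates but not the root, so the root still has to come from the CA or from the browser's Certification Path tab as the answer above describes.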
03-06-2018 05:07 AM
Excellent. Thank you Ken.
I will store this procedure for future reference.
It turns out I had the certificate on file already. After you helped me understand where it should be loaded, I did it and didn't see results.
I hopped on a call with Cisco support, and they advised I console into the filters and run the following hidden commands: diagnostic > PROXY > kick.
This worked. Connections to HQ are now secure.
Thank you!
03-06-2018 05:30 AM
03-06-2018 06:50 AM
Duly noted! Thank you very much!