01-16-2017 06:55 AM
Certificates, the bane of an IT administrator's existence. There are many of them, they expire at different times and need to be renewed. With as many as there are to manage, usually you don't find out about an expired certificate until the moment it expires. You're on the hook to figure out how to renew it as quickly as possible. Here is my problem.
We have an internal Windows CA and our kiosks use WCCP redirection for HTTPS, and when I look at the certificate structure of our website I see:
Domain Root CA (doesn't expire until 2019)
\ Issuing CA (Expired 1/15/2017)
\ Web site certificate (doesn't expire until 2018).
Since the nagging Internet Explorer engine renders the site in our kiosk software, users are relentlessly nagged about proceeding or not because that middle guy, "Issuing CA", is expired and not trusted.
I look in our WSA and I do see under HTTPS proxy settings the common name "Issuing CA" and expiration date "Jan 15 17:10:06 2017 GMT". How do I renew this? I forget how I even did this in the first place. Why isn't there just a simple renew button on there? Why are certificates so dang hard?
Please help!
01-16-2017 07:29 AM
You need to go to your intermediate CA and renew its "base" cert. You may be able to just load the "Certificates" MMC, click on the cert and hit renew.
And then export that cert and put it on your wsa...
If you're digging in you probably ought to make sure you're using SHA2
01-16-2017 08:42 AM
We don't have an intermediate CA, unless the WSA S170 is acting as it, and if it is, there is no MMC or way to renew it there. I can download the cert, but it is a PEM file that ends up opening in Notepad++.
Our hierarchy is we have a Windows 2008 R2 server that is our internal certification authority. Our root cert on here does not expire until 2019. I could try to import this "Issuing CA" pem file to my local workstation if I can get it converted to a format that the local certificates can read, and then see if I can right click and renew it.... But in the WSA there is an option to upload certificate and key as two separate files. I can't just upload our root cert because there is no key for that and the system balks at trying to upload it when I have no key file chosen.
Why can't they just have a renew button in the WSA S170 web UI? Windows dominates the business market; why can't they create a workflow for using Windows-based CAs on your domain right there in the UI? I'm on 9.1.2 010, so maybe there is an update in the future.
For now there will have to be no HTTPS filtering. Firewall command entered:
no access-list proxylist-https extended permit tcp object-group KIOSK any eq https
01-18-2017 01:59 PM
OK, I finally found a straightforward, easy-to-follow HOW TO on this and I am working again. I'm not sure why I had "Issuing CA" in between our Root CA and the website cert, but now, doing these steps, it just simply shows our Root CA at the top and the website CA at the bottom in the certificate details in IE.
I followed the steps here to get a .cer and .key file to import into the WSA HTTPS proxy page.
http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118339-technote-wsa-00.html
Exporting the Certificate and private key from MS CA server
1. Go to 'Start' -> 'Run' -> MMC
Extracting the Public key (certificate)
You will need access to a computer running OpenSSL. Copy your PFX file over to this computer and run the following command:
Note: These instructions have been verified using OpenSSL on Linux. Some syntax may vary on the Win32 version.
Extracting and decrypting the Private key
The WSA requires that the private key be unencrypted. Use the following OpenSSL commands:
The public and decrypted private keys can be installed on the WSA from 'Security Services' -> 'HTTPS Proxy'
01-18-2017 02:06 PM
You had an issuing CA there because it's "best practice" to NOT use your root for this. You may not have ever actually built one, just issued a cert for one, and called it done.
Typically you build the root, issue the issuing CAs their certs and then shut the root down so it can't be compromised.
Glad you're up and going...
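The two things discussed above, the PFX-to-PEM conversion for the HTTPS proxy page and the root/issuing-CA hierarchy, as an added example that is not part of the thread, the Cisco technote, or any WSA code. The technote's actual OpenSSL commands are not reproduced on this page, so the pkcs12/rsa invocations below are the standard ones for that job, not quotes of the technote. The script builds a throwaway root and issuing CA in a temp directory (standing in for the Windows CA), packages the issuing CA as a password-protected PFX the way an MMC export would, extracts the certificate and the decrypted private key the WSA wants, and runs the checks a practitioner would do before uploading: key actually unencrypted, key matches the cert, cert is CA:TRUE, signed with SHA-2, chains to the root, and not about to expire. All common names, file names and passwords are assumptions; it needs only a POSIX shell and OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread, the Cisco technote or the WSA itself.
# Builds a throwaway two-tier CA (root + issuing CA) in a temp directory,
# packages the issuing CA as a password-protected PFX like the MMC export
# described in the technote, extracts the certificate and the DEcrypted key
# that Security Services -> HTTPS Proxy asks for, and checks them before
# upload. Every CN, file name and password here is an assumption for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="ExportPassword1"      # assumed PFX export password
TMP_PASS="tmppass"              # throwaway passphrase for the intermediate key step

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
# CA extensions: CA:TRUE is what lets the WSA mint per-site certs under this cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"

# Root CA: self-signed, SHA-256. In practice it signs the issuing CA and then goes offline.
build_root() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Domain Root CA" -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 -days 730 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Issuing CA named "$1", signed by the root for "$2" days. A short lifetime reproduces
# the thread's situation: the middle cert expires while the root is still valid.
build_issuing() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Issuing CA" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days "$2" -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Stand-in for the MMC "export with private key" step: cert + key + chain in one PFX.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -certfile "$WORK/root.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/$1.pfx"
}

# The OpenSSL half of the technote: public cert out, key out (still encrypted),
# then decrypt the key, because the WSA will not accept an encrypted one.
extract_for_wsa() {
    openssl pkcs12 -in "$WORK/$1.pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
        | openssl x509 -out "$WORK/$1.pub.pem"      # re-encode to drop the "Bag Attributes" header
    openssl pkcs12 -in "$WORK/$1.pfx" -nocerts -passin "pass:$PFX_PASS" \
        -passout "pass:$TMP_PASS" -out "$WORK/$1.enc.key" 2>/dev/null
    openssl rsa -in "$WORK/$1.enc.key" -passin "pass:$TMP_PASS" -out "$WORK/$1.dec.key" 2>/dev/null
}

# Pre-upload checks; each returns 0 on pass.
key_is_unencrypted() { grep -Eq 'BEGIN (RSA )?PRIVATE KEY' "$1" && ! grep -q ENCRYPTED "$1"; }
key_matches_cert() {                       # $1 cert, $2 key: same public key?
    openssl x509 -in "$1" -noout -pubkey > "$WORK/cert.pub"
    openssl pkey -in "$2" -pubout > "$WORK/key.pub" 2>/dev/null
    cmp -s "$WORK/cert.pub" "$WORK/key.pub"
}
is_ca_cert() { openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'; }
signed_with_sha2() {                       # the SHA-2 point raised in the thread
    openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1 | grep -Eq 'sha(256|384|512)'
}
chain_verifies() { openssl verify -CAfile "$WORK/root.crt" "$1" > /dev/null 2>&1; }
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" > /dev/null; }

check_wsa_material() {                     # $1 cert, $2 key, $3 minimum remaining days
    key_is_unencrypted "$2" && key_matches_cert "$1" "$2" && is_ca_cert "$1" \
        && signed_with_sha2 "$1" && chain_verifies "$1" && valid_for_days "$1" "$3"
}

build_root
build_issuing issuing 365
export_pfx issuing
extract_for_wsa issuing
if check_wsa_material "$WORK/issuing.pub.pem" "$WORK/issuing.dec.key" 30; then
    echo "OK: issuing.pub.pem + issuing.dec.key are ready for the HTTPS Proxy page"
else
    echo "NOT OK: do not upload; rerun the individual checks to see which one failed"
fi
# The monitoring point from the first post: a 7-day issuing cert trips the 30-day check.
build_issuing short 7
valid_for_days "$WORK/short.crt" 30 || echo "WARNING: short.crt expires within 30 days; renew it now"
```

Run `valid_for_days` against the cert you actually uploaded (downloaded back from the HTTPS Proxy page) on a schedule; that is the check that would have caught the expired "Issuing CA" before the kiosks started complaining.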