How do I renew an expired "Issuing CA" cert on S170 WSA for https decryption?

keithsauer507
Level 5

Certificates, the bane of an IT administrator's existence.  There are many of them, they expire at different times and need to be renewed.  With as many as there are to manage usually you don't find out about an expired certificate until the moment it expires. You're on the hook to figure out how to renew it as quickly as possible.  Here is my problem.

 

We have an Internal Windows CA and our Kiosks use wccp redirection for HTTPS and when I look at the certificate structure of our website I see:

Domain Root CA (doesn't expire until 2019)

   \ Issuing CA (Expired 1/15/2017)

     \ Web site certificate (doesn't expire until 2018).

 

Since the nagging Internet Explorer engine renders the site in our kiosk software, users are relentlessly nagged about proceeding or not because that middle guy, "Issuing CA" is expired and not trusted.

 

I look in our WSA and I do see under HTTPS proxy settings the common name "Issuing CA" and expiration date "Jan 15 17:10:06 2017 GMT".  How do I renew this?  I forget how I even did this in the first place.  Why isn't there just a simple renew button on there?  Why are certificates so dang hard?

 

Please help!

4 Replies

You need to go to your intermediate CA, and renew its "base" cert.  You may be able to just load the "Certificates" MMC and click on the cert and hit renew.

And then export that cert and put it on your wsa...

If you're digging in you probably ought to make sure you're using SHA2

We don't have an intermediate CA, unless the WSA S170 is acting as it, and if it is there is no mmc or way to renew it there.  I can download the cert but it is a pem file that ends up opening in notepad++.  

Our hierarchy is we have a Windows 2008 R2 server that is our internal certification authority.  Our root cert on here does not expire until 2019.  I could try to import this "Issuing CA" pem file to my local workstation if I can get it converted to a format that the local certificates can read, and then see if I can right click and renew it....  But in the WSA there is an option to upload certificate and key as two separate files.  I can't just upload our root cert because there is no key for that and the system balks at trying to upload it when I have no key file chosen.

Why can't they just have a renew button in the WSA S170 web UI?  Windows dominates the business market, why can't they create a workflow for using Windows-based CAs on your domain right there in the UI?  I'm on 9.1.2 010 so maybe there is an update in the future.

For now there will have to be no HTTPS filtering.  Firewall command entered:

no access-list proxylist-https extended permit tcp object-group KIOSK any eq https 

OK I finally found a straightforward, easy to follow HOW TO on this and I am working again.  I'm not sure why I had "Issuing CA" in between our Root CA and the website cert, but now doing these steps it just simply shows our Root CA at the top and the website CA at the bottom in the certificate details in IE.

I followed the steps here to get a .cer and .key file to import into the WSA HTTPS proxy page.

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118339-technote-wsa-00.html

 Exporting the Certificate and private key from MS CA server

1. Go to 'Start' -> 'Run' -> MMC

2. Click on 'File' -> 'Add / Remove Snap-in'

3. Click the 'Add...' button

4. Select 'Certificates' then click 'Add'

5. Select 'Computer Account' -> 'Next' -> 'Local Computer' -> 'Finish'

6. click 'Close' -> 'OK'

The MMC is now loaded with the Certificates snap-in.

7. Expand Certificates -> and click on 'Personal' -> 'Certificates'

8. Right click the appropriate CA cert and choose 'All Tasks' -> 'Export' 

The Certificate Export Wizard will launch

9. Click 'Next' -> Select 'Yes, Export the private key' -> 'Next'

10. Uncheck all of the options here. PKCS 12 should be the only option available. Click 'Next'

11. Give the private key a password of your choice

12. Give a filename to save as and click 'Next', then 'Finish'

You now have your CA signing certificate and root exported as a PKCS 12 (PFX) file.

 Extracting the Public key (certificate)

You will need access to a computer running OpenSSL. Copy your PFX file over to this computer and run the following command:

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out certificate.cer

This creates the public key file named "certificate.cer"

Note: These instructions have been verified using OpenSSL on Linux. Some syntax may vary on the Win32 version.

 Extracting and decrypting the Private key

The WSA requires that the private key be unencrypted. Use the following OpenSSL commands:

openssl pkcs12 -in <filename.pfx> -nocerts -out privatekey-encrypted.key 

You will be prompted for "Enter Import Password". This is the password created in step 11 above.
You will also be prompted for "Enter PEM pass phrase". This is the encryption password (used below).

This will create the encrypted private key file named "privatekey-encrypted.key"

To create a decrypted version of this key, use the following command:

openssl rsa -in privatekey-encrypted.key -out private.key


The public and decrypted private keys can be installed on the WSA from 'Security Services' -> 'HTTPS Proxy'
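As an added example (not part of this thread or of the Cisco technote it quotes), the following POSIX shell script reproduces the three OpenSSL steps above against a constructed, throwaway PFX and then runs the checks worth doing before uploading anything to the WSA HTTPS proxy page: that the extracted key really is unencrypted (the WSA rejects a passphrase-protected key), that the key belongs to the certificate, and that the certificate is a CA certificate that is not about to expire, which is the situation that started this thread. It assumes the openssl CLI (1.1.1 or later, for -addext) is on the path; the file names, subject CN and passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Reproduces the
# PFX -> certificate.cer + private.key extraction from the HOW TO, then
# verifies the result before it goes anywhere near the WSA.
# Assumes the openssl CLI is installed. All names and passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed input: a self-signed "Issuing CA" packed into a PFX the way the
# MMC export wizard would (cert + private key, protected by the step-11 password).
make_sample_pfx() {
  pfx_pass="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
    -passout "pass:$pfx_pass" -out "$WORK/sample.pfx"
  echo "$WORK/sample.pfx"
}

# The technote's three steps: public cert, encrypted key, decrypted key.
# $1 = PFX path, $2 = PFX import password, $3 = temporary PEM pass phrase.
extract_from_pfx() {
  pfx="$1"; pfx_pass="$2"; pem_pass="$3"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys \
    -passin "pass:$pfx_pass" -out "$WORK/certificate.cer"
  openssl pkcs12 -in "$pfx" -nocerts \
    -passin "pass:$pfx_pass" -passout "pass:$pem_pass" \
    -out "$WORK/privatekey-encrypted.key"
  # The WSA requires the key without a pass phrase.
  openssl rsa -in "$WORK/privatekey-encrypted.key" \
    -passin "pass:$pem_pass" -out "$WORK/private.key" 2>/dev/null
}

# Succeeds only if $1 is a PEM private key with no encryption header.
key_is_unencrypted() {
  grep -q 'PRIVATE KEY' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds only if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if $1 is a CA certificate still valid for $2 more seconds
# (default 0, i.e. "not expired right now").
cert_is_usable_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

demo() {
  pfx=$(make_sample_pfx 'export-pw')
  extract_from_pfx "$pfx" 'export-pw' 'pem-pw'
  key_is_unencrypted "$WORK/private.key"      && echo "key: unencrypted"
  cert_matches_key "$WORK/certificate.cer" "$WORK/private.key" && echo "key: matches cert"
  cert_is_usable_ca "$WORK/certificate.cer" 2592000 && echo "cert: CA, valid > 30 days"
  echo "files in $WORK"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the whole flow on the constructed CA; against a real export, call `extract_from_pfx issuing-ca.pfx '<import password>' '<temporary pass phrase>'` and then the three check functions on the output. The 30-day `-checkend` window is the check that would have flagged the expiring "Issuing CA" before the kiosks started complaining.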

You had an issuing CA there because it's "best practice" to NOT use your root for this. You may not have ever actually built one, just issued a cert for one, and called it done.

Typically you build the root, issue the issuing CAs their certs and then shut the root down so it can't be compromised.

Glad you're up and going...