Beginner

How to export private key, which HTTPS proxy uses for mimic certificates

Hello dear WSA security fans,

On my WSA (AsyncOS 10.5.1-296) I configured the HTTPS proxy using an Intermediate CA (uploaded private key & certificate), as you can see in the attached screenshot.

My question is: where can I export the RSA private key which WSA uses for its internal communication with clients, i.e. the private key whose public key is used in the dynamically generated mimic certificate?

Thanks.

4 REPLIES
Beginner

Re: How to export private key, which HTTPS proxy uses for mimic certificates

I tried XML config export, but the key from my question is not included there.

Cisco Employee

Re: How to export private key, which HTTPS proxy uses for mimic certificates

Hello,

WSA doesn't provide a mechanism to export private keys, as this would be a security hole if it were allowed. Also, in the case of other encryption mechanisms, keys are set up for each session, so exporting keys will not help.

Since you want keys from WSA, I am assuming you want to decrypt the HTTPS content again; what is your use case for doing that? In the next release of WSA, we are adding a Web Traffic Tap feature that will enable customers to configure the tap interface to copy the decrypted traffic out. This can be used for offline passive analysis of the traffic.

Let me know in case you need any further information.

Thanks

Sapan

Beginner

Re: How to export private key, which HTTPS proxy uses for mimic certificates

Sapan hi,

You're right, I'm looking at various scenarios for passive SSL/TLS decryption. This can be done if the SSL/TLS leg between client and proxy doesn't use PFS. Meanwhile, I got information that WSA can't set up ciphers independently for the client-proxy leg and the proxy-web_server leg, so this is another show stopper for me.

However, the new feature, traffic tap, will be the solution I'm looking for.

Thanks.
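The point made in the two replies above (the proxy's RSA private key only helps with passive decryption when the client-proxy leg negotiates static RSA key transport, and never when (EC)DHE or TLS 1.3 is used) can be checked mechanically on a captured handshake. The script below is an added example, not code from the thread or from Cisco WSA: it parses the negotiated cipher suite out of a TLS ServerHello record and classifies the key exchange. The cipher-suite table is a small subset of the IANA registry, and the ServerHello used for the demonstration is constructed inline (TLS 1.2 framing, zeroed random, no extensions).

```python
"""Assess whether a recorded TLS session could be passively decrypted with the
server's (here: the proxy's) long-lived RSA private key.

Only static RSA key transport lets a holder of the private key recover the
session keys: the client encrypts the premaster secret to the RSA public key.
With (EC)DHE, and always in TLS 1.3, session keys come from an ephemeral
Diffie-Hellman exchange and the RSA key merely signs the handshake, so an
exported private key would not allow decryption of captured traffic.
"""
import struct

# Subset of IANA cipher-suite code points (constructed table for this example).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def key_exchange_of(suite_name: str) -> str:
    """Return the key-exchange family encoded in an IANA cipher-suite name."""
    if "_WITH_" not in suite_name:
        # TLS 1.3 suite names carry only AEAD + hash; key exchange is always (EC)DHE.
        return "TLS13_EPHEMERAL"
    kx = suite_name[len("TLS_"):suite_name.index("_WITH_")]
    if kx.startswith(("ECDHE_", "DHE_")):
        return "EPHEMERAL"          # forward secrecy: RSA key only authenticates
    if kx == "RSA":
        return "STATIC_RSA"         # premaster secret encrypted to the RSA key
    return "OTHER"                  # static (EC)DH, PSK, anonymous, ...


def decryptable_with_rsa_key(suite_name: str) -> bool:
    """True only when the server's RSA private key would yield session keys."""
    return key_exchange_of(suite_name) == "STATIC_RSA"


def server_hello_cipher_suite(record: bytes) -> int:
    """Extract the negotiated cipher suite from a TLS ServerHello record."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # legacy_version(2) + random(32) + session_id<0..32> + cipher_suite(2)
    sid_len = hello[34]
    off = 35 + sid_len
    return struct.unpack("!H", hello[off:off + 2])[0]


def build_server_hello(suite: int, session_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Constructed minimal ServerHello (TLS 1.2 framing, no extensions)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def assess(record: bytes) -> dict:
    """Summarise whether the proxy's RSA key would expose this session."""
    suite_id = server_hello_cipher_suite(record)
    name = CIPHER_SUITES.get(suite_id)
    if name is None:
        return {"suite": f"UNKNOWN_0x{suite_id:04X}", "key_exchange": "UNKNOWN",
                "passively_decryptable_with_rsa_key": False}
    return {"suite": name, "key_exchange": key_exchange_of(name),
            "passively_decryptable_with_rsa_key": decryptable_with_rsa_key(name)}


if __name__ == "__main__":
    for suite in (0x009C, 0xC02F, 0x1301):
        print(assess(build_server_hello(suite)))
```

Run against real captures, the ServerHello would come from a packet capture of the client-proxy leg; if the negotiated suite is classified as EPHEMERAL or TLS13_EPHEMERAL, the key the original question asks about would not help, which is exactly why the reply points at the traffic-tap feature instead.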

Re: How to export private key, which HTTPS proxy uses for mimic certificates

Hello Sapan,

Is the TAP feature in the current release of WSA?

If not, do you know when it will be available?