Beginner

how to setup certificate for HTTPS proxy on WSA

Hi, I'm trying to install the certificate for HTTPS Proxy on WSA.

The environment is not using a private CA, so there is no option for this.

I was going to use a third-party certificate like VeriSign, but they don't allow using the 1024-bit CSR which WSA is generating.

Then my only option is to upload a certificate and key.

I have a trusted certificate, but do not have the matching key. Is there any way I can get it?

Also, the certificate has to be a signing certificate; does that mean the certificate is a root certificate or a trusted certificate?

Then how do I get the key for it?

Thank you.

3 REPLIES

Cisco Employee

Hi,

The certificate required in the WSA for HTTPS proxy is a root certificate.

Please see the previous discussion about the same topic:

https://supportforums.cisco.com/discussion/11723386/how-setup-ssl-certificate-ironport-wsa

 

Thanks,

Donny


Cisco Employee

Hi

Posted already in some other thread, but repeating here.

You could try the following steps (with openssl):

Generate the key:

openssl genrsa -des3 -out cakey.pem 2048

Generate the certificate (valid for 10 years):

openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650

Remove the passphrase from the key:

openssl rsa -in cakey.pem -out cakey_nopass.pem

Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.

Be aware of the performance impact caused by a 2048-bit certificate. It may affect it a lot.

BR,
Artur
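As an added example (not from the original thread or from Cisco), the three steps in the reply above as a non-interactive script, followed by the check a practitioner would want before uploading the pair to the WSA: that the certificate really is a signing certificate (basicConstraints CA:TRUE and keyUsage keyCertSign, which is what the v3_ca section provides) and that the passphrase-free key matches it. The passphrase `changeit`, the subject names, the `ca.cnf` file and the temporary working directory are assumptions made for this example; the output file names follow the reply.

```shell
#!/bin/sh
# Added example: build a self-signed signing CA for the WSA HTTPS proxy and
# verify it before upload. File names follow the reply; the passphrase,
# subject and config file are assumptions for this example.
set -e

# Throwaway directory so nothing in the current directory is clobbered.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal OpenSSL config. The v3_ca section is what turns the certificate
# into a *signing* certificate: CA:TRUE plus the keyCertSign key usage.
write_ca_config() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example WSA HTTPS Proxy CA
O  = Example Org

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# The reply's three steps, made non-interactive with -passout/-passin.
# (The passphrase "changeit" is an example value, not a recommendation.)
generate_ca() {
  write_ca_config
  openssl genrsa -des3 -passout pass:changeit -out "$WORKDIR/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$WORKDIR/ca.cnf" -extensions v3_ca \
    -key "$WORKDIR/cakey.pem" -passin pass:changeit \
    -out "$WORKDIR/cacert.pem" -days 3650 2>/dev/null
  openssl rsa -in "$WORKDIR/cakey.pem" -passin pass:changeit \
    -out "$WORKDIR/cakey_nopass.pem" 2>/dev/null
}

# Returns 0 only if the pair is usable as an HTTPS-proxy signing CA:
# CA:TRUE, keyCertSign, and the private key belongs to the certificate.
verify_signing_ca() {
  cert="$1"; key="$2"
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q 'CA:TRUE'          || { echo "not a CA certificate";       return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "keyUsage lacks keyCertSign"; return 1; }
  # Compare the SubjectPublicKeyInfo from each side; they must be identical.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  return 0
}

# RSA modulus size of a private key, e.g. "2048" (the size the reply warns about).
key_bits() {
  openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}
```

The same `verify_signing_ca` check is what fails for a certificate bought from a public CA: publicly trusted CAs issue end-entity certificates (CA:FALSE, no keyCertSign) to ordinary customers, so such a certificate cannot sign the per-site certificates the proxy mints, which is the root of the "has to be a signing certificate" requirement in the question. The performance note in the reply is independent of this: `key_bits` simply reports the size chosen in `generate_ca`.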

Beginner

I assume the openssl commands are to create a self-signed certificate. In order not to show end users a certificate error, I have to deploy this certificate. There is no way to do it.

That's why I came up with getting signed by public certificate authorities such as VeriSign, Comodo, and so on.

However, I figured the public certificate authorities do not sign as a root certificate.