03-28-2014 01:04 AM
Hi, I'm trying to install the certificate for HTTPS Proxy on the WSA.
The environment is not using a private CA, so there are no options for this.
I was going to use a third-party certificate like VeriSign, but they don't allow the use of the 1024-bit CSR which the WSA is generating.
So my only option is to upload a certificate and key.
I have a trusted certificate, but do not have the matching key. Is there any way I can get it?
Also, the certificate has to be a signing certificate. Does that mean the certificate is a root certificate or a trusted certificate?
Then how do I get the key for it?
Thank you.
03-28-2014 04:38 PM
Hi,
The certificate required in the WSA for HTTPS proxy is a root certificate.
Please see the previous discussion about the same topic:
https://supportforums.cisco.com/discussion/11723386/how-setup-ssl-certificate-ironport-wsa
Thanks,
Donny
03-31-2014 01:45 AM
Hi
Posted already in some other thread, but repeating here.
You could try the following steps (with openssl):
Generate the key:
openssl genrsa -des3 -out cakey.pem 2048
Generate the certificate (Valid for 10 Years):
openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650
Remove the passphrase from the key:
openssl rsa -in cakey.pem -out cakey_nopass.pem
Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.
Be aware of the performance impact caused by a 2048-bit certificate. It may influence it a lot.
BR,
Artur
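Added example, not part of the posts in this thread: a shell sketch that builds a throwaway CA pair like the one in the steps above and then checks the two things asked about in the thread, namely that the key matches the certificate and that the certificate is a signing (CA) certificate. The function names `make_ca` and `check_pair`, the subject name and the inline config are constructed for illustration, and the key is generated without `-des3` so the script runs without prompting.

```shell
#!/bin/sh
# Added example: names, paths and the subject below are constructed for illustration.

# make_ca DIR: create a throwaway self-signed CA (key + certificate) in DIR.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Example Proxy CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$1/cakey_nopass.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -key "$1/cakey_nopass.pem" -out "$1/cacert.pem" -days 3650
}

# check_pair CERT KEY: succeed only if KEY is unencrypted, matches CERT,
# and CERT is marked as a CA (signing) certificate.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 4
}

workdir=$(mktemp -d)
make_ca "$workdir"
if check_pair "$workdir/cacert.pem" "$workdir/cakey_nopass.pem"; then
    echo "certificate and key match, certificate is a CA"
else
    echo "pair rejected (check_pair exit code $?)"
fi
```

Running `check_pair` against the files intended for upload shows before the import whether the key belongs to the certificate (exit code 3 if not) and whether the certificate carries `CA:TRUE` (exit code 4 if not).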
04-15-2014 04:29 PM
I assume the openssl commands are to create a self-signed certificate. In order not to show end users a certificate error, I have to deploy this certificate. There is no way to do it.
That's why I came up with getting it signed by public certificate authorities such as VeriSign, Comodo, and so on.
However, I figured out that the public certificate authorities do not sign as a root certificate.