Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2265
Views
0
Helpful
3
Replies

how to setup certificate for HTTPS proxy on WSA

jiyoung Kim
Level 1
Level 1

‎03-28-2014 01:04 AM

Hi, I'm trying to install the certificate for HTTPS Proxy on WSA.

 

the environment is not using private CA so no options for this.

 

I was going to use third party certificate like verisign, but they don't allow to use 1024 bit CSR which WSA is generating.

 

then, I have only option to upload certificate and key.

 

 

 

I have trusted certificate, but do not have the matched key. is there anyway I can get it ?

 

also, the certificate has to be a signing certification, is that mean the certificate is root certificate or trusted certificate ??

 

then How do I get the key for it ?

 

Thank you.

Labels:
0 Helpful
3 Replies 3

donnylee
Cisco Employee
Cisco Employee

‎03-28-2014 04:38 PM

Hi,

The certificate required in the WSA for HTTPS proxy is root certificate.

Please see the previous discussion about the same topic

 

https://supportforums.cisco.com/discussion/11723386/how-setup-ssl-certificate-ironport-wsa

 

Thanks,

Donny

 

0 Helpful

Artur Nowicki
Cisco Employee
Cisco Employee

‎03-31-2014 01:45 AM

Hi

Posted already in some other thread, but repeating here.

You could try the following steps (with openssl):

 

Generate the key:

openssl genrsa -des3 -out cakey.pem 2048

Generate the certificate (Valid for 10 Years):

openssl req -new -x509 -extensions v3_ca -key cakey.pem -out cacert.pem -days 3650

Remove the passphrase from the key:

openssl rsa -in cakey.pem -out cakey_nopass.pem

Later the certificate (cacert.pem) and key (cakey_nopass.pem) may be imported on the WSA.

Be aware about the performance impact caused by 2048bit certificate. It may influence it a lot.

BR,
Artur

0 Helpful

jiyoung Kim
Level 1
Level 1
In response to Artur Nowicki

‎04-15-2014 04:29 PM

I assume the openssl commands are to create self-signed certificate. in order not to show endusers certificate error, I have to deploy this certificate. there is no way to do it.

Thats why I came up with getting signed by public certificate authorities such as verisign, commodo, and so on.

However, I figured the public certificate authorities does not sign as root certificate.

0 Helpful
Customers Also Viewed These Support Documents