cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
29371
Views
5
Helpful
7
Replies

How to Setup SSL Certificate on IronPort WSA

cotichmuathu
Level 1
Level 1
hello  All
Can someone help me ?
I was not be able to install the certificate on my ironport s160
Is it possible to setup a third party SSL  certificate (ex: verisign ) on ironport web security appliance ?

Thank you,

1 Accepted Solution

Accepted Solutions

You're using this for HTTPS Proxy?

It has to be a root signing cert in a chain that your workstations will trust... Standard server certs just say "I'm server x", they can't sign certs saying server Y really is server Y...

On the WSA, its creating certs on the fly like a root authority would, one for each https site you're hitting.

You have 3 options:

1.Buy a root cert...  http://www.sslshopper.com/article-trusted-root-signing-certificates.html (this can be super expensive)

2.If you're in an MS world, install an Enterprise CA using MS Cert Server (your clients will automatically trust it), generate a root signing cert from it, and put that on the WSA (or grab its root cert and put that on the WSA).

3. Download the Ironport cert and deploy it to all of your clients.

Sorry for the misunderstanding on my part...

Ken

View solution in original post

7 Replies 7

Kyle,

Yes. It is.

You just have to make sure its in PEM format, not DER, and if you're installing a cert for the client facing side of the HTTPS proxy, you have to have the private key seperate from the cert and it must be unencrypted.

Get OpenSSL from SourceForge...

What kind of system do you have the cert on now? Do you have the key with it? What format is it in?

Use the approriate commands here to split the cert and decrypt the key...

http://www.sslshopper.com/article-most-common-openssl-commands.html

Ken

I am getting the following error when installing by GUI : "Certificate upload failed . the certificate file appears to be server certificate. a root signing certificate is required ". And by command line after i installed server certificate,private key ,intermediate then I typed commit but I got error: "unknown option. select one of the listed option, or press enter to exit the command"

Yes, its in pem format, private key is unencrypted and matching with certificate

You're using this for HTTPS Proxy?

It has to be a root signing cert in a chain that your workstations will trust... Standard server certs just say "I'm server x", they can't sign certs saying server Y really is server Y...

On the WSA, its creating certs on the fly like a root authority would, one for each https site you're hitting.

You have 3 options:

1.Buy a root cert...  http://www.sslshopper.com/article-trusted-root-signing-certificates.html (this can be super expensive)

2.If you're in an MS world, install an Enterprise CA using MS Cert Server (your clients will automatically trust it), generate a root signing cert from it, and put that on the WSA (or grab its root cert and put that on the WSA).

3. Download the Ironport cert and deploy it to all of your clients.

Sorry for the misunderstanding on my part...

Ken

Thanks Ken for your quick reply. resolved my problem

Hi,

I'm currently deploing a ironport setup for several customers, and all have to access the same ironport for http and https proxy.

Option 1 seems to be the perfect way to go, but as far as I know, Globalsign prohibited the root-ca for https inspection?

Trusted Root is a select service with strict requirements.

Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic.

Option 2 is out of the loop, there are severals domains, and non-communication between.

Option 3 is the way I currently operate, but there is load of work to distribute the ironport certificates, when non-windows enviroments is used.

What is the best way to achieve a root ca for the ironport that will work with all types of clients?

Hey Keith,

Not sure if you got this all figured out already, I was reading through the thread and trying to understand the issue of specifcally needing a root cert, was this because your client machines can't get to the internet to verify the cert from the third party CA? 

Nonetheless, I would recommend trying the way I do it on every install which is going with a third party certificate from a CA like GoDaddy.  A cert from a CA like GoDaddy will be recognized by all web browsers.  You can install the GoDaddy intermediate certificates into the Ironport as well (the instructions I'll paste below cover this).  I don't think you will have certificate errors with a third party cert even if your clients are going through a proxy, since GoDaddy or similar cert providers are recognized by the browser. 

Anyways its a place to start, and if it absolutely won't work then you could try a root cert approach, again I'm struggling to understand why a root cert is necessary.  Here are some instructions which are pretty easy to follow for setting up a third-party certificate on Ironport or using your existing cert in IIS.

Hope this helps you or others trying to sort this out, it took me awhile to figure out the first time around

Hi all,

Just to let you know, if you were able to get a Subordinate CA from a trusted CA, you would be able to offload anybody's ssl traffic. I guess there is no way, you can "buy" such a certificate.