How to Setup SSL Certificate on IronPort WSA

cotichmuathu (Level 1)
Hello all,
Can someone help me?
I was not able to install the certificate on my IronPort S160.
Is it possible to set up a third-party SSL certificate (e.g. VeriSign) on the IronPort Web Security Appliance?

Thank you,


7 Replies

Kyle,

Yes. It is.

You just have to make sure it's in PEM format, not DER, and if you're installing a cert for the client-facing side of the HTTPS proxy, you have to have the private key separate from the cert and it must be unencrypted.

Get OpenSSL from SourceForge...

What kind of system do you have the cert on now? Do you have the key with it? What format is it in?

Use the appropriate commands here to split the cert and decrypt the key...

http://www.sslshopper.com/article-most-common-openssl-commands.html

Ken
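The preparation Ken describes, as an added example that is not from the thread: get the certificate into PEM (not DER), put the private key in its own file, strip its passphrase, and confirm the pair actually belongs together before uploading. File names and the sample passphrase are assumptions; only the openssl CLI is used.

```shell
#!/bin/sh
# Added example, not from the thread: the OpenSSL steps Ken describes before an
# upload to the WSA -- certificate in PEM (not DER), the private key in its own
# file, and that key unencrypted. File names and the passphrase are assumptions.
set -e

# Normalise a certificate to PEM whether the export was DER or already PEM.
to_pem_cert() {                       # $1 = input cert, $2 = PEM output
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -out "$2"
}

# Rewrite a passphrase-protected key as an unencrypted PEM in its own file.
strip_key_passphrase() {              # $1 = key, $2 = passphrase, $3 = output
    openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# 0 when the key file carries no passphrase (no ENCRYPTED PEM header).
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# 0 when the public key in the cert equals the one derived from the key file;
# the WSA needs the pair to match, not just two valid-looking files.
key_matches_cert() {                  # $1 = cert PEM, $2 = key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed sample: a throw-away self-signed cert saved as DER beside a
# passphrase-protected key, the shape many exports arrive in.
demo() {                              # returns 0 when the prepared pair is usable
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=wsa.example.test" \
        -passout pass:secret -keyout "$d/enc.key" \
        -out "$d/cert.der" -outform DER 2>/dev/null
    to_pem_cert "$d/cert.der" "$d/cert.pem"
    strip_key_passphrase "$d/enc.key" secret "$d/plain.key"
    key_is_unencrypted "$d/enc.key" && return 1   # the export really was encrypted
    key_is_unencrypted "$d/plain.key" && key_matches_cert "$d/cert.pem" "$d/plain.key"
}
```

Run `demo` (or the individual functions against your own files); the resulting cert.pem and plain.key are the two files the WSA expects.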

I am getting the following error when installing via the GUI: "Certificate upload failed . the certificate file appears to be server certificate. a root signing certificate is required". And via the command line, after I installed the server certificate, private key and intermediate, I typed commit but got the error: "unknown option. select one of the listed option, or press enter to exit the command"

Yes, it's in PEM format, the private key is unencrypted and matches the certificate.

You're using this for HTTPS Proxy?

It has to be a root signing cert in a chain that your workstations will trust... Standard server certs just say "I'm server x", they can't sign certs saying server Y really is server Y...

On the WSA, it's creating certs on the fly like a root authority would, one for each HTTPS site you're hitting.

You have 3 options:

1. Buy a root cert... http://www.sslshopper.com/article-trusted-root-signing-certificates.html (this can be super expensive)

2. If you're in an MS world, install an Enterprise CA using MS Cert Server (your clients will automatically trust it), generate a root signing cert from it, and put that on the WSA (or grab its root cert and put that on the WSA).

3. Download the Ironport cert and deploy it to all of your clients.

Sorry for the misunderstanding on my part...

Ken
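What "root signing cert" means in practice, as an added example that is not from the thread: the checks below are what a server certificate fails (and why the GUI rejects it), and make_cert builds a self-signed root of the kind Ken's options 2 and 3 end up with, whose PEM goes on the WSA and whose DER export goes into client trust stores. The CA name, file names and the throw-away config file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: why the GUI rejects a normal server
# certificate for the HTTPS proxy, and how to make an internal root signing
# cert (Ken's options 2/3) that passes the same checks. The CA name, file
# names and the use of a throw-away config file are assumptions.
set -e

# The WSA mints a leaf cert for every HTTPS site it intercepts, so the cert it
# is given must be allowed to sign other certs: basicConstraints CA:TRUE, the
# keyCertSign key usage, and self-issued (subject == issuer). A server cert
# fails on all three, hence "a root signing certificate is required".
is_root_signing_cert() {              # $1 = cert PEM; 0 = usable on the WSA
    txt=$(openssl x509 -in "$1" -noout -text)
    case $txt in *"CA:TRUE"*) ;; *) return 1 ;; esac
    case $txt in *"Certificate Sign"*) ;; *) return 1 ;; esac
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Build a self-signed cert with the extensions of the named config section.
# Extensions come from the config so the result is the same on OpenSSL 1.1 and 3.
make_cert() {                         # $1 = dir, $2 = file base, $3 = CN, $4 = section
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $3
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/req.cnf" \
        -extensions "$4" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo() {                              # returns 0 when both checks behave
    d=$(mktemp -d)
    make_cert "$d" wsa-root "WSA Root CA" ca_ext         # what the WSA needs
    make_cert "$d" server "www.example.test" srv_ext     # the kind that was rejected
    # DER copy of the root for distribution to clients (option 3).
    openssl x509 -in "$d/wsa-root.pem" -outform DER -out "$d/wsa-root.crt"
    is_root_signing_cert "$d/wsa-root.pem" || return 1
    is_root_signing_cert "$d/server.pem" && return 1
    return 0
}
```

Keep wsa-root.key off every host except the WSA; anyone holding it can issue certificates the clients will trust.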

Thanks Ken for your quick reply. Resolved my problem.

Hi,

I'm currently deploying an IronPort setup for several customers, and all have to access the same IronPort for HTTP and HTTPS proxy.

Option 1 seems to be the perfect way to go, but as far as I know, GlobalSign has prohibited the root CA for HTTPS inspection?

Trusted Root is a select service with strict requirements.

Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic.

Option 2 is out of the loop; there are several domains, with no communication between them.

Option 3 is the way I currently operate, but there is a load of work to distribute the IronPort certificates when non-Windows environments are used.

What is the best way to achieve a root CA for the IronPort that will work with all types of clients?

Hey Keith,

Not sure if you got this all figured out already. I was reading through the thread and trying to understand the issue of specifically needing a root cert; was this because your client machines can't get to the internet to verify the cert from the third-party CA?

Nonetheless, I would recommend trying the way I do it on every install which is going with a third party certificate from a CA like GoDaddy.  A cert from a CA like GoDaddy will be recognized by all web browsers.  You can install the GoDaddy intermediate certificates into the Ironport as well (the instructions I'll paste below cover this).  I don't think you will have certificate errors with a third party cert even if your clients are going through a proxy, since GoDaddy or similar cert providers are recognized by the browser. 

Anyway, it's a place to start, and if it absolutely won't work then you could try a root cert approach; again, I'm struggling to understand why a root cert is necessary. Here are some instructions which are pretty easy to follow for setting up a third-party certificate on Ironport or using your existing cert in IIS.

Hope this helps you or others trying to sort this out; it took me a while to figure out the first time around.

Hi all,

Just to let you know, if you were able to get a Subordinate CA from a trusted CA, you would be able to offload anybody's SSL traffic. I guess there is no way you can "buy" such a certificate.