04-05-2017 07:37 AM
Hi all
Is there a way to update the "Cisco Trusted Root Certificate Bundle"? I get more and more HTTPS homepages which can't be opened. I suspect that this is related to old certificates.
I tried to add fresh certificates manually, but after that I can't "commit" updates from my Content Security Management Appliance (I had to remove the added certificates to get the commit working again).
Version:
Name: S170
Product: Cisco S170 Web Security Appliance
Model: S170
Version: 8.8.0-085
Build Date: 2015-07-02
Install Date: 2017-03-23 20:34:27
RAID: 02
RAID Status: OPTIMAL
RAID Type: 1
BMC: 2.02
Cisco DVS Engine: 1.0 (Never Updated)
Cisco DVS Malware User Agent Rules: 0.554 (Never Updated)
Cisco DVS Object Type Rules: 0.554 (Never Updated)
Cisco Trusted Root Certificate Bundle: 1.3 (Wed Aug 3 07:11:50 2016)
Cisco Certificate Blacklist: 1.3 (Wed Aug 3 07:11:50 2016)
L4 Traffic Monitor Anti-Malware Rules: 1491391550 (Wed Apr 5 13:31:50 2017)
Cisco Web Usage Controls - Web Categorization Engine: 3.0.0.046 (Fri Mar 24 13:37:08 2017)
Cisco Web Usage Controls - Web Categorization URL Keyword Filters: 1312487822 (Fri Mar 24 13:37:08 2017)
Cisco Web Usage Controls - Web Categorization Prefix Filters: 1491399902 (Wed Apr 5 15:52:08 2017)
Thanks in Advance
Daniel
Solved! Go to Solution.
04-05-2017 08:15 AM
Actually, it's probably NOT old roots, but the fact that WSA has problems dealing with intermediate certs. (Fixed in 10.x, but I haven't tested it yet.)
We would have errors with HTTPS sites; use grep to look at the access log, and it would say something like "bad root cert". So I'd put my machine in the bypass list, go to the site, download their root and intermediate cert (click on the lock in IE, Details tab, save the intermediate and root), then upload the root and intermediate... almost always Cisco already had the root, but not the intermediate.
We've added about 30 intermediate certs this way.
The other issue you're running into is that 8.x does NOT support TLS 1.1 or 1.2. 1.0 has issues, so sites are supporting it less and less.
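The procedure Ken describes (grab the site's intermediate from a browser, then upload it to the WSA) can be scripted. The following is an added example, not code from the thread or from Cisco: it takes the text that `openssl s_client -connect HOST:443 -servername HOST -showcerts` prints, splits the presented chain into leaf, intermediate(s) and root, and writes each intermediate to its own PEM file for upload. The `fetch_chain()` helper needs network access and an `openssl` binary on PATH; `SAMPLE` is a constructed transcript (made-up host, CA names and base64 bodies, not real certificates) so the parser can be exercised offline.

```python
"""Split an `openssl s_client -showcerts` transcript into the chain's
certificates and export the intermediates as PEM files (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# " 0 s:CN = host" (OpenSSL 1.1+) or " 0 s:/CN=host" (OpenSSL 1.0.x)
HDR_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISS_RE = re.compile(r"^\s*i:(.*)$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


@dataclass
class ChainCert:
    index: int      # position in the chain as sent by the server (0 = leaf)
    subject: str
    issuer: str
    pem: str

    @property
    def role(self) -> str:
        # Self-signed (subject == issuer) is a root; anything after the
        # leaf that is not self-signed is an intermediate.
        if self.subject == self.issuer:
            return "root"
        return "leaf" if self.index == 0 else "intermediate"


def parse_showcerts(text: str) -> list[ChainCert]:
    """Parse the 'Certificate chain' section of s_client -showcerts output."""
    certs: list[ChainCert] = []
    meta = None        # subject/issuer header seen before the next PEM block
    pem_lines = None   # lines of the PEM block being read; None when outside one
    for line in text.splitlines():
        if pem_lines is None:
            m = HDR_RE.match(line)
            if m:
                meta = {"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": ""}
                continue
            m = ISS_RE.match(line)
            if m and meta is not None:
                meta["issuer"] = m.group(1).strip()
                continue
            if line.startswith(PEM_BEGIN):
                pem_lines = [line]
            continue
        pem_lines.append(line)
        if line.startswith(PEM_END):
            pem = "\n".join(pem_lines) + "\n"
            # Without -showcerts (or with an empty chain) the leaf is printed
            # again under "Server certificate"; skip exact duplicates.
            if not any(c.pem == pem for c in certs):
                if meta is None:
                    meta = {"index": len(certs), "subject": "", "issuer": ""}
                certs.append(ChainCert(meta["index"], meta["subject"], meta["issuer"], pem))
            meta, pem_lines = None, None
    return certs


def intermediate_names(certs: list[ChainCert]) -> list[str]:
    """One file name per intermediate, derived from its subject."""
    names = []
    for c in certs:
        if c.role == "intermediate":
            slug = re.sub(r"[^A-Za-z0-9]+", "_", c.subject).strip("_") or f"chain{c.index}"
            names.append(f"{slug}.pem")
    return names


def export_intermediates(certs: list[ChainCert], out_dir: str) -> list[Path]:
    """Write each intermediate to its own PEM file (one certificate per file)."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    inter = [c for c in certs if c.role == "intermediate"]
    written = []
    for c, name in zip(inter, intermediate_names(certs)):
        (out / name).write_text(c.pem)
        written.append(out / name)
    return written


def fetch_chain(host: str, port: int = 443, timeout: int = 15) -> list[ChainCert]:
    """Needs network: run openssl s_client against the host and parse it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_showcerts(proc.stdout.decode("utf-8", errors="replace"))


# Constructed transcript; the base64 bodies are placeholders, not real certs.
SAMPLE = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Issuing CA 1
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
 2 s:C = XX, O = Example CA, CN = Example Root CA
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBrootPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
issuer=C = XX, O = Example CA, CN = Example Issuing CA 1
"""

if __name__ == "__main__":
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else parse_showcerts(SAMPLE)
    for c in chain:
        print(f"{c.index} {c.role:12} subject={c.subject!r} issuer={c.issuer!r}")
    print("intermediates to upload:", intermediate_names(chain))
```

Run it as `python3 chain_split.py www.example.test` to fetch a live chain, or with no argument to see the constructed sample classified. A server may omit the root (most do), in which case only the leaf and the intermediates appear; the WSA normally already trusts the root, so the intermediates are what you upload.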
04-05-2017 07:59 AM
Hi Daniel,
On AsyncOS version 8.8, the Cisco trusted root certificate bundle can only be updated via updates from the Cisco server or via an AsyncOS version upgrade. Unfortunately there is no other way to update this list.
The custom root certificates should always take preference over the built-in trusted root certificate bundle. Manually uploading a custom root certificate would be the only option to add new root certificate authorities on the WSA.
May I know if you see an error on the SMA when you attempt to publish the configuration after uploading the custom root certificate? If yes, could you please paste the error you see?
Sid
04-05-2017 08:23 AM
Hi Sid
Thank you for your answer.
I tried to update the Cisco trusted root certificate bundle within the GUI. When I hit "Update Now" under Network > Certificate Management, the column "New Update" shows the value "Not Available". The column "Last Update" shows "Success - Wed Aug 3 07:11:50 2016". I'm wondering if this really is the latest update?
I see the following error on both of my SMAs after manually adding certificates:
Cisco Content Security Management Appliance M170 () - Utilities > Publish > Publish to Web Appliances
04-05-2017 08:43 AM
Hi Daniel,
Thanks for providing the error message. You are right, the error message would be due to custom uploaded certs.
The error message seen during publish from SMA is tracked by defect CSCuv04220.
The defect however mentions that, although we see an error, changes made on SMA do get published properly to WSA.
Could you try uploading a custom certificate, making a change on SMA, publishing from SMA and then manually checking WSA config to see if the change gets published properly?
Sid
04-05-2017 08:53 AM
Hi Sid
Thank you for your investigations.
As you can see in my reply to Ken's post, I will update AsyncOS in my environment.
I hope this will also solve this problem :-)
Thank you!
04-05-2017 08:36 AM
Hi Ken
Nice hint with TLS Support!!!
I was grepping the access_log and had no error or any "bad" messages.
Just at the moment I'm realizing that I have to upgrade :-)
thank you
EDIT:
I just took a second look at the homepage which is not working. And there it is:
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM).
You served me the solution on a silver platter, thank you!