09-16-2013 08:48 AM
Hi!
We have an Ironport S160 running version 7.5.1-201 for Web
Today, I used the certconfig CLI command to install a custom signed certificate for the management HTTPS interface, but the Ironport is still using the demo certificate, even after I rebooted the appliance.
I also downloaded a certificate request from the HTTPS proxy settings and signed it using my root CA, but I am still getting the old self-signed CA when I visit HTTPS websites - this also persists after the appliance reboot.
The new CA shows up in the https proxy settings, and I also imported my root CA for good measure.
Please advise how to proceed.
// Cheers, Morten
09-16-2013 09:38 AM
Update: mgmt is now using the new certificate, but I touched nothing - HTTPS traffic is still using the old self-signed CA, however.
09-17-2013 07:11 PM
What steps did you follow to add the certificate to the WSA? Did you add it via CLI command 'certconfig'?
~BR
Jatin Katyal
**Do rate helpful posts**
09-17-2013 10:04 PM
I added the management certificate using certconfig, yes - but that suddenly started working on its own, as I commented earlier. My issue is now the CA certificate used for re-signing decrypted HTTPS sites.
09-17-2013 07:55 PM
Morten,
Which self signed cert are you referring to? Are you referring to the Ironport Demo certificate? If you are seeing that certificate when surfing the internet, it sounds like you have credential encryption enabled. You will need to upload the new one in the GUI under Network > Authentication.
-Vance
09-17-2013 10:07 PM
Hello,
I do not have SSL enabled for authentication, no.
My current issue is with Ironport's CA, used for creating new certificates when it decrypts HTTPS web sites.
I downloaded a CSR from the HTTPS proxy page, signed it using my AD root CA, then imported the resulting certificate into Ironport. But the web sites I visit still get signed by the self-signed "Hapro" certificate I created in December of last year.
My current hypothesis is that Ironport is storing generated certificates, and will not regenerate them until the signatory certificate expires, in December.
09-18-2013 12:08 AM
The generate CSR feature is new and honestly, I have not seen it used. You may need to remove the self-generated certificate by editing the configuration XML file. I'd recommend you open up a TAC case on it for a possible bug.
-Vance
09-26-2013 05:53 AM
Hello,
After getting in touch with TAC and holding a Webex session, we figured out what was going on here:
When I created the CSR, I did not first generate a new key and certificate.
The CSR was made using the current private key, the same one that was used for the old self-signed CA.
When I uploaded the new CA after signing it in ADCS, the new CA was put into use after all.
But, since it had the same private key, the browser on the client somehow got confused, as the old self-signed CA was installed in the trusted root store together with the new root CA from AD.
On the wire, the new certificate was used, but in the browser connection details, the old one was presented.
// Morten
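The root cause above (a CSR built on the appliance's existing private key, so the old self-signed CA and the newly signed CA share one key pair) is easy to detect before the new certificate is ever uploaded: hash the SubjectPublicKeyInfo of the old CA certificate and of the CSR and compare. The script below is an added example, not code from the thread or from Cisco; it reproduces both the mistake and the fix with the openssl command line (assumed to be installed) and constructed key, file and subject names. The "Corp AD Root CA" key stands in for AD CS, and the `ca.ext` extensions approximate what a CA-capable template would issue.

```shell
#!/bin/sh
# Added example: reproduce "same private key behind two CA certs" and the SPKI check.
# Assumes the openssl CLI (1.1.x or 3.x) is on PATH. All names below are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extensions a CA-capable template would add to the signed cert (hypothetical).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# 1. The appliance's original key and self-signed signing CA ("Hapro" in the thread).
openssl genrsa -out old.key 2048 2>/dev/null
openssl req -config req.cnf -x509 -new -key old.key -subj "/CN=Hapro WSA Root" -days 365 -out old-selfsigned.crt 2>/dev/null

# 2. An enterprise root standing in for the AD CS root CA.
openssl genrsa -out adroot.key 2048 2>/dev/null
openssl req -config req.cnf -x509 -new -key adroot.key -subj "/CN=Corp AD Root CA" -days 3650 -out adroot.crt 2>/dev/null

# 3. The mistake: CSR generated from the EXISTING key, then signed by the AD root.
openssl req -config req.cnf -new -key old.key -subj "/CN=Hapro WSA Root" -out reused.csr 2>/dev/null
openssl x509 -req -in reused.csr -CA adroot.crt -CAkey adroot.key -CAcreateserial -days 365 -extfile ca.ext -out reused-signed.crt 2>/dev/null

# 4. The fix: generate a fresh key first, then the CSR, then sign it.
openssl genrsa -out new.key 2048 2>/dev/null
openssl req -config req.cnf -new -key new.key -subj "/CN=Hapro WSA Root" -out fresh.csr 2>/dev/null
openssl x509 -req -in fresh.csr -CA adroot.crt -CAkey adroot.key -CAcreateserial -days 365 -extfile ca.ext -out fresh-signed.crt 2>/dev/null

# Extract the public key (PEM) from a certificate or a CSR. $1: "cert" or "csr", $2: file.
pubkey_pem() {
  if [ "$1" = csr ]; then openssl req -in "$2" -noout -pubkey
  else openssl x509 -in "$2" -noout -pubkey; fi
}

# SHA-256 of the DER SubjectPublicKeyInfo. Equal hashes mean the same key pair,
# regardless of who signed the certificate or what subject it carries.
spki_hash() {
  pubkey_pem "$1" "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when both objects carry the same public key. Usage: same_key cert a.crt csr b.csr
same_key() {
  [ "$(spki_hash "$1" "$2")" = "$(spki_hash "$3" "$4")" ]
}

echo "old self-signed CA : $(spki_hash cert old-selfsigned.crt)"
echo "CSR from old key   : $(spki_hash csr reused.csr)   <- reused key, do not sign this"
echo "CSR from fresh key : $(spki_hash csr fresh.csr)"
same_key cert old-selfsigned.crt cert reused-signed.crt && echo "reused-signed.crt shares the old key: browsers will mix the two CAs"
same_key cert old-selfsigned.crt cert fresh-signed.crt || echo "fresh-signed.crt has a new key: safe to upload"
```

Run `spki_hash cert <old CA> ` and `spki_hash csr <downloaded CSR>` against the real files before submitting the CSR to AD CS; if the two hashes match, generate a new key and certificate on the appliance first and download the CSR again. Once a correctly keyed CA is in use, also remove the old self-signed CA from the client trust stores so only one issuer with that name remains.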