Ironport S160 new certificates not taking effect

mortenn · ‎09-16-2013

Hi!

We have an Ironport S160 running version 7.5.1-201 for Web

Today, I used the certconfig CLI to install a custom signed certificate for the management https interface, but the ironport is still using the demo certificate, even after I rebooted the appliance.

I also downloaded a certificate request from the https proxy settings and signed it using my root CA, but I am still getting the old self signed CA when I visit https websites - this also persists after the appliance reboot.

The new CA shows up in the https proxy settings, and I also imported my root CA for good measure.

Please advise how to proceed.

// Cheers, Morten

mortenn · ‎09-16-2013

Update: mgmt is now using the new certificate, but I touched nothing - https traffic is still using the old self signed CA, however.

Jatin Katyal · ‎09-17-2013

What steps did you follow to add the certificate to the WSA? Did you add it via CLI command 'certconfig'?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

mortenn · ‎09-17-2013

I added the management certificate using certconfig, yes - but that suddenly started working on its own, as I commented earlier.. My issue is now the CA certificate used for resigning decrypted https sites.

Vance Kwan · ‎09-17-2013

Morten,

Which self signed cert are you referring to? Are you referring to the Ironport Demo certificate? If you are seeing that certificate when surfing the internet, it sounds like you have credential encryption enabled. You will need to upload the new one in the GUI under Network > Authentication.

-Vance

mortenn · ‎09-17-2013

Hello,

I do not have ssl enabled for authentication, no.

My current issue is with ironports CA, used for creating new certificates when it decrypts https web sites.

I downloaded a CSR from the https proxy page, signed it using my AD root CA, then imported the resulting certificate into ironport. But the web sites I visit still get signed by the self signed "Hapro" certificate I created december of last year.

My current hypothesis is that ironport is storing generated certificates, and will not regenerate them until the signatory certificate expires, in december.

Vance Kwan · ‎09-18-2013

The generate CSR feature is new and honestly, I have not seen it be used. You may need to remove the self generated certificate by editing the configuration XML file. I'd recommend you open up a TAC case on it for a possible bug.

-Vance

mortenn · ‎09-26-2013

Hello,

After having been in touch with TAC and a Webex session, we figured out what was going on here:

When I created the CSR, I did not first generate a new key and certificate.

The CSR was made using the current private key, the same as was used for the old self signed CA.

When I uploaded the new CA after signing it in ADCS, the new CA was put into use after all.

But, since it had the same private key, the browser on the client somehow got confused, as the old self signed CA was installed in the trusted root store together with the new root CA from AD.

On the wire, the new certificate was used, but in the browser connection details, the old one was presented.

// Morten