Question on loading certificate in WSA

fpiccioni
Level 1

Hi

Please can someone help with the procedure to load a certificate on the WSA?

 

I performed the following:

1) In Edit Proxy HTTPS Settings - Download Certificate Signing Request, downloaded file HTTPS_csr.pem

2) Sent the downloaded file to the CA company

3) CA company returned a certificate and an intermediate certificate, both in the form .crt

4) In Edit Proxy HTTPS Settings - Use Uploaded Certificate and Key, the loading of certificate is not possible because I haven't the key file.

 

Looking at this good video:

https://supportforums.cisco.com/video/11932521/steps-enable-https-proxy-wsa-uploading-rootintermediate-certificate-option

it seems CA company has to supply key file together with certificate file. However I suppose WSA should generate and use the key.

The CA company confirmed they should not supply the key.

 

Thanks in advance

Regards

2 Replies

The CA vendor (GoDaddy/VeriSign/Thawte/Digicert etc)  is going to sell you a "SERVER CERTIFICATE", NOT a "ROOT or INTERMEDIATE" certificate.

The server cert WILL NOT WORK for this.  You'll get an error that says something like "you need a signing cert"...(I don't remember the exact message)

 

Where to get a proper cert:

1. You can generate a signing cert on the box, download the cert, and make it available to your clients to add to their root cert store (on Windows you can do it via Group Policy)

2. On Windows, if you have an Enterprise CA, use that CA to generate a subordinate certificate, and upload that cert and its key to your WSA.  Since it's an Enterprise CA, it's ALREADY trusted by your Windows boxes.

3. If you need a different hash or key strength than what the WSA generates (2048/SHA1), then on a VM, install a Standalone CA, grab its cert and key, upload it to the WSA, and deploy the cert to your workstations as in the first option. Nuke the VM...

Hi

Thanks for the prompt answer.

I am quite sure the CA vendor has sent me the correct certificate. My issue is I do not have the key file to load together with certificate and I am not sure who should supply it. WSA? CA Vendor?
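
The reply above distinguishes a server certificate from a signing certificate, and the follow-up asks about the key file. As an added example (not part of the thread and not Cisco tooling), the two checks can be run with `openssl` on a workstation: whether a certificate is CA-capable, and whether a given private key belongs to it. The generated files and subject names are constructed samples.

```shell
#!/bin/sh
# Added example: pre-upload checks for an HTTPS-proxy signing certificate.
# Generated files and subject names below are constructed samples.

# Succeeds if the certificate has basicConstraints CA:TRUE (it can sign other certs).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeeds if the private key's public half equals the certificate's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build sample material: one signing (CA) cert and one server (leaf) cert.
make_samples() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -extensions ca_ext -subj "/CN=Example Proxy Signing CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -extensions leaf_ext -subj "/CN=proxy.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.crt" 2>/dev/null
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for c in ca leaf; do
    is_ca_cert "$SAMPLES/$c.crt" && echo "$c.crt: CA:TRUE" || echo "$c.crt: not a CA cert"
done
key_matches_cert "$SAMPLES/ca.crt" "$SAMPLES/leaf.key" || echo "leaf.key does not match ca.crt"
```

To check real files, call `is_ca_cert` and `key_matches_cert` with the paths of the certificate and key in question.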