SSL Certificate for S170 HTTPS Proxy Settings

Rick Williams
Level 1

Hi,

I have a quick question around the SSL certificate for 2x S170 devices I am installing.

Can I purchase 1 certificate and use it on both devices, or are 2 separate certificates required?

Both of the Proxy servers go through a firewall and are not NAT'd.

Are there any specifics required for the certificate?


Technically, you can use the same cert on both WSAs.

Whether you can use the same cert on multiple machines is more a function of the license from the cert provider... some state that you have to purchase the right to use it in more than one place...

It has to be a signing cert, as what the WSA is doing is issuing a new cert that "mimics" the one on the webserver your user is accessing.

Vance Kwan
Cisco Employee

Do not purchase any certificates as you will likely receive a Server Certificate (not a Root Certificate).

If a trusted CA were to provide you with a Root signed by Verisign for example, you can in turn compete with their business and start signing/selling Server Certificates. There is no way that they can control what you would sign. You can start signing fraudulent certificates and there is nothing that they can do to stop you other than revoking it, which browsers do not check by default.

I have yet to see anybody get a Root signed by a trusted CA.  If anybody has obtained one, please do let me know.

The only known ways to obtain a Root for the HTTPS proxy are to either:

a) generate one

b) extract it/generate it from an internal trusted CA.

-Vance

The trick was to create a sub-CA from our internal Cert Server.

Couldn't find any specific documentation on doing this on a WSA. There is however documentation online for competitors.

Alex Weldon
Level 1

We currently use self signed as we do not have an in house CA. I followed the guide here:

http://blog.samkendall.net/2010/05/12/how-to-make-your-computers-trust-your-cisco-ironport-https-proxy-in-an-active-directory-environment/  works great.

Alcides Miguel
Level 1

Hi,

Can you folks please help me? I have one S170 and I would like to enable the HTTPS Proxy, and I'm having trouble uploading the certificate to the appliance.

Till now what I've done is Enable HTTPS Proxy ---> Use Generated Certificate and Key ---> Download Certificate Signing Request

and opened my root authority server web page ---> request a new certificate ---> paste the content of the S170 generated file

and I received the certificate, tried to upload the certificate to the proxy, and an error is generated.

Hope someone can help me.

kind regards,

Alcides

I've just posted about this exact thing in a different thread:

https://supportforums.cisco.com/discussion/11804801/2048-bit-key-ironport-wsa-https-proxy

Hope that helps you.
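
An added example, not part of any post in this thread: the replies above say the WSA needs a signing certificate rather than a server certificate, and this sketch checks for that with the `openssl` CLI before a certificate is uploaded. The function names, config section names and sample subject are assumptions, and the sample certificates are constructed at run time.

```shell
#!/usr/bin/env bash
# Added example: decide whether a PEM certificate can sign other certificates,
# i.e. it carries basicConstraints CA:TRUE and the keyCertSign key usage.

# Returns 0 for a signing (CA) cert, 1 for any other cert, 2 if unreadable.
is_signing_cert() {
    local text
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Constructed sample input: write a throwaway self-signed certificate to $1,
# taking its extensions from section $2 of a minimal config (hypothetical names).
make_sample_cert() {
    local out=$1 section=$2 dir rc
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample.example
[signing_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" -extensions "$section" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: pass the certificate you intend to upload as the first argument.
if [ -n "${1:-}" ]; then
    if is_signing_cert "$1"; then echo "$1: signing (CA) certificate"
    else echo "$1: not a signing certificate"; fi
fi
```

A certificate issued from a web-server template fails this check even when it comes from an internal CA; one issued as a subordinate CA passes.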
