Where do you get a "key" from Windows domain root CA for Https web proxy?

keithsauer507 (Level 5)

I need to update the HTTPS web proxy decryption certificate. We use an internal Microsoft Windows CA that is integrated in Active Directory. You can get the root CA by running mmc.exe and adding the Certificates snap-in, or we can go to our internal Microsoft /certsrv page and download the root CA there as well.

However, in Security Services > HTTPS Proxy, it does not allow you to proceed if you just attach the .cer file under Use Uploaded Certificate and Key. It complains "Please specify a file to upload." next to the Key field.

 

Where does one get such a "key"? I could understand that on a Unix-based system a server certificate would be generated against a key, but we are talking about a ROOT certificate here.

Currently the cert that is loaded expired November 25th, though we have had no interruption. If you go to a popular site like Amazon, for example, and look at the certificate chain of trust, the root cert shows our current internal CA cert as the parent, which expires in 2024.

So while we have no outages at this point, we had to disable the severe web proxy email alerts to stop the nag email telling us a cert is expired. Rather than band-aid it, I'd rather have server alerts turned on.

5 Replies

keithsauer507 (Level 5)
See, nobody knows. It doesn't seem well documented. Even TAC is researching because they don't have the answer either.

What I really want is to eliminate the requirement of uploading a "key" when just uploading a root ca for trust.

When you generate the cert out of your CA (e.g. a SubCA cert), you get it from the cert store on the box where you generated it.

If you're using the cert from your root ca, you get it from the root CA box. This is generally a bad idea, but will work.

The key is required to create new certs that are trusted. Otherwise anyone with a copy of the root cert could create a cert that other systems would trust....

The CA is Windows Server 2012 R2. I just don't recall ever seeing anything in one of the certificate MMC snap-ins to export a key. I'll poke around on there.

I wish the WSA would just be updated to not require it. Nothing is broken at all. We are seeing all the popular HTTPS sites signed by our Domain-CA as the parent, and in the browser it's showing it doesn't expire until 2024. So even though the WSA thinks the cert is expired, it's still using the new one anyway.

We just wanted to eliminate the alerts so I can turn email alerting for critical WebProxy events back on.

I can't find where in Windows Server 2012 R2 you can export a "key" for the domain's root CA. Any ideas?

RDP to your Root CA server.

Start/Run certlm.msc (certificate manager for the local machine).

Go to the Personal/Certificates folder.

Find the cert where Certificate Template is "Root Certification Authority".

Double-click it.

On the Details tab, click Copy to File...

Export it with the key.

Use OpenSSL or other tools to separate the key from the cert.

Upload the separate files to the WSA.
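As an added example (not from this thread or from Cisco's documentation), here is the "separate key from cert" step done with OpenSSL: a PKCS#12 file stands in for the certlm.msc "Copy to File..." export, and the script writes a clean PEM certificate and PEM key for upload, then checks that the two belong together. It assumes openssl is on PATH and builds a constructed throwaway CA for the demonstration rather than touching a real root key; as the earlier reply points out, giving the WSA a SubCA cert is preferable to copying the root key onto it.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumes: openssl on PATH.
set -e

# split_pfx <file.pfx> <password> <out_dir>
# Writes <out_dir>/ca.crt (certificate only, PEM) and <out_dir>/ca.key
# (private key only, unencrypted PEM), the two files the WSA form asks for.
split_pfx() {
  pfx="$1"; pass="$2"; out="$3"
  mkdir -p "$out"
  # -clcerts -nokeys: only the end certificate; piping through x509 drops the
  # "Bag Attributes" header that pkcs12 prints in front of the PEM block.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$out/ca.crt"
  # -nocerts -nodes: only the key, written without a passphrase; pkey
  # normalises it to a clean PKCS#8 "BEGIN PRIVATE KEY" block.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    | openssl pkey -out "$out/ca.key"
  # The exported key is a CA signing key: keep it readable by the owner only.
  chmod 600 "$out/ca.key"
}

# key_matches_cert <cert.pem> <key.pem>
# Succeeds only if the key's public half equals the certificate's public key,
# which catches uploading a key from the wrong (e.g. previous) CA cert.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# make_sample_pfx <dir>
# Constructed test data: a throwaway self-signed CA packed as sample.pfx,
# standing in for the certlm.msc export. Never do this with a real root key.
make_sample_pfx() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Example Root CA" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/sample.key" -in "$dir/sample.crt" \
    -passout "pass:changeit" -out "$dir/sample.pfx"
}
```

Run `make_sample_pfx "$dir"`, then `split_pfx "$dir/sample.pfx" changeit "$dir/out"` and `key_matches_cert "$dir/out/ca.crt" "$dir/out/ca.key"` before uploading ca.crt and ca.key.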
