Wildcard Certificate Issue for WSA HTTPS Decryption

Hi 

 

We want to configure an HTTPS Decryption policy on a WSA C190, and we purchased a wildcard certificate for the WSA; however, when we tried to upload the certificate it gives the below error:

 

Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required.

 

This wildcard certificate is signed by DigiCert for our entire domain. Kindly help me figure out which certificate we should use and where it should be signed from.

 

1- Do we need a separate wildcard certificate from DigiCert?

2- What kind of certificate should we use, and where can we get it?

 

Collaborator
You can't buy what you need from DigiCert.

You need a SIGNING cert, e.g. a cert that other certificates can be derived from.



Either use the cert that came with the WSA or generate one using a CA, and deploy it to your workstations.

https://community.cisco.com/t5/web-security/wsa-https-proxy/m-p/3407341/highlight/true#M7849




Beginner
Hi Ken,

Thanks for the comment.

 

its mean either we can use self signed certificate from WSA and send it to users via Group Policy 

or 

we need to use internal CA and Subordinate Certificate for WSA 

 

Would there be a limitation for guest users who are not part of our domain, who will see the certificate error from the WSA?

Is there any way that our guest users can also validate the WSA certificate without getting an error?

Collaborator

Regrettably, no, not without them loading the cert...
Beginner

Just for curiosity/knowledge:

 

Why can't we use a publicly signed certificate for the WSA? What is the reason that we are bound to use only an internal CA subordinate certificate or a WSA self-signed certificate?

 

Thanks

Collaborator

The way the WSA works, it creates a new cert for each site you visit on the fly. It's acting like a Certificate Authority.

So the cert on the WSA has to be a "certificate signing cert".



CAs generally don't sell signing certs to other companies, or if you're big enough that they do, you're now actually a Certificate Authority.

There are all sorts of rules, regulations and a TON of money involved....
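An added example, not code from this thread or from Cisco: it uses the openssl CLI (1.1.1 or newer assumed) to build a small internal PKI with constructed names, classifies each certificate the way the WSA upload check does (a signing cert carries basicConstraints CA:TRUE and the keyCertSign key usage), and mints one per-site leaf from the subordinate CA the way a decrypting proxy does on the fly.

```shell
set -eu
WORK="$(mktemp -d)"
# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Print "signing" if the cert in $1 is a CA cert (CA:TRUE and keyCertSign), else "server".
classify_cert() {
  if [ "$(openssl x509 -in "$1" -noout -text | grep -c -e 'CA:TRUE' -e 'Certificate Sign')" -eq 2 ]
  then echo signing; else echo server; fi
}

# issue_cert <issuer basename or "self"> <new basename> <CN> <extension section>
issue_cert() {
  if [ "$1" = self ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -sha256 -config "$WORK/req.cnf" \
      -extensions "$4" -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
    return
  fi
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/req.cnf" -extensions "$4" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Constructed names. The sub CA is the kind of cert the WSA accepts; the wildcard is
# the kind a public CA sells; "site" is a leaf the proxy would mint on the fly.
build_demo_pki() {
  issue_cert self root "Example Corp Root CA"    ca_ext
  issue_cert root sub  "Example Corp WSA Sub CA" ca_ext
  issue_cert root wild "*.example.com"           server_ext
  issue_cert sub  site "www.example.org"         server_ext
}

build_demo_pki
for name in root sub wild site; do
  printf '%-5s %s\n' "$name" "$(classify_cert "$WORK/$name.crt")"
done
```

Clients that have the root (or the sub CA) in their trust store validate the minted site leaf; anyone without it, such as the guest users asked about above, sees a certificate error.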