Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1468
Views
0
Helpful
5
Replies

Wildcard Certificate Issue for WSA HTTPS Decryption

Go to solution
hashimwajid1
Level 3
Level 3

‎05-22-2019 08:53 AM - edited ‎05-22-2019 08:55 AM

Hi 

 

we want to configure HTTPS Decryption policy on WSA C190 and we purchased wildcard certificate for WSA however when we tried to upload the certificate it gives bellow error  

 

Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required.

 

this wildcard certificate is signed from Degicert for our entire domain. kinldy help support me ti figure out which certificate should we use and from where it should be signed from ? 

 

1- do we need a sparate wildcard certificate from digicert ?

2- what kind of certificate we should use and from where we can get it ?

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎05-22-2019 09:18 AM

You can't buy what you need from digicert

You need a SIGNING cert, e.g. a cert that other certificates can be derived from.



Either use the cert that came with the WSA or generate one using a CA, and deploy it to your workstations.

https://community.cisco.com/t5/web-security/wsa-https-proxy/m-p/3407341/highlight/true#M7849




View solution in original post

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to hashimwajid1

‎05-22-2019 11:39 AM

The way the WSA works, it creates a new cert for each site you visit on the fly. Its acting like a Certificate Authority.

So the cert on the WSA has to be a "Certificate signing cert".



CA's generally don't sell signing certs to other companies, or if you're big enough that they do, you're now actually a Certificate Authority.

There are all sorts of rules, regulations and a TON of money involved....






View solution in original post

0 Helpful
5 Replies 5

Go to solution
Ken Stieers
VIP
VIP

‎05-22-2019 09:18 AM

You can't buy what you need from digicert

You need a SIGNING cert, e.g. a cert that other certificates can be derived from.



Either use the cert that came with the WSA or generate one using a CA, and deploy it to your workstations.

https://community.cisco.com/t5/web-security/wsa-https-proxy/m-p/3407341/highlight/true#M7849




0 Helpful

Go to solution
hashimwajid1
Level 3
Level 3
In response to Ken Stieers

‎05-22-2019 10:13 AM

hi Ken,

 

thanks for the comment 

 

its mean either we can use self signed certificate from WSA and send it to users via Group Policy 

or 

we need to use internal CA and Subordinate Certificate for WSA 

 

there would be limitation for Guest Users who are not part of our Domain and will see the certificate error from WSA ?

is there any way that our Guest User can also validate WSA certificate without getting error ?

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to hashimwajid1

‎05-22-2019 10:22 AM

Regrettably, no, notnwithout them loading the cert...
0 Helpful

Go to solution
hashimwajid1
Level 3
Level 3
In response to Ken Stieers

‎05-22-2019 10:35 AM

just for curiosity/knowledge 

 

why we cannot use public signed certificate for WSA ? what is the reason for this that we are bound to use only internal CA subordinate certificate or WSA Self signed certificate ?

 

Thanks

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to hashimwajid1

‎05-22-2019 11:39 AM

The way the WSA works, it creates a new cert for each site you visit on the fly. Its acting like a Certificate Authority.

So the cert on the WSA has to be a "Certificate signing cert".



CA's generally don't sell signing certs to other companies, or if you're big enough that they do, you're now actually a Certificate Authority.

There are all sorts of rules, regulations and a TON of money involved....






0 Helpful
Customers Also Viewed These Support Documents
Top