Wildcard Certificate Issue for WSA HTTPS Decryption

hashimwajid1
Level 3

Hi,

We want to configure an HTTPS Decryption policy on the WSA C190, and we purchased a wildcard certificate for the WSA. However, when we try to upload the certificate, it gives the error below:

Certificate upload failed. The certificate file appears to be a server certificate. A signing certificate is required.

This wildcard certificate is signed by DigiCert for our entire domain. Kindly help me figure out which certificate we should use and who should sign it.

1- Do we need a separate wildcard certificate from DigiCert?

2- What kind of certificate should we use, and where can we get it?


5 Replies

You can't buy what you need from DigiCert.

You need a SIGNING cert, i.e. a cert that other certificates can be derived from.



Either use the cert that came with the WSA or generate one using a CA, and deploy it to your workstations.

https://community.cisco.com/t5/web-security/wsa-https-proxy/m-p/3407341/highlight/true#M7849




Hi Ken,

Thanks for the comment.

Does this mean we can either use the self-signed certificate from the WSA and send it to users via Group Policy,

or

use an internal CA and a subordinate certificate for the WSA?

Would there be a limitation for guest users who are not part of our domain, in that they will see a certificate error from the WSA?

Is there any way our guest users can also validate the WSA certificate without getting an error?

Regrettably, no, not without them loading the cert...

Just for curiosity/knowledge:

Why can we not use a publicly signed certificate for the WSA? What is the reason we are bound to use only an internal CA subordinate certificate or a WSA self-signed certificate?

Thanks

The way the WSA works, it creates a new cert for each site you visit on the fly. It's acting like a Certificate Authority.

So the cert on the WSA has to be a "certificate signing cert".

CAs generally don't sell signing certs to other companies, or if you're big enough that they do, you're now actually a Certificate Authority.

There are all sorts of rules, regulations and a TON of money involved....
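The distinction behind the upload error and Ken's answer can be checked before uploading anything: a decryption proxy needs a certificate whose Basic Constraints say CA:TRUE and whose Key Usage includes Certificate Sign, which a server certificate from a public CA never carries. The script below is an added example, not from this thread or from Cisco; it needs openssl, and the CA name, the *.example.test wildcard and the temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: tell a signing (CA) certificate apart
# from a server certificate, which is the check the WSA applies on upload.
# The names below (example.test, the temp dir) are constructed for the demo.

# Print "signing" if the PEM cert can issue other certs (basicConstraints
# CA:TRUE plus keyUsage Certificate Sign), otherwise "server"; exit 1 for server.
is_signing_cert() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  if printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
     printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo signing; return 0
  fi
  echo server; return 1
}

# Build two constructed certificates in $1: an internal root CA (what the
# WSA needs) and a wildcard server cert issued by it (what a public CA sells).
make_samples() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/demo.cnf" \
    -extensions v3_ca -subj "/CN=Example Internal Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -subj "/CN=*.example.test" -keyout "$1/wild.key" -out "$1/wild.csr" 2>/dev/null
  openssl x509 -req -in "$1/wild.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/demo.cnf" -extensions v3_leaf \
    -out "$1/wild.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in ca.pem wild.pem; do
  printf '%s: %s\n' "$f" "$(is_signing_cert "$demo_dir/$f")"
done
```

Run `is_signing_cert` against the file you intend to upload; a result of "server" is exactly what the WSA rejects, and the fix is a CA certificate (the WSA's own or one issued by your internal CA) that your clients trust.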