
WSA & CA Certificate Issue

Aimen Essayed
Level 1

We have 3 domain controllers with only 1 certificate authority, which users should use for SSL encryption, but end-user devices ignore the CA and use the other public CAs instead.

 

Also, I couldn't enforce, through GPO in Active Directory, that end users use only the CA certificate!

Or even the Ironport's certificate.

I'm done with the Ironport configuration and have joined it to the domain. Everything works fine on the Ironport.

I have noticed that the CA server is not active! Can anyone help me please? I'm not sure what to do. I need to make users use either the WSA certificate or the CA certificate. Thanks!

12 Replies

First a couple of things to clear up some misperceptions:

Clients don't "use" the CA, YOU use the CA to issue a cert that the clients trust. If your CA is an "Enterprise" CA, your clients will already trust certs it issues.

Depending upon how the WSA is configured, not all transactions use the cert on the WSA. For example, you may not decrypt sites with high reputation, so you'll see the site's own cert in that case.

 

So first off, determine if your CA is an Enterprise CA: open the Certification Authority MMC; if you see the "Certificate Templates" node, it's an Enterprise CA.

Is it an Enterprise CA?

Did you issue a cert from your CA and put it on your WSA?

 

 

 

 

First, thank you so much for your help :)

And yes, it's an Enterprise CA, and I did issue a certificate from the CA and uploaded it into the WSA with its private key in PEM format.

But even so, the clients still don't trust it! You should get "Verified by your CA" up in the browser. I don't get that at all!

What I know is that clients should trust the CA certificate automatically as long as they are joined to the domain.

Any ideas?

 

I just went through this same thing recently by creating a 2048-bit certificate using OpenSSL and submitting the request to our Enterprise CA, then uploading the cert and the key to the Ironport.

 

One question I would have is what option did you select under Security Services / HTTPS Proxy, Edit Settings, under Root Certificate for Signing. Did you select the option "Use uploaded certificate and key" or "Use generated certificate and key"?

 

Both allow you to upload a cert, but the second option, I think, will require you to import the certificate on the client PCs, while the first option will trust the certificate (in Chrome or IE, but not in Firefox) as long as it is a domain PC.

 

I followed the instructions here and found them very helpful:

https://supportforums.cisco.com/discussion/11804801/2048-bit-key-ironport-wsa-https-proxy

 

Thanks for your help.

I went with the option "Use uploaded certificate and key".

I used OpenSSL to get the private key from the certificate, converted both to .PEM, and after that I uploaded them into the WSA.

 

 

 

Kindly follow the link below; it will get you a successful certificate import.

 

Cisco IronPort WSA: Configuring management and HTTPS proxy certificates 

Not solved though; my main problem is with the Certificate Authority itself, not with the WSA.

Windows machines still don't trust the CA.
 

I have also used OpenSSL to generate my CSR and key. I submitted the CSR to my CA and they issued the signed cert back. I have been unable to load this cert and key into the WSA. It keeps telling me that this is a server certificate and a signing certificate is required. I have been unable to get this to work or use any certificate that I generate. The only certificate and key that it seems to use is the one created by the WSA, which is rather weak in its cipher and options. I require a 2048-bit and SHA2(56) cert at a minimum for my environment. Any help is appreciated.

 

Thanks

Dominick

Buying a server cert from a public CA for a few hundred dollars won't work. You need a cert that can sign other certs. For every HTTPS site you access through the WSA, the WSA generates a cert for the transaction between the client and the WSA. A server cert can't do that...

You're asking your CA to provide you with a cert to sign certs that the rest of the world would trust... (e.g. because you're expecting your workstations to already trust these certs).

Tell me a bit about your 100000 seats? All Windows? Mac? *nix?

If Windows, 1 domain? multiple?  Do you have an internal CA?
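The distinction drawn in the reply above (a server cert cannot sign the per-site certs the WSA mints, which is why Dominick's upload was refused with "a signing certificate is required") comes down to two X.509 extensions: basicConstraints CA:TRUE and keyUsage keyCertSign. The shell script below is an added example, not code from this thread or from Cisco. It stands up a throwaway root CA with OpenSSL as a substitute for the AD CS Enterprise CA (in real use the CSR is submitted to the Enterprise CA, e.g. against the Subordinate Certification Authority template), issues the same 2048-bit CSR once with the signing extensions and once as an ordinary server cert, and then checks which of the two the WSA could accept. It also runs `openssl verify` against the root, which is the same trust decision a domain-joined Windows client makes once the root is in its trusted store. All names (Example Root CA, wsa.example.test) and files are made up.

```shell
#!/bin/sh
# Added example: tell a signing (CA) certificate from a server certificate
# the way the WSA does, and show the extensions a CSR for HTTPS decryption
# needs. Everything here is constructed; the "root CA" is a stand-in for
# the Enterprise CA in the thread.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for a subordinate signing cert: this is what an Enterprise CA
# emits from its "Subordinate Certification Authority" template.
cat > signing.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
EOF

# Extensions for an ordinary web-server cert (what a public CA sells you).
cat > server.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Throwaway self-signed root (assumed name; stands in for AD CS).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# 2048-bit key and CSR for the WSA, as the posters did with OpenSSL.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=wsa.example.test" -keyout wsa.key -out wsa.csr >/dev/null 2>&1

# Sign the same CSR twice: once as a signing cert, once as a server cert.
openssl x509 -req -sha256 -days 30 -in wsa.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile signing.ext -out wsa-signing.pem >/dev/null 2>&1
openssl x509 -req -sha256 -days 30 -in wsa.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile server.ext -out wsa-server.pem >/dev/null 2>&1

# "yes" if the cert may issue other certs (CA:TRUE and keyCertSign), else "no".
is_signing_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  if printf '%s\n' "$text" | grep -q 'CA:TRUE' \
     && printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

# RSA modulus size in bits, e.g. 2048 (the thread's minimum).
key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm of the cert, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# "yes" if the cert chains to root.pem: the same decision a client makes
# when the Enterprise root sits in its trusted store.
chain_ok() {
  openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo yes || echo no
}

echo "signing cert usable by WSA: $(is_signing_cert wsa-signing.pem)"  # yes
echo "server cert usable by WSA:  $(is_signing_cert wsa-server.pem)"   # no
echo "key bits: $(key_bits wsa-signing.pem), sig: $(sig_alg wsa-signing.pem)"
echo "chains to root: $(chain_ok wsa-signing.pem)"                     # yes
```

Note that the last check only passes because root.pem is handed to `openssl verify` explicitly; a client that lacks the root in its trust store (the visitors later in this thread, or a Firefox that uses its own store) fails the same chain build and shows the invalid-certificate warning.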

 

Mostly Windows. Multiple domains. We do not have any internal CAs anymore. We use a public CA and preinstall the necessary certificates on all workstations when they are built. Any updates are done by GPO and they are limited. I am trying to take advantage of the public certificate that has been signed and issued on our behalf by our CA; in this instance it is Comodo. If we still had the internal PKI servers we could get around the issue, but that does not exist anymore.

Hi Ken,

 

In our case, web traffic managed by the WSA covers employees and visitors. For employees, the self-signed certificate works fine and has been applied via GPO, distributing certificates to endpoints under MSFT AD. However, visitors are receiving the "invalid certificate" message. Any tip on it?

 

We've been trying to generate a public SSL certificate using GoDaddy, with no success. However, we're still trying to find a solution so that visitors using the company web access can access HTTPS pages without receiving disturbing messages.

Any update? Any idea? Take care and thanks.

Those visitors have to install the "root cert" that you're using.

Aimen Essayed
Level 1

Thank you guys, my main problem has been solved with the CA.

It turned out that the CA doesn't work well and needs to be activated.

 

Thank you so much
