11-10-2014 04:19 AM
We have 3 domain controllers with only 1 certificate authority, where users should use it for SSL encryption, but end user devices ignore the CA and use the other public CAs instead.
Also I couldn't enforce the end users through the GPO in the Active Directory to use only the CA certificate!
Or even the IronPort's certificate.
I'm done with the IronPort configuration and made it join the domain. Everything works fine on the IronPort.
I have noticed that the CA server is not active! Can anyone help me please? I'm not sure what to do. I need to make users use either the WSA certificate or the CA certificate. Thanks!
11-10-2014 07:07 AM
First a couple of things to clear up some misperceptions:
Clients don't "use" the CA, YOU use the CA to issue a cert that the clients trust. If your CA is an "Enterprise" CA, your clients will already trust certs it issues.
Depending upon how the WSA is configured, not all transactions use the cert on the WSA. For example, you may not decrypt sites with high reputation, so you'll see the sites own cert in that case.
So first off determine if your CA is an Enterprise CA: open the Certificate Authority MMC; if you see the "Certificate Templates" node, it's an Enterprise CA.
Is it an Enterprise CA?
Did you issue a cert from your CA and put it on your WSA?
11-10-2014 11:59 PM
First, thank you so much for your help :)
And yes, it's an Enterprise CA, and I did issue a certificate from the CA and uploaded it into the WSA with its private key in PEM format.
But even so, the clients still don't trust it! You should get "Verified by your CA" in the browser. I don't get that at all!
What I know is that clients should trust the CA certificate automatically as long as they are joined to the domain.
any ideas ?
11-11-2014 07:02 AM
I just went through this same thing recently by creating a 2048 certificate using OpenSSL and submitting the req to our Enterprise CA, then uploading the cert and the key to the IronPort.
One question I would have is what option did you select under Security Services/HTTPS Proxy, edit settings for HTTPS Proxy settings, under Root Certificate for Signing. Did you select the option "use uploaded certificate and key" or did you use "use generated certificate and key"?
Both allow you to upload a cert, but the second option I think will require you to import the certificate on the client PCs, while the first option will trust the certificate (Chrome or IE, but not on Firefox) as long as it is a domain PC.
I followed the instructions here and found them very helpful:
https://supportforums.cisco.com/discussion/11804801/2048-bit-key-ironport-wsa-https-proxy
11-11-2014 10:12 PM
Thanks for your help.
I went with the option "use uploaded certificate and key".
I used OpenSSL to get the private key from the certificate, converted both to .PEM,
and after that I uploaded them into the WSA.
11-20-2014 12:52 AM
Kindly please follow the link below; you will get a successful certificate import.
Cisco IronPort WSA: Configuring management and HTTPS proxy certificates
11-12-2014 12:54 PM
Not solved though; my main problem is with the Certificate Authority itself, not with the WSA.
Windows machines still don't trust the CA.
05-11-2015 08:54 AM
I have also used OpenSSL to generate my CSR and key; I submitted the CSR to my CA and they issued the signed cert back. I have been unable to load this cert and key into the WSA. It keeps telling me that this is a server certificate, a signing certificate is required. I have been unable to get this to work or use any certificate that I generate. The only certificate and key that it seems to use is the one created by the WSA, which is rather weak on its cipher and options. I require a 2048-bit and SHA2(56) cert at a minimum for my environment. Any help is appreciated.
Thanks
Dominick
05-11-2015 09:29 AM
Buying a server cert from a public CA for a few hundred dollars won't work. You need a cert that can sign other certs. For every HTTPS site you access through the WSA, the WSA generates a cert for the transaction between the client and the WSA. A server cert can't do that...
You're asking your CA to provide you with a cert to sign certs that the rest of the world would trust... (e.g. because you're expecting your workstations to already trust these certs).
Tell me a bit about your 100000 seats? All Windows? Mac? *nix?
If Windows, 1 domain? multiple? Do you have an internal CA?
05-11-2015 09:41 AM
Mostly Windows. Multiple domains. We do not have any internal CAs anymore. We use a public CA and preinstall the necessary certificates on all workstations when they are built. Any updates are done by GPO and they are limited. I am trying to take advantage of the public certificate that has been signed and issued on our behalf from our CA, in this instance Comodo. If we still had the internal PKI servers we could get around the issue, but that does not exist anymore.
04-26-2018 08:13 AM
Hi Ken,
In our case, web traffic managed by WSA covers employees and visitors. For employees, the self-signed certificate works fine and has been applied via GPO, distributing certificates to extensions under MSFT AD. However, visitors are receiving the "invalid certificate" message. Any tip on it?
We've been trying to generate a public SSL certificate using GoDaddy, and no success. However, we're still trying to find a solution so that visitors, using company WebAccess, can access HTTPS pages without receiving disturbing messages.
Any update? Any idea? take care and thanks.
04-26-2018 08:21 AM
Those visitors have to install the "root cert" that you're using.
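The thread turns on two facts: the "Root Certificate for Signing" must be a CA certificate (basicConstraints CA:TRUE with keyCertSign), which is why a public server certificate is rejected with "this is a server certificate, a signing certificate is required", and a client only trusts the per-site certificates the proxy mints if the root of that chain is in its own store, which is why domain PCs are fine and visitors are not. The following Go program, written for this page and not taken from Cisco or the thread, reproduces both checks in memory with the standard library: it builds a hypothetical Enterprise root, issues a subordinate "signing" CA and a plain server certificate from it, mints a per-site certificate the way the proxy does, and then verifies that certificate from the point of view of a domain PC and of a visitor. All names (Corp Enterprise Root CA, WSA Signing CA, wsa.corp.example, www.example.com) are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates an RSA-2048 key, the minimum key size asked for in the thread.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// baseTemplate fills the fields every certificate in this demo shares.
func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// caTemplate models what a CA template on an Enterprise CA issues: CA:TRUE plus keyCertSign.
func caTemplate(cn string, serial int64) *x509.Certificate {
	t := baseTemplate(cn, serial)
	t.IsCA = true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
	return t
}

// serverTemplate models an ordinary TLS server certificate as sold by a public CA: CA:FALSE, no keyCertSign.
func serverTemplate(host string, serial int64) *x509.Certificate {
	t := baseTemplate(host, serial)
	t.DNSNames = []string{host}
	t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

// issue signs template with the parent certificate and key (SHA-256 with RSA by default) and returns the parsed result.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// CanSignCerts is the check a decrypting proxy must apply to its signing certificate:
// only basicConstraints CA:TRUE with a keyUsage permitting keyCertSign can mint per-site certs.
func CanSignCerts(c *x509.Certificate) error {
	if !c.BasicConstraintsValid || !c.IsCA {
		return errors.New("this is a server certificate, a signing certificate is required")
	}
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("keyUsage does not include keyCertSign")
	}
	return nil
}

// ClientTrusts replays what a browser does with the per-site certificate the proxy minted:
// chain it through the signing certificate to a root held in the client's own store.
func ClientTrusts(leaf, signing *x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	inter.AddCert(signing)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records the four situations discussed in the thread.
type Outcome struct {
	SubCAUsable   bool // subordinate CA cert from the Enterprise CA uploaded as the signing cert
	ServerUsable  bool // a plain server cert uploaded as the signing cert
	DomainPCTrust bool // workstation whose store holds the Enterprise root
	VisitorTrust  bool // visitor device with no corporate root installed
}

// Demo builds the hypothetical PKI and evaluates every case.
func Demo() Outcome {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey() // leafKey is reused for both end-entity certs
	root := caTemplate("Corp Enterprise Root CA", 1)
	rootCert := issue(root, root, &rootKey.PublicKey, rootKey)
	subCert := issue(caTemplate("WSA Signing CA", 2), rootCert, &subKey.PublicKey, rootKey)
	srvCert := issue(serverTemplate("wsa.corp.example", 3), rootCert, &leafKey.PublicKey, rootKey)
	// The proxy mints a certificate for the intercepted site, signed by the subordinate CA.
	leaf := issue(serverTemplate("www.example.com", 4), subCert, &leafKey.PublicKey, subKey)

	domainRoots := x509.NewCertPool()
	domainRoots.AddCert(rootCert)
	visitorRoots := x509.NewCertPool() // empty: the visitor never installed the root

	return Outcome{
		SubCAUsable:   CanSignCerts(subCert) == nil,
		ServerUsable:  CanSignCerts(srvCert) == nil,
		DomainPCTrust: ClientTrusts(leaf, subCert, domainRoots, "www.example.com") == nil,
		VisitorTrust:  ClientTrusts(leaf, subCert, visitorRoots, "www.example.com") == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run .`; the expected result is SubCAUsable and DomainPCTrust true, ServerUsable and VisitorTrust false. The same two properties can be read off a real certificate with `openssl x509 -in cert.pem -noout -text`: look for "CA:TRUE" under X509v3 Basic Constraints and "Certificate Sign" under X509v3 Key Usage before uploading it as the signing certificate.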
11-16-2014 11:34 PM
Thank you guys, my main problem has been solved with the CA.
It turned out that the CA doesn't work well and needs to be activated.
Thank you so much