WSA Certificate Private Key

04-04-2017 01:07 PM
Hi,
I want to enable HTTPS proxy in the WSA but management at my employer needs some reassurance.
We know that the WSA has a Private Key Certificate that it uses to sign and re-encrypt the HTTPS traffic it sends back to the
I’ve found that Private Key Certificate in the WSA XML backup file; however, I can't do anything with it because it's password protected. Management wants reassurance that the password for that Private Key is not in any documentation, or in the XML backup, or anywhere public.
Are there any official docs that state this password is known by Cisco (obviously) but never to be given out to customers or regular folks like me?
I have a TAC case open but the engineers don’t believe anything official exists.
Thanks!
Tim
Labels: Web Security
04-04-2017 01:14 PM
I have never seen anything related to that, and you may very well be the first one to ask... but I'm not Cisco...
Honestly, if this is a concern, the right thing to do is go to your internal CA, issue a Subordinate CA cert and install it on the WSA. Then you'll know what the password for the cert key is, and no one else will... Presumably your workstations already trust your CA, so that issue goes away too...

04-04-2017 01:40 PM
Hi Ken,
Thanks for the response. I have a TAC case open but I'm not sure where it's going either so I felt it prudent to ask here too.
It is a concern; management is very security conscious. If there is no 'official doc' then that's OK: I know the Private Key is password protected, and I don't know and can't find the password, so I can convey that to management. However, if there is some official doc, it would be easier.
Thanks!
Tim

04-06-2017 01:22 PM
This is what I've learned from poking around and asking questions.
- I was able to extract the Private/Public Key pair used for decryption from an XML backup.
- I was able to view the Public Key using openssl.
- I was not able to view the Private Key using openssl because it is password protected. I attempted to view it using several dozen common passwords, and all my attempts were unsuccessful.
TAC has informed me that:
- The password for the Private key is never stored in the XML configuration backup.
- The password for the Private key is stored in a protected area of the OS that is not accessible by the WSA administrator or TAC.
- The password for the Private key is random (never the same on different WSAs) and is generated at the time the administrator generates the self-signed certificate.
- In the event that there is hardware failure or VM corruption a new self-signed certificate will need to be generated and propagated to end users as there is no way to move the keys to the new WSA.
Hope this helps.
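The check Tim describes, as an added example that is not part of his post: the certificate and private key are lifted out of an XML backup, the certificate is inspected, the key is classified as encrypted or plaintext from its PEM headers, and a wordlist of common passwords is tried against it with openssl. The backup here is a constructed stand-in (the element names are assumptions, not the real WSA backup format) built around a key encrypted under a random passphrase that the script never reveals to the "auditor" functions.

```shell
#!/bin/sh
# Added example: audit the HTTPS-decryption key material found in a config
# backup. Not Cisco's or the thread's code; the XML layout is constructed.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
TRUE_PASS="$(openssl rand -hex 16)"   # random, as TAC described; not in any wordlist

# Build the constructed backup: a self-signed decryption CA plus its key,
# encrypted under a passphrase the operator does not see.
make_backup() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass pass:"$TRUE_PASS" -out "$WORK/gen.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/gen.key" -passin pass:"$TRUE_PASS" \
    -subj "/CN=Proxy Decryption CA" -days 365 -out "$WORK/gen.crt"
  {
    echo '<?xml version="1.0"?>'
    echo '<config><https_proxy>'
    echo '<root_certificate>'; cat "$WORK/gen.crt"; echo '</root_certificate>'
    echo '<root_key>';         cat "$WORK/gen.key"; echo '</root_key>'
    echo '</https_proxy></config>'
  } > "$WORK/backup.xml"
}

# PEM blocks are self-delimiting, so they can be lifted out of any wrapper.
extract_cert() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"; }
extract_key()  { sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1"; }

# Public half: always readable, as the poster found.
cert_subject() { extract_cert "$1" | openssl x509 -noout -subject; }

# Classify the key from its headers: PKCS#8 encrypted, legacy PEM encrypted
# (Proc-Type/DEK-Info), or plaintext. A plaintext key in a backup is the
# finding that would actually worry management.
key_form() {
  if   grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
  elif grep -q 'Proc-Type: 4,ENCRYPTED' "$1";                  then echo legacy-encrypted
  elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1";        then echo plaintext
  else echo none; fi
}

# Try each candidate passphrase; print the first that unlocks the key and
# return 0, otherwise return 1. openssl pkey exits non-zero on a wrong pass.
try_wordlist() {  # $1 = backup.xml  $2 = wordlist file
  extract_key "$1" > "$WORK/candidate.key"
  while IFS= read -r word; do
    if openssl pkey -in "$WORK/candidate.key" -passin pass:"$word" -noout \
         2>/dev/null </dev/null; then
      echo "$word"; return 0
    fi
  done < "$2"
  return 1
}

main() {
  make_backup
  echo "certificate: $(cert_subject "$WORK/backup.xml")"
  echo "key form:    $(key_form "$WORK/backup.xml")"
  printf '%s\n' password changeme admin cisco ironport > "$WORK/words.txt"
  if hit="$(try_wordlist "$WORK/backup.xml" "$WORK/words.txt")"; then
    echo "WEAK: key unlocked with '$hit'"
  else
    echo "no wordlist entry unlocked the key"
  fi
}
[ "${1:-}" = "run" ] && main
```

A failed wordlist run only shows that the passphrase is not one of the guesses tried; it says nothing about where the real passphrase is stored, which is the part of the question only the vendor can answer.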
