Beginner

WSA config load

I am trying to load a configuration on my WSA appliance and I am receiving this error:

Error   -    Configuration File was not loaded. Parse Error on element "wga_config" line number 1090 column 15: Error in certificate validation: Signing key has expired.

I have loaded configs in the past and had no problems. Can someone tell me what this msg means?

thanks

14 REPLIES
Cisco Employee

It looks like a duplicated thread of

https://supportforums.cisco.com/discussion/13044706/wsa-config-load

Beginner

Hi,

Not able to open the link. I am having the same issue; what was done to resolve it?

Any help highly appreciated.

Cheers

Cisco Employee

The error advises that the signing certificate in the appliance has expired.

You can check the expiry date of the certificate from your HTTPS proxy page (GUI -> Security Services -> HTTPS proxy)

Beginner

Hello Handy

Thanks for your response

Basically I am trying to restore the config from a c160 to a c170 box and am stuck in WSA_config.

What needs to be done to bypass this error? The mentioned option (https-proxy) is disabled in the c160 config.

cheers

Snl

Cisco Employee

Can you confirm whether the appliance is a WSA or an ESA, since C160/C170 is an Email Security Appliance, not a WSA?

Are you able to share the configuration file for me to have a look?

Alternatively, open a TAC case for them to investigate which cert is showing as expired in the config file.

Beginner

Hello Handy

It's an S160 WSA and we are trying to migrate the XML config to the new S170 RMA box.

Sorry for the confusion.

Thank you

snl

Cisco Employee

I think you are referring to the S160 model for WSA, since anything that has C in front of it is dedicated to the Email Security Appliance (ESA), not WSA.

I would suggest opening a TAC case for the engineer to check which cert in the config file is showing as expired.

You can also search the cert from the config file:

- Open the config file using an XML editor

- Search for any cert keywords such as: generated_cert or secure_auth_cert or uploaded_cert

- Copy the cert and use SSLshopper to help you decode the cert to see if it's still valid:

https://www.sslshopper.com/certificate-decoder.html

- If it's showing expired, you can replace it or delete it if the certs are generated cert or uploaded cert, or you can use the cert that you have from the replacement unit and paste it into the same section of the configuration file that you need to load.

However, I still recommend contacting TAC for further assistance.

Beginner

Hello Handy

Thanks for your kind support, indeed the cert expired.

Certificate Information:
Common Name: IronPort Appliance Demo Certificate
Organization: IronPort Systems, Inc.
Locality: San Bruno
State: California
Country: US
Valid From: May 1, 2006
Valid To: May 1, 2016
Issuer: IronPort Appliance Demo Certificate, IronPort Systems, Inc.
Serial Number: 1 (0x1)

I may need to raise TAC now.

Regards

S

Cisco Employee

If you are confident, you can perform the steps below:

- Save the configuration file from the S170

- Go to the same section for that certificate in the S170 configuration file and check if the cert is valid.

- If it's valid, you can copy them (you will need to copy from the cert_name, the cert itself and the key)

- Then paste them (in the exact section in the config file) into the existing configuration file that you want to upload

If not, you can always open a TAC case to get assistance.

Beginner

Strangely, the new S170 box also has the same certificate, which is expired :(

Cisco Employee

That is strange.

You will need a TAC case for them to use their internal WSA appliances that are still valid and edit your configuration file.

Beginner

TAC has been raised, it's a bug CSCuh31504

Beginner

I got the same problem and opened a TAC case.


The engineer told me to delete everything between those tags:
<prox_config_secure_auth_cert_name></prox_config_secure_auth_cert_name>
<prox_config_secure_auth_cert></prox_config_secure_auth_cert>
<prox_config_secure_auth_key></prox_config_secure_auth_key>

Loading the config into the appliance worked just fine.
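
The edit described in the post above, as an added example (not code from the thread or from Cisco): it empties the three named elements in a saved config and leaves every other byte untouched. The sample config is constructed, and its layout around those elements is an assumption.

```python
import re
import sys

# Element names exactly as quoted in the post above.
TAGS = (
    "prox_config_secure_auth_cert_name",
    "prox_config_secure_auth_cert",
    "prox_config_secure_auth_key",
)

# Constructed sample, not a real appliance export; the layout around the
# three elements is an assumption.
SAMPLE = """<wga_config>
  <prox_config_secure_auth_cert_name>Demo</prox_config_secure_auth_cert_name>
  <prox_config_secure_auth_cert>-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----</prox_config_secure_auth_cert>
  <prox_config_secure_auth_key>-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER
-----END RSA PRIVATE KEY-----</prox_config_secure_auth_key>
  <other_setting>keep</other_setting>
</wga_config>
"""


def blank_secure_auth_cert(text):
    """Empty the three elements; return (new_text, {tag: chars_removed})."""
    removed = {}
    for tag in TAGS:
        # "<tag>" ends in ">", so ..._cert cannot match ..._cert_name.
        pattern = re.compile("(<%s>)(.*?)(</%s>)" % (tag, tag), re.DOTALL)
        found = pattern.findall(text)
        if len(found) != 1:  # missing or repeated element: refuse to guess
            raise ValueError("<%s>: expected 1 element, found %d" % (tag, len(found)))
        removed[tag] = len(found[0][1])
        text = pattern.sub(lambda m: m.group(1) + m.group(3), text)
    return text, removed


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no file given: show the result on the sample
        print(blank_secure_auth_cert(SAMPLE)[0])
    else:
        # Text edit, not XML re-serialisation; latin-1 round-trips any byte.
        with open(sys.argv[1], encoding="latin-1", newline="") as fh:
            new_text, removed = blank_secure_auth_cert(fh.read())
        with open(sys.argv[1] + ".edited", "w", encoding="latin-1", newline="") as fh:
            fh.write(new_text)
        print(removed)
```

Given a file path as argument, it writes the result next to the original with an `.edited` suffix and prints how many characters were removed from each element.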

You are not authorized to access this page. Trying to open 

https://supportforums.cisco.com/discussion/13044706/wsa-config-load