
WSA config load

cmazur
Level 1

I am trying to load a configuration on my WSA appliance and I am receiving this error:

Error   -    Configuration File was not loaded. Parse Error on element "wga_config" line number 1090 column 15: Error in certificate validation: Signing key has expired.

I have loaded configs in the past and had no problems. Can someone tell me what this msg means?

thanks

14 Replies

Tao Yang
Cisco Employee

It looks like a duplicate thread of

https://supportforums.cisco.com/discussion/13044706/wsa-config-load

Hi,

Not able to open the link. I am having the same issue; what was done to resolve it?

Any help highly appreciated.

Cheers

The error advises that the signing certificate in the appliance has expired.

You can check the expiry date of the certificate from your HTTPS proxy page (GUI -> Security Services -> HTTPS proxy)

Hello Handy

Thanks for your response

Basically I am trying to restore the config from a c160 to a c170 box and am stuck in WSA_config.

What needs to be done to bypass this error? The mentioned option (https-proxy) is disabled in the c160 config.

cheers

Snl

Can you confirm whether the appliance is a WSA or an ESA, since C160/C170 is an Email Security Appliance, not a WSA?

Are you able to share the configuration file for me to have a look?

Alternatively, open a TAC case for them to investigate which cert is showing as expired in the config file.

Hello Handy

It's an S160 WSA and we are trying to migrate the XML config to the new S170 RMA box.

Sorry for the confusion.

Thank you

snl

I think you are referring to the S160 model for WSA, since anything that has C in front of it is dedicated to the Email Security Appliance (ESA), not WSA.

I would suggest opening a TAC case for the engineer to check which cert in the config file is showing as expired.

You can also search for the cert in the config file:

- Open the config file using an XML editor

- Search for any cert keywords such as: generated_cert or secure_auth_cert or uploaded_cert

- Copy the cert and use SSLShopper to help you decode the cert to see if it's still valid:

https://www.sslshopper.com/certificate-decoder.html

- If it's showing as expired, you can replace it or delete it if the certs are generated certs or uploaded certs, or you can use the cert that you have from the replacement unit and paste it into the same section of the configuration file that you need to load.

However, I still recommend contacting TAC for further assistance.
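
The certificate search described in the reply above can also be run locally, so the config file's contents stay on the admin machine. This Python script is an added example, not part of the thread or of Cisco's tooling; it assumes certificates are stored as PEM text inside XML elements, and the sample config with its unsigned DER skeleton is constructed from the dates quoted in this thread.

```python
import base64, re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(b64_body):
    """Return notAfter (UTC) of a certificate given its base64 PEM body."""
    der = base64.b64decode("".join(b64_body.split()))
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    pos, fields = 0, []
    while len(fields) < 4:  # serial, signature alg, issuer, validity
        tag, body, pos = _tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(body)
    _, _, nxt = _tlv(fields[3], 0)  # step over notBefore
    tag, when, _ = _tlv(fields[3], nxt)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # 0x17 = UTCTime
    return datetime.strptime(when.decode(), fmt).replace(tzinfo=timezone.utc)

def expired_certs(xml_text, now=None):
    """(tag, notAfter) per expired cert; assumes PEM text inside elements."""
    now = now or datetime.now(timezone.utc)
    found = [(el.tag, not_after(m.group(1)))
             for el in ET.fromstring(xml_text).iter()
             for m in PEM_RE.finditer(el.text or "")]
    return [(tag, end) for tag, end in found if end < now]

# Constructed sample: an unsigned DER skeleton (not a real certificate) with
# the validity dates quoted in the thread, inside one of the config elements.
def _seq(*parts):
    return bytes([0x30, sum(map(len, parts))]) + b"".join(parts)

_validity = _seq(b"\x17\x0d060501000000Z", b"\x17\x0d160501000000Z")
_der = _seq(_seq(b"\x02\x01\x01", _seq(), _seq(), _validity))
SAMPLE = ("<wga_config><prox_config_secure_auth_cert>-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(_der).decode()
          + "\n-----END CERTIFICATE-----</prox_config_secure_auth_cert></wga_config>")

if __name__ == "__main__":
    print(expired_certs(SAMPLE))
```

Pass the text of a saved configuration file to `expired_certs`; the element tags it returns name the sections holding expired certificates.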

Hello Handy

Thanks for your kind support; indeed the cert expired.

Certificate Information:
Common Name: IronPort Appliance Demo Certificate
Organization: IronPort Systems, Inc.
Locality: San Bruno
State: California
Country: US
Valid From: May 1, 2006
Valid To: May 1, 2016
Issuer: IronPort Appliance Demo Certificate, IronPort Systems, Inc.
Serial Number: 1 (0x1)

I may need to raise a TAC case now.

Regards

S

If you are confident, you can perform the steps below:

- Save the configuration file from the S170

- Go to the same section for that certificate in the S170 configuration file and check if the cert is valid.

- If it's valid, you can copy them (you will need to copy from the cert_name, the cert itself and the key)

- Then paste them (in the exact section in the config file) into the existing configuration file that you want to upload

If not, you can always open a TAC case to get assistance.

Strangely, the new S170 box also has the same certificate, which is expired :(

That is strange.

You will need a TAC case for them to use their internal WSA appliances that are still valid and edit your configuration file.

A TAC case has been raised; it's a bug, CSCuh31504.

I got the same problem and opened a TAC case.

The engineer told me to delete everything between those tags:
<prox_config_secure_auth_cert_name></prox_config_secure_auth_cert_name>
<prox_config_secure_auth_cert></prox_config_secure_auth_cert>
<prox_config_secure_auth_key></prox_config_secure_auth_key>

Loading the config into the appliance worked just fine.

You are not authorized to access this page. Trying to open 

https://supportforums.cisco.com/discussion/13044706/wsa-config-load