06-13-2016 07:02 AM
I am trying to load a configuration on my WSA appliance and I am receiving this error:
Error - Configuration File was not loaded. Parse Error on element "wga_config" line number 1090 column 15: Error in certificate validation: Signing key has expired.
I have loaded configs in the past and had no problems. Can someone tell me what this msg means?
Thanks
06-13-2016 05:29 PM
It looks like a duplicate of this thread:
https://supportforums.cisco.com/discussion/13044706/wsa-config-load
06-25-2016 09:39 PM
Hi,
I am not able to open the link. I am having the same issue; what was done to resolve it?
Any help highly appreciated.
Cheers
06-25-2016 11:33 PM
The error advises that the signing certificate in the appliance has expired.
You can check the expiry date of the certificate from your HTTPS proxy page (GUI -> Security Services -> HTTPS proxy).
06-26-2016 12:41 AM
Hello Handy,
Thanks for your response.
Basically I am trying to restore the config from a C160 to a C170 box and am stuck at WSA_config.
What needs to be done to bypass this error? The mentioned option (HTTPS proxy) is disabled in the C160 config.
Cheers
Snl
06-26-2016 12:46 AM
Can you confirm whether the appliance is a WSA or an ESA, since C160/C170 is an Email Security Appliance, not a WSA?
Are you able to share the configuration file for me to have a look?
Alternatively, open a TAC case for them to investigate which cert is showing as expired in the config file.
06-26-2016 01:27 AM
Hello Handy,
It's an S160 WSA and we are trying to migrate the XML config to the new S170 RMA box.
Sorry for the confusion.
Thank you
snl
06-26-2016 01:32 AM
I think you are referring to the S160 model for WSA, since anything that has C in front of it is dedicated to the Email Security Appliance (ESA), not WSA.
I would suggest opening a TAC case for the engineer to check which cert in the config file is showing as expired.
You can also search for the cert in the config file:
- Open the config file using an XML editor
- Search for any cert keywords such as: generated_cert or secure_auth_cert or uploaded_cert
- Copy the cert and use SSLshopper to help you decode the cert to see if it's still valid:
https://www.sslshopper.com/certificate-decoder.html
- If it's showing as expired, you can replace it, or delete it if the certs are generated or uploaded certs, or you can use the cert that you have from the replacement unit and paste it into the same section of the configuration file that you need to load.
However, I still recommend contacting TAC for further assistance.
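Added example, not part of the thread and not Cisco tooling: a local Python check for the search-and-decode steps in the post above, which reads the saved config and reports every element holding an expired certificate, so nothing from the file has to be pasted into a web decoder. It goes slightly beyond the post by walking every element rather than only the three keywords; it assumes certificates are stored as PEM text inside XML elements, all function names are hypothetical, and the built-in sample is a constructed DER skeleton rather than a real certificate.

```python
import base64, re, sys, xml.etree.ElementTree as ET
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter time (UTC) of a DER-encoded X.509 certificate."""
    _, p, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                   # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                          # optional [0] version field
        p = end
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                   # validity SEQUENCE
    _, _, p = _tlv(der, p)                   # skip notBefore
    tag, s, e = _tlv(der, p)                 # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    dt = datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return dt.replace(year=dt.year - 100) if tag == 0x17 and dt.year >= 2050 else dt

def expired_certs(config_xml, now=None):
    """Return [(element tag, notAfter)] for each expired PEM certificate in the config."""
    now = now or datetime.now(timezone.utc)
    return [(el.tag, exp) for el in ET.fromstring(config_xml).iter()
            for body in PEM_RE.findall(el.text or "")
            if (exp := not_after(base64.b64decode(body))) < now]

def sample_config(not_after_utc=b"160101000000Z"):
    """Constructed input: DER skeleton with only the fields not_after() walks, not a real cert."""
    t = lambda tag, val: bytes([tag, len(val)]) + val      # short-form TLV encoder
    validity = t(0x30, t(0x17, b"110101000000Z") + t(0x17, not_after_utc))
    tbs = t(0x30, t(0xA0, t(0x02, b"\x02")) + t(0x02, b"\x01") + t(0x30, b"") * 2 + validity)
    pem = base64.encodebytes(t(0x30, tbs)).decode()
    return ("<wga_config><prox_config_secure_auth_cert>-----BEGIN CERTIFICATE-----\n"
            f"{pem}-----END CERTIFICATE-----</prox_config_secure_auth_cert></wga_config>")

if __name__ == "__main__":
    # Pass the saved config file as the first argument; without one, the constructed sample is used.
    xml = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_config()
    for tag, exp in expired_certs(xml):
        print(f"{tag}: expired {exp:%Y-%m-%d}")
```

The element tag in each result shows which section of the config file carries the expired certificate.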
06-26-2016 01:47 AM
Hello Handy,
Thanks for your kind support. Indeed, the cert has expired.
I may need to raise a TAC case now.
Regards
S
06-26-2016 01:51 AM
If you are confident, you can perform the steps below:
- Save the configuration file from the S170
- Go to the same section for that certificate in the S170 configuration file and check if the cert is valid.
- If it's valid, you can copy it (you will need to copy the cert_name, the cert itself and the key)
- Then paste them (in the exact same section of the config file) into the existing configuration file that you want to upload
If not, you can always open a TAC case to get assistance.
06-26-2016 02:05 AM
Strangely, the new S170 box also has the same certificate, which is expired :(
06-26-2016 02:08 AM
That is strange.
You will need a TAC case for them to use their internal WSA appliances that are still valid and edit your configuration file.
06-26-2016 05:24 AM
A TAC case has been raised; it's a bug, CSCuh31504.
07-05-2016 02:32 AM
I got the same problem and opened a TAC case.
The engineer told me to delete everything between those tags:
<prox_config_secure_auth_cert_name></prox_config_secure_auth_cert_name>
<prox_config_secure_auth_cert></prox_config_secure_auth_cert>
<prox_config_secure_auth_key></prox_config_secure_auth_key>
Loading the config into the appliance worked just fine.
08-01-2016 08:49 AM
You are not authorized to access this page. Trying to open
https://supportforums.cisco.com/discussion/13044706/wsa-config-load