Beginner

WSA Issue: Error - Certificate signature verification failed.

Hi Guys

 

I am getting the following error while uploading a signed certificate to the WSA for the HTTPS proxy:

Error - Certificate signature verification failed. For the certificate 'XXXdomain.com

WSA S190
AsyncOS 11.7.0-407

Is there any solution for this issue?

2 ACCEPTED SOLUTIONS
Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

A server cert from GoDaddy WILL NOT WORK for this, wildcard or not.

You can still load the GoDaddy root certs, which should have come with this cert, into your WSA...

You'll then get the same "can't use a server cert" error...

The WSA generates a "spoofed" cert for each website you visit, so the cert it uses has to be a signing cert. Public CAs won't sell you a signing cert for websites...

Cisco Employee

Re: WSA Issue: Error - Certificate signature verification failed.

Hi,

Please see the article below on what certificate the WSA needs for HTTPS:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117792-technote-wsa-00.html

You can also check whether the certificate is a server certificate or a root certificate using the openssl command:

To identify whether the certificate is a Root certificate / Certificate Authority (CA) certificate, you can use the openssl command to check the certificate file.

The openssl command to check this:

openssl x509 -text -in <certificate file>

Below is an example of the output from the openssl command for a Root certificate (CA):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, O=cisco, OU=cisco, CN=cisco
        Validity
            Not Before: Jun 18 03:29:30 2015 GMT
            Not After : Jun 18 03:29:30 2016 GMT
        Subject: C=AU, O=cisco, OU=cisco, CN=cisco
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Authority Key Identifier:
                keyid:xx:xx:xx:xx:xx:xx:xx:xx
                DirName:/C=AU/O=cisco/OU=cisco/CN=cisco
                serial:xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

 

From the above output, to identify that the certificate is a Root certificate, look for "Basic Constraints" and make sure it shows CA:TRUE for a Root certificate.

Below is an example of the output from the openssl command for a Server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
        Validity
            Not Before: Mar 16 23:58:17 2012 GMT
            Not After : Mar 17 23:58:17 2022 GMT
        Subject: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=California/L=San Bruno/O=Cisco IronPort Systems, Inc./CN=Cisco IronPort Appliance Demo Certificate
                serial:xx:xx:xx:xx:xx:xx:xx:xx
    Signature Algorithm: sha1WithRSAEncryption
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
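The two accepted answers make one point between them: the certificate the WSA uses for HTTPS decryption has to be able to sign other certificates (Basic Constraints CA:TRUE), which is exactly what a public CA will not issue for a web server, and `openssl x509 -text` is how you tell the two kinds apart. The script below is an added example, not code from this thread or from Cisco. It builds the whole picture offline with openssl: a made-up private root CA ("Example Corp") issues a subordinate signing certificate for the appliance's CSR, a made-up "public" root issues only a server certificate for the same kind of CSR, each result is then used to mint a per-site certificate for www.example.com the way the WSA does, and `openssl verify` plays the part of the client browser. All subjects, hostnames and file names are invented for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Cisco.
# Reproduces what the WSA does for HTTPS decryption (mint a "spoofed" leaf
# certificate per site, signed with the certificate you uploaded) and shows
# why a public-CA server certificate fails while a private-CA signing
# certificate works. Needs openssl 1.1.1+ on PATH. Every subject, hostname
# and file name below is made up for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
# ca_ext / sub_ca_ext are what a real signing cert carries; server_ext is
# what a public CA such as GoDaddy issues for a CSR (CA:FALSE, and a
# keyUsage without keyCertSign).
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

# Self-signed root CA with CA:TRUE. $1 = file prefix, $2 = subject.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config req.cnf -extensions ca_ext -subj "$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Key pair plus CSR, the equivalent of generating the CSR on the WSA.
# $1 = file prefix, $2 = subject.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign $2.csr with CA $1, applying extension section $4 from file $3.
sign() {
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$3" -extensions "$4" -out "$2.pem" 2>/dev/null
}

# What the WSA does per decrypted site: mint a leaf for hostname $2, signed
# by the uploaded cert/key pair $1, into $3.pem. openssl signs with whatever
# key it is handed; whether the result is trusted is decided by the client.
spoof() {
  make_csr "$3" "/CN=$2"
  cat > "$3.ext" <<EOF
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
authorityKeyIdentifier = keyid, issuer
EOF
  sign "$1" "$3" "$3.ext" leaf
}

# The check from the Cisco article, done by script: a usable HTTPS-proxy
# certificate must carry Basic Constraints CA:TRUE and keyUsage keyCertSign.
is_signing_cert() {
  openssl x509 -noout -text -in "$1" > "$1.txt"
  grep -q 'CA:TRUE' "$1.txt" && grep -q 'Certificate Sign' "$1.txt"
}

# What the browser does: chain leaf $3 -> uploaded cert $2 -> trusted root $1
# and match hostname $4 against the leaf's subjectAltName.
chain_ok() {
  openssl verify -CAfile "$1.pem" -untrusted "$2.pem" \
    -verify_hostname "$4" "$3.pem"
}

# Scenario A: a private CA you run signs the WSA's CSR as a subordinate CA.
make_root corp-root "/O=Example Corp/CN=Example Corp Private Root CA"
make_csr  wsa-decrypt "/O=Example Corp/CN=wsa.corp.example"
sign corp-root wsa-decrypt req.cnf sub_ca_ext
spoof wsa-decrypt www.example.com site-a

# Scenario B: a public CA signs the same kind of CSR, but as a server cert.
make_root public-root "/O=Public CA Inc/CN=Public CA Root"
make_csr  wsa-server "/O=Example Corp/CN=wsa.corp.example"
sign public-root wsa-server req.cnf server_ext
spoof wsa-server www.example.com site-b

for c in wsa-decrypt wsa-server; do
  if is_signing_cert "$c.pem"; then
    echo "$c.pem: signing certificate (CA:TRUE, keyCertSign), WSA can use it"
  else
    echo "$c.pem: server certificate, WSA will reject it"
  fi
done
if chain_ok corp-root wsa-decrypt site-a www.example.com >/dev/null 2>&1; then
  echo "A: client trusting corp-root accepts the spoofed www.example.com cert"
fi
if ! chain_ok public-root wsa-server site-b www.example.com >/dev/null 2>&1; then
  echo "B: client trusting public-root rejects it: wsa-server may not issue certs"
fi
echo "Working files left in $WORK"
```

Scenario B fails even though the public root is trusted: the client rejects the chain because the appliance certificate is not allowed to issue, so loading GoDaddy's roots into the WSA, as Ken notes, does not help. The temporary directory is left in place so you can inspect each file with `openssl x509 -text`; `wsa-decrypt.pem` and `wsa-server.pem` correspond to the two outputs shown in the article.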

12 REPLIES
Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

What kind of cert is it? Where did you get it?


Beginner

Re: WSA Issue: Error - Certificate signature verification failed.

Hi Ken,

I generated a self-signed certificate on the WSA, then downloaded the CSR and sent it to the CA. They signed it and sent it back, but when I tried to upload it back to the WSA it gave this error.
Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

So if you sent it to a public CA, this won't work... they are going to sell you a server cert, not a signing cert.

If you used a private CA (e.g. you run it), you just need to load the intermediate and root cert as well.
Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

Just a clarification: 

If you did this from your own CA, you just have to load your root onto the device under Network/Certificate Management, click the button near the bottom "Manage Trusted Root Certificates…" and import yours into the "Custom Trusted Root Certificates" list.

Beginner

Re: WSA Issue: Error - Certificate signature verification failed.

Hi Ken,

It's the public CA GoDaddy.
Last time, when we used a wildcard certificate, the WSA gave an error that we were using a server certificate, so it did not accept it. This time we generated the CSR from the WSA and got it signed by the public CA. This time it is not giving the server certificate error but a very different error instead.

Is there any way I can find out whether the certificate we received is a server certificate and not a root certificate?

When we used the wildcard, the WSA told us we were using a server certificate, but this time the error is different.


Beginner

Re: WSA Issue: Error - Certificate signature verification failed.

Hi Handy,

We don't have any internal root CA, and we want HTTPS decryption for all domain and guest users.

I know that by using Group Policy we can push the WSA self-signed certificate to domain users, but we cannot do it for guest users.

Is there any way we can achieve HTTPS decryption via the WSA for guest users / non-domain users? Any solution for it?
Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

Not one that anyone likes...



I sat down at Cisco Live last week with a Technical Marketing Engineer, a product manager, and a development manager, and this topic came up.

You have to make the root cert available to be downloaded somehow... I pitched making it available via the WSA, sort of like PAC hosting, with a link in an End User Notification or Acknowledgement message.



Ken


Beginner

Re: WSA Issue: Error - Certificate signature verification failed.

Hi Ken,

These are good suggestions. Do you think I should open a TAC case with Cisco for this?
It's a customer requirement and we have to fulfil it.

Beginner

Re: WSA Issue: Error - Certificate signature verification failed.

Hi Ken,

Is there any way we can do this for guests, similar to a PAC file via DHCP/GP?

So guests would download it automatically when they connect, or their browser would download it automatically before proceeding.

Collaborator

Re: WSA Issue: Error - Certificate signature verification failed.

At the moment, I don't think there is a way to do it automatically, unless guests join your MDM.

Download/install via DHCP or something similar is probably too dangerous.

But a link on a guest portal may make sense...