WSA Issue: Error - Certificate signature verification failed.

hashimwajid1 (Level 3)

Hi Guys,

I am getting the following error while uploading a signed certificate on the WSA for the HTTPS proxy:

Error - Certificate signature verification failed. For the certificate 'XXXdomain.com

WSA S190
AsyncOS 11.7.0-407

Is there any solution for this issue?


12 Replies

What kind of cert is it? Where did you get it?


Hi Ken,

I generated a self-signed certificate on the WSA, then downloaded the CSR and sent it to the CA; they signed it and sent it back, but when I tried to upload it back onto the WSA it gave this error.

So if you sent it to a public CA, this won't work.... they are going to sell you a server cert, not a signing cert.

If you used a private CA (e.g. you run it), you just need to load the intermediate and root cert as well.

Just a clarification: 

If you did this from your own CA, you just have to load your root onto the device under Network/Certificate Management, click the button near the bottom “Managed Trusted Root Certificates…” and import yours to the “Custom Trusted Root Certificates” list.

Hi Ken,

It's the public CA GoDaddy.
Last time, when we used a wildcard certificate, the WSA gave an error that we were using a server certificate, so it did not accept it. This time we generated the CSR from the WSA and got it signed by the public CA, and it is not giving the server certificate error but a very different one.

Is there any way I can find out whether the certificate we received is a server certificate and not the root certificate?

When we used the wildcard, the WSA told us we were using a server certificate, but this time the error is different.

A server cert from GoDaddy WILL NOT WORK for this, wildcard or not.

You can still load the GoDaddy root certs, which should have come with this cert, into your WSA...

You'll then get the same "can't use a server cert" error...

The WSA generates a "spoofed" cert for each website you visit, so the cert it uses has to be a signing cert. Public CAs won't sell you a signing cert for web sites...




Hi,

Please see below for the article on what certificate the WSA needs for HTTPS:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117792-technote-wsa-00.html

You can also check whether the certificate is a server certificate or a root certificate using the openssl command.

To identify whether the certificate is a Root certificate or Certificate Authority (CA), you can use the openssl command to check the certificate file.

The openssl command to check this:

openssl x509 -text -in <certificate file>

Below is an example of the output from the openssl command for a Root certificate (CA):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, O=cisco, OU=cisco, CN=cisco
        Validity
            Not Before: Jun 18 03:29:30 2015 GMT
            Not After : Jun 18 03:29:30 2016 GMT
        Subject: C=AU, O=cisco, OU=cisco, CN=cisco
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Authority Key Identifier:
                keyid:xx:xx:xx:xx:xx:xx:xx:xx
                DirName:/C=AU/O=cisco/OU=cisco/CN=cisco
                serial:xx:xx:xx:xx:xx:xx:xx:xx

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

 

From the above output, to identify that the certificate is a Root certificate, look for "Basic Constraints" and make sure that it shows CA:TRUE for a Root certificate.

 

Below is an example of the output from the openssl command for a Server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
        Validity
            Not Before: Mar 16 23:58:17 2012 GMT
            Not After : Mar 17 23:58:17 2022 GMT
        Subject: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                    xx:xx:xx:xx:xx:xx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=California/L=San Bruno/O=Cisco IronPort Systems, Inc./CN=Cisco IronPort Appliance Demo Certificate
                serial:xx:xx:xx:xx:xx:xx:xx:xx

    Signature Algorithm: sha1WithRSAEncryption
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
        xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
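As an added example (not code from this thread, from Cisco, or from the WSA), the POSIX shell script below automates the manual check in the answer above: it reads the same "openssl x509 -text" output and reports whether a PEM file is a signing (CA) certificate or an end-entity server certificate, and whether it is self-signed (a root). It goes a step beyond the answer by also requiring "Certificate Sign" in Key Usage when that extension is present, since a CA:TRUE cert whose key is not allowed to sign certificates is equally unusable for HTTPS decryption. To run offline it constructs its own throwaway CA and server cert with OpenSSL 1.1.1+ (the "-addext" option); all file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: classify a PEM certificate from
# "openssl x509 -text" output. A WSA HTTPS decryption cert must be a
# signing cert (Basic Constraints CA:TRUE, and Certificate Sign if a
# Key Usage extension exists); a server cert shows CA:FALSE.

# cert_role FILE -> prints "ca" or "server" ("unknown" if FILE does not parse)
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unknown; return 1; }
    case "$text" in
        *"CA:TRUE"*)
            # "X509v3 Key Usage" does not match "X509v3 Extended Key Usage",
            # so an EKU-only cert is not wrongly required to carry Certificate Sign.
            case "$text" in
                *"X509v3 Key Usage"*)
                    case "$text" in
                        *"Certificate Sign"*) echo ca ;;
                        *) echo server ;;   # CA flag set, but the key may not sign certs
                    esac ;;
                *) echo ca ;;
            esac ;;
        *) echo server ;;   # CA:FALSE, or no Basic Constraints at all (not a CA per RFC 5280)
    esac
}

# is_self_signed FILE -> exit 0 when subject equals issuer (a root), 1 otherwise
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# make_demo_certs -> prints a temp dir holding a constructed self-signed CA
# (ca.pem) and a server cert signed by it (leaf.pem); constructed demo data only
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 \
        -subj "/O=Example Corp/CN=Example Internal Root" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=proxy.example.internal" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demo: report the role of each constructed cert
demo_dir=$(make_demo_certs)
for f in "$demo_dir/ca.pem" "$demo_dir/leaf.pem"; do
    if is_self_signed "$f"; then ss=yes; else ss=no; fi
    echo "$(basename "$f"): role=$(cert_role "$f") self-signed=$ss"
done
```

Point cert_role at the file returned by a public CA and it prints "server", which is the situation described earlier in the thread: the WSA rejects it because it cannot use an end-entity cert to issue the per-site certificates it generates. A root or intermediate from your own CA prints "ca".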

Hi Handy,

We don't have any internal root CA, and we want HTTPS decryption for all domains and guest users.

I know that by using Group Policy we can push the WSA self-signed certificate to domain users, but we cannot do it for guest users.

Is there any way we can achieve HTTPS decryption for guest/non-domain users via the WSA? Any solution for it?

Not one that anyone likes...

I sat down at Cisco Live last week with a Technical Marketing Engineer, a product manager, and a development manager, and this topic came up.

You have to make the root cert available to be downloaded somehow... I pitched making it available via the WSA, sort of like PAC hosting, with a link in an End User Notification or Acknowledgement message.

Ken


Hi Ken,

These are good suggestions. Do you think I should open a TAC case with Cisco for this?
It's a customer requirement and we have to fulfil it.

Hi Ken,

Is there any way we can do this for guests, the same way as a PAC file via DHCP/GP?

So guests should download it automatically when they connect, or their browser should download it automatically before proceeding.

At the moment, I don't think there is a way to do it automatically, unless guests join your MDM.

Download/install via DHCP or something similar is probably too dangerous.

But a link on a guest portal may make sense...