06-17-2019 03:38 AM
Hi Guys
I am getting the following error while uploading a signed certificate on the WSA for the HTTPS proxy.
Error - Certificate signature verification failed. For the certificate 'XXXdomain.com
WSA S190
AsyncOS 11.7.0-407
Is there any solution for this issue?
06-17-2019 10:03 AM
06-17-2019 12:43 PM
Hi,
Please see the article below on what certificate the WSA needs for HTTPS:
You can also check whether the certificate is a server certificate or a root certificate using the openssl command:
To identify whether the certificate is a Root certificate or Certificate Authority (CA), you can use the openssl command to check the certificate file.
The openssl command to check this:
openssl x509 -text -in <certificate file>
Below is an example of the output from the openssl command for a Root certificate (CA):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
xx:xx:xx:xx:xx:xx:xx:xx
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, O=cisco, OU=cisco, CN=cisco
Validity
Not Before: Jun 18 03:29:30 2015 GMT
Not After : Jun 18 03:29:30 2016 GMT
Subject: C=AU, O=cisco, OU=cisco, CN=cisco
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
xx:xx:xx:xx:xx:xx:xx:xx
X509v3 Authority Key Identifier:
keyid:xx:xx:xx:xx:xx:xx:xx:xx
DirName:/C=AU/O=cisco/OU=cisco/CN=cisco
serial:xx:xx:xx:xx:xx:xx:xx:xx
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
From the above output, to identify that the certificate is a Root certificate, look for "Basic Constraints" and make sure it says CA:TRUE for a Root certificate.
Below is an example of the output from the openssl command for a Server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
Validity
Not Before: Mar 16 23:58:17 2012 GMT
Not After : Mar 17 23:58:17 2022 GMT
Subject: C=US, ST=California, L=San Bruno, O=Cisco IronPort Systems, Inc., CN=Cisco IronPort Appliance Demo Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
xx:xx:xx:xx:xx:xx:xx:xx
X509v3 Authority Key Identifier:
DirName:/C=US/ST=California/L=San Bruno/O=Cisco IronPort Systems, Inc./CN=Cisco IronPort Appliance Demo Certificate
serial:xx:xx:xx:xx:xx:xx:xx:xx
Signature Algorithm: sha1WithRSAEncryption
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
xx:xx:xx:xx:xx:xx:xx:xx
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
06-17-2019 04:29 AM
06-17-2019 05:43 AM
06-17-2019 06:24 AM
06-17-2019 07:02 AM
Just a clarification:
If you did this from your own CA, you just have to load your root onto the device under Network/Certificate Management, click the button near the bottom “Managed Trusted Root Certificates…” and import yours to the “Custom Trusted Root Certificates” list.
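The following script is an added example and is not code from this thread or from Cisco. It builds a throwaway PKI with the openssl CLI and automates the two checks the replies above describe: reading X509v3 Basic Constraints (CA:TRUE versus CA:FALSE) from `openssl x509 -text`, and verifying a certificate's signature against a trust store, which is the check that fails with "Certificate signature verification failed" when the signing root has not been imported as a Custom Trusted Root Certificate. It assumes an openssl CLI of version 1.1.1 or newer on PATH; every file name, subject and key in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Assumes openssl 1.1.1+ on PATH.
# All file names, subjects and keys below are constructed for this demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/openssl.cnf"

# Minimal config so the example does not depend on the system openssl.cnf.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = AU
O = example
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

# make_root NAME CN: self-signed root CA carrying CA:TRUE.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$CFG" -extensions ca_ext -subj "/C=AU/O=example/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME ROOT CN: server certificate (CA:FALSE) signed by ROOT.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$CFG" -subj "/C=AU/O=example/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$CFG" -extensions leaf_ext -out "$WORK/$1.pem" 2>/dev/null
}

# is_ca_cert FILE: the manual "Basic Constraints" check from the answer, automated.
# Looks at the line after "X509v3 Basic Constraints" and succeeds only on CA:TRUE.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# is_self_signed FILE: issuer DN equals subject DN, as on a root certificate.
is_self_signed() {
    [ "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" ]
}

# verify_against CERT TRUSTED_ROOT: the signature check an appliance performs on
# upload. Succeeds only when CERT chains to a root in the given trust file.
verify_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_root ourroot "Example Internal Root"
make_root otherroot "Unrelated Root"
make_leaf server ourroot "proxy.example.test"

is_ca_cert "$WORK/ourroot.pem" && echo "ourroot.pem : CA:TRUE  (root, import it as a trusted root)"
is_ca_cert "$WORK/server.pem"  || echo "server.pem  : CA:FALSE (server certificate)"
verify_against "$WORK/server.pem" "$WORK/ourroot.pem" \
    && echo "server.pem verifies against the root that signed it"
verify_against "$WORK/server.pem" "$WORK/otherroot.pem" \
    || echo "server.pem fails against a trust store lacking its root (the error in this thread)"
```

The last two lines are the point: the same server certificate verifies when its issuing root is in the trust file and fails when it is not, so the fix is to import the root (or the full issuing chain) rather than to re-issue the server certificate.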
06-17-2019 07:39 AM
06-17-2019 01:17 PM
06-17-2019 01:56 PM
06-17-2019 02:35 PM
06-19-2019 11:57 PM
Hi Ken,
Is there any way we can do this for guests, the same as a PAC file via DHCP/GP?
So guests download it automatically when they connect, or their browser downloads it automatically before proceeding.
06-20-2019 03:40 AM