I’ve been working on a Cisco IronPort WSA deployment for the past few weeks and I’ve noticed the documentation available from various sources (Cisco’s docs, Google, etc.) is pretty sparse. Most of the functionality is pretty easy to figure out, but I did notice that the documentation for configuring the management certificate and the HTTPS proxy certificate was lacking. So, here’s a quick guide for getting the certificates issued (from a MS CA) and installed on the WSA.
Assumptions
For the purposes of this blog post, I’m going to assume that your MS CA is properly configured for certificate enrollment. Additionally, I’m going to use the following placeholder hostnames:
- IronPort Web Security Appliance = wsa
- MS CA web enrollment server = certauthor
Microsoft CA Templates
Regardless of how your certificate authority is set up, you should have some default certificate templates. The templates that we’re concerned with (and that I assume are set up properly) are:
- Subordinate Certificate Authority – used for the HTTPS proxy
- Web Server – used for securing web management sessions (and optionally encrypted authentication)
There are scenarios where installing these certificates might not be required, but my assumption is that you want to get both the management certificate and HTTPS proxy certificate installed.
Provisioning Certificates
There are numerous ways to create private keys and certificate requests and get them signed by the CA. However, I’ve found that the easiest way is by using the OpenSSL toolkit (get it here). This section will show you how to generate the private keys/CSRs, submit them to the CA, and install them into the WSA.
Generating Private Keys and CSRs
The following commands are used to generate the private keys and CSRs we need for the CA:
Web Server Certificate
Submitting the CSRs
In preparation for submitting the CSR to the CA you will want to have the .csr files (generated earlier) open in your favorite text editor. Then, complete the following steps:
a. Navigate to https://certauthor/certsrv which will bring you to the following web page:
b. Click the Request a certificate link which will bring you to the following web page:
c. Click the Submit a certificate request by using a base-64-encoded… link which will bring you to the following page:
d. Paste the contents of the web.csr file into the field labeled Base-64-encoded certificate request.
e. Select the Web Server certificate template.
f. Click Submit > and, depending on your CA settings, you will be taken to a page that will allow you to download the certificate.
g. Select the DER format and save the certificate alongside your .key and .csr files.
h. Repeat steps a through g for the sub-ca.csr using the Subordinate Certificate Authority template instead.
Converting DER to PEM
Now that we have the signed certificates from the CA, we’re ready to convert them from the DER format to the PEM format (the WSA expects PEM). To do that we’ll need to go back to the command line and run a few more commands:
Web Server Conversion
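The key generation, CSR and DER-to-PEM commands that the two listings above refer to, as an added example in POSIX shell (these are not the original post’s commands): the hostnames, subject fields and file names are assumptions, and the key-match check and the s_client check are extras a practitioner would run before and after uploading.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL helpers for the WSA
# provisioning steps above. Hostnames and subject fields are placeholders.
set -e

# Generate a 2048-bit RSA private key and a CSR for the given file prefix.
# The MS CA template (Web Server or Subordinate CA) supplies the extensions,
# so the CSR only needs a subject.  Usage: make_csr web "/CN=wsa.example.com"
make_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}

# Convert the DER certificate downloaded from certsrv to the PEM the WSA expects.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Pre-upload check: the certificate's public key must match the private key.
# Compares SHA-256 hashes of the two public keys; returns 0 on match, 1 otherwise.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Post-install check: show the certificate the WSA presents on its management port.
show_served_cert() {
  openssl s_client -connect "$1:${2:-8443}" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Generate both key/CSR pairs when invoked with an output directory:
#   sh wsa-certs.sh ./certs
if [ "$#" -eq 1 ]; then
  mkdir -p "$1" && cd "$1"
  # Web Server template: the CN is the hostname admins browse to (wsa).
  make_csr web "/C=US/O=Example/CN=wsa.example.com"
  # Subordinate CA template: the CN names the proxy's signing CA, not a host.
  make_csr sub-ca "/C=US/O=Example/CN=WSA HTTPS Proxy CA"
  echo "Submit web.csr and sub-ca.csr at https://certauthor/certsrv, then run:"
  echo "  der_to_pem web.cer web.pem && cert_matches_key web.pem web.key"
fi
```

Keep sub-ca.key under the same controls as any issuing CA key: once the proxy is enabled it signs the certificate for every intercepted HTTPS site, so anyone holding it can impersonate any site to your users.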
That’s it as far as the certificate provisioning is concerned. Next we’ll be importing the certificates into the WSA appliance for use.
Installing the Certificates
Management Certificate
The installation of the management certificate is pretty simple. The process goes like this:
1. Log into your WSA via SSH
2. Type certconfig and press return
3. Type setup and press return
4. Type Y to confirm that you want to continue and press return
5. You will be prompted to “paste cert in PEM format (end with ‘.’):”
6. Paste the contents of the web.pem file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time
7. You will be prompted to “paste key in PEM format (end with ‘.’):”
8. Paste the contents of the web.key file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time
9. Commit the changes to complete the configuration for the management interface
HTTPS Proxy Certificate
The installation of the HTTPS proxy certificate is done through the web management interface located at https://wsa:8443. Once logged into the WSA web management interface, you will need to do the following:
1. Navigate to Security Services > HTTPS Proxy
2. Click the Edit Settings… button for the HTTPS Proxy Settings section (located just above the Certificate Lists)
3. Ensure the Enable HTTPS Proxy checkbox is checked
4. Click the Use Uploaded Certificate and Key radio button
5. Click the Choose File button next to the Certificate label
6. Select the sub-ca.pem file that you generated earlier and click Open
7. Click the Choose File button next to the Key label
8. Select the sub-ca.key file that you generated earlier and click Open
9. Click Submit at the bottom of the page
10. Commit your changes
After you’ve committed your changes (assuming no errors) you will have completely set up both the Management Certificate and the HTTPS Proxy Certificate. That’s it — if you have any questions or comments please feel free to leave a message below.