茫茫網海中的冷日
Posted by: 冷日    Posted on: 2016/5/10 2:39:27

Cisco IronPort WSA: Configuring management and HTTPS proxy certificates

I’ve been working on a Cisco IronPort WSA deployment for the past few weeks and I’ve noticed the documentation available from various sources (Cisco’s docs, Google, etc.) is pretty sparse. Most of the functionality is pretty easy to figure out, but I did notice that the documentation for configuring the management certificate and the HTTPS proxy certificate was lacking. So, here’s a quick guide for getting the certificates issued (from a MS CA) and installed on the WSA.

Assumptions

For the purposes of the blog post, I’m going to assume that your MS CA is properly configured for certificate enrollment. Additionally, I’m going to use the following placeholder hostnames:

  • IronPort Web Security Appliance = wsa

  • MS CA web enrollment server = certauthor

Microsoft CA Templates

Regardless of how your certificate authority is set up, you should have some default certificate templates. The templates that we’re concerned with (and that I assume are set up properly) are:

  • Subordinate Certificate Authority – used for the HTTPS proxy
  • Web Server – used for securing web management sessions (and optionally encrypted authentication)

There are scenarios where installing these certificates might not be required, but my assumption is that you want to get both the management certificate and HTTPS proxy certificate installed.

Provisioning Certificates

There are numerous ways to create private keys and certificate requests and get them signed by the CA. However, I’ve found that the easiest way is by using the OpenSSL toolkit (get it here). This section will show you how to generate the private keys/CSRs, submit them to the CA, and install them into the WSA.

Generating Private Keys and CSRs

The following commands are used to generate the private keys and CSRs we need for the CA:

Web Server Certificate
openssl genrsa -out web.key 1024
openssl req -new -out web.csr -key web.key

Subordinate CA Certificate
openssl genrsa -out sub-ca.key 1024
openssl req -new -out sub-ca.csr -key sub-ca.key

Fig 1. OpenSSL Commands

If you get the “unable to write ‘random state’” message from OpenSSL on Windows, you’ll need to run the command prompt as an administrator.

Submitting the CSRs

In preparation for submitting the CSR to the CA you will want to have the .csr files (generated earlier) open in your favorite text editor. Then, you need to complete the following steps:

a. Navigate to https://certauthor/certsrv, which will bring you to the following web page:

Fig 2. CSR – Step 1

b. Click the Request a certificate link, which will bring you to the following web page:

Fig 3. CSR – Step 2

c. Click the Submit a certificate request by using a base-64-encoded… link, which will bring you to the following page:

Fig 4. CSR – Step 3

d. Paste the contents of the web.csr file into the field labeled Base-64-encoded certificate request.

e. Select the Web Server certificate template.


f. Click Submit > and, depending on your CA settings, you will be taken to a page that will allow you to download the certificate.

g. Select the DER format and save the certificate with your .key and .csr files.

h. Repeat steps a through g for the sub-ca.csr using the Subordinate Certificate Authority template instead.

Converting DER to PEM

Now that we have the signed certificates from the CA, we’re ready to convert them from the DER format to the PEM format (the WSA expects the PEM format). To do that we’ll need to go back to the command line and run a few more commands:

Web Server Conversion
openssl x509 -inform der -in web.cer -out web.pem

Subordinate CA Conversion
openssl x509 -inform der -in sub-ca.cer -out sub-ca.pem

Fig 5. DER to PEM

That’s it as far as the certificate provisioning is concerned. Next we’ll be importing the certificates into the WSA appliance for use.
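As an added example (not from the original post), the following POSIX shell script wraps the key/CSR generation and the DER-to-PEM conversion above into functions and adds the checks worth running before pasting anything into the WSA: that each certificate matches its private key, that the sub-ca certificate was actually issued as a CA certificate (CA:TRUE, which is what the Subordinate Certificate Authority template produces), and that the web certificate’s CN is the appliance hostname. It assumes the openssl CLI is on the path, uses the post’s placeholder names, and generates 2048-bit keys rather than the 1024-bit keys in the commands above, since 1024-bit RSA is no longer accepted by current CAs and browsers.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# provisioning steps plus pre-upload checks. File names, subjects and the
# "wsa" hostname are the post's placeholders.
set -e

# Step 1: private key and CSR. 2048-bit by default (the post uses 1024,
# which current CAs and browsers reject).
gen_key_csr() {                      # gen_key_csr <name> <subject> [bits]
    openssl genrsa -out "$1.key" "${3:-2048}"
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2"
}

# Step 2: the MS CA web enrollment page hands back DER (.cer); the WSA
# wants PEM, so convert before pasting or uploading.
der_to_pem() {                       # der_to_pem <in.cer> <out.pem>
    openssl x509 -inform der -in "$1" -out "$2"
}

# Check 1: the certificate must belong to the key you are about to paste.
# Both commands print "Modulus=<hex>", so a plain string compare suffices.
key_matches_cert() {                 # key_matches_cert <key> <cert.pem>
    k=$(openssl rsa  -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the HTTPS proxy certificate must be a CA certificate, i.e. the
# CA really issued it from the Subordinate Certificate Authority template.
cert_is_ca() {                       # cert_is_ca <cert.pem>
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Check 3: the management certificate's CN should be the name browsers use
# for https://wsa:8443, or they will warn about a hostname mismatch.
cert_has_cn() {                      # cert_has_cn <cert.pem> <hostname>
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        grep -Eq "CN=$2"'(,|$)'
}
```

Run key_matches_cert and cert_is_ca right after the conversion step; a failure here is what otherwise surfaces later as a rejected upload in the WSA or a browser warning on the management interface.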

Installing the Certificates

Management Certificate

The installation of the management certificate is pretty simple. The process goes like this:

  1. Log into your WSA via SSH

  2. Type certconfig and press return

  3. Type setup and press return

  4. Type Y to confirm that you want to continue and press return

  5. You will be prompted to “paste cert in PEM format (end with ‘.’):”

  6. Paste the contents of the web.pem file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time

  7. You will be prompted to “paste key in PEM format (end with ‘.’):”

  8. Paste the contents of the web.key file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time

  9. You can then commit the changes to complete the configuration for the management interface

After committing, you can test out the new certificate by browsing to https://wsa:8443 and verifying that the certificate being used is the one you just configured.

HTTPS Proxy Certificate


The installation of the HTTPS proxy certificate is done through the web management interface located at https://wsa:8443. Once logged into the WSA web management interface, you will need to do the following:

  1. Navigate to Security Services > HTTPS Proxy

  2. Click the Edit Settings… button for the HTTPS Proxy Settings section (located just above the Certificate Lists)

  3. Ensure the Enable HTTPS Proxy is checked

  4. Click the Use Uploaded Certificate and Key radio button

  5. Click the Choose File button next to the Certificate label

  6. Select the sub-ca.pem file that you generated earlier and click Open

  7. Click the Choose File button next to the Key label

  8. Select the sub-ca.key file that you generated earlier and click Open

  9. Click Submit at the bottom of the page

10. Commit your changes

After you’ve committed your changes (assuming no errors) you will have completely set up both the Management Certificate and the HTTPS Proxy Certificate. That’s it — if you have any questions or comments please feel free to leave a message below.


Original source: Cisco IronPort WSA: Configuring management and HTTPS proxy certificates | Byte of IT