Request Sub-CA-Certificate for Ironport WSA

Similar Messages

• Using PowerShell to request a public certificate for webconf. What type should I specify

  Using the PowerShell command below to request a certificate for webconf.domain.com on the Edge. There are at least a dozen "types" I can specify. I was thinking WebServicesExternal but maybe AccessEdgeExternal?? Not sure what to use or if it even
  makes a difference.
  Request-CsCertificate -New –Type WebServicesExternal -ComputerFqdn "edgeserver.domain.com" 
  -FriendlyName "Web Conferencing" –Organization etc......-PrivateKeyExportable $True –DomainName webconf.domain.com –output c:\webconf.txt

  Type will be AccessEdgeExternal and command will be as followingRequest-CsCertificate -New -Type AccessEdgeExternal -Output C:\ <certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
  Also you can refer below link
  http://technet.microsoft.com/en-us/library/gg398409.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

• Request Smartcard Logon certificates for more than 2 years from Certificate Authority

  Dear all,
  I have setup a Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage
  http://ipofdomainserver/certsrv using the SmartCard logon custom template.
  The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years. 
  I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
  What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
  Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?

  I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
  1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
  Created the file CAPolicy.inf in %SYSTEMROOT% with following content
  [Version]
  Signature=”$Windows NT$”
  [certsrv_server]
  RenewalValidityPeriod=Years
  RenewalValidityPeriodUnits=20
  2. Renew CA root using this guide  https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
  Console Root -> Certification Authority -> select domain -> Right click -> All Tasks ->
  Renew CA certificate
  3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification
  Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from 
  Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
  4. I performed a reboot here
  5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
  6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
  to value 10 for 10 years.
  7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to
  smartcard (I was making sure there is no other certificate on the smartcard)
  8. Try to log in. At this point it should throw an erorr that smartcard logon is not supported for this
  account type. This is becuase we need to enroll it again for domain authentication
  9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks ->
  Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
  Now you should be able to login using your smartcard and 10 years generated certificate.
  Though I have a problem at step 3, after CA server reboots the *WINSC-CA certificate with lower
  validity is restored automatically, but the certificates are generated for 10 years.
  What am I doing wrong ? How can I delete the lower validity root CA ?

• Office Web Apps Server Certificate For External

  Hi guys,
  I am requesting a DigiCert certificate for my environment Exchange 2013.
  Can I include the SAN name for Office Web Apps server, such as externalowa.domain.com in to the Exchange generated certificate?
  From theory wise it seems logic, but kind of uncertain.
  Thanks and Regards,
  Low.

  Hi Nithyanandham,
  Thanks for the prompt reply
  I will just list down what I did to be more clear.
  I generated a CSR from Exchange 2013 with the following
  Webmail.domain.com - for Outlook Web Access, Outlook Anywhere, ActiveSync
  Autodiscover.domain.com - for AutoDiscover purposes
  Can I include the externalowa.domain.com, which is for Office Web Apps server
  Reason is because the Exchange server and Office Web Apps server is located differently. Am I doing the correct way?
  Thanks and Regards,
  Low

• End-user notification is not working for one of the untagorized HTTPS webistes on IronPort WSA

  When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of regular IronPort WSA end-user-notification. This URL is currently uncategorized. Please advice.

  Yes, we have set drop all the uncategorized URLs. We do get end-user-notifications for HTTP websites which are uncategorized.
  However, if any of the HTTPS websites which are uncategorized, then we wont get end-user-notification.

• I have been requested the certificate for iOS development since 4 days ago, but the result is still pending approval. So how many days should i wait?

  i have been requested the certificate for IOS Development since 4 days ago, but the result is still pending approval. So how many days should i wait?

  1. You did not get an error message telling you that your iPhoto library was getting full. You got a message telling you that your HD was getting full, right?
  OS X needs about 10 gigs of hard drive space for normal OS operations - things like virtual memory, temporary files and so on.
  Without this space your Mac will slow down as the OS hunts for space on the disk, files will be fragmented, also slowing things down, apps will crash and the risk of data corruption - that is damage to your files, photos, music - increases exponentially.
  Your first priority is to make more space on that HD. Nothing else can be done until you do.
  Purchase an external HD and move your Photos and Music to it. Both iPhoto and iTunes can run perfectly well with the Library on an external disk.
  Your Library has been damaged from being run on an overfull disk.
  How much free space on it now?

• Any methods to simulate Cisco IronPort WSA appliance for practice

  Similar to GNS3 on which we can simulate ASA/Routers, same way any other methods to simulate Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.

  You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
  http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest

• ACE working with IronPort WSA server farm

  We have an ACE load balancing a group of Ironport WSA. The WSA are working with the feature IP Spoofing, then the request to WWW has the source ip address of the WSA client and not the WSA itself.
  We follow the documento behind, but it is not working. When the packet coming from Internet having the destination address the WSA client address, the ACE can not delivery the packet even with the mac-sticky configured.
  I read in other forum that ACE needs to have in its arp table or route table the destination IP address for being able to deal with the packet by the encapid.
  But we don't have this entry in the arp table.
  When we configure the WSA with IP spoofing and the source ip address is the WSA itself the configuration works fine.
  Some have this kind of problem in some ocasion?
  Thank you,
  Everaldo

  Hi Jorge,
  The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
  With no IP Spoofing, meaning that the ip source address is tha WSA the connection is established with no RST.
  Follow the output the commands:
  show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
  Status     : ACTIVE
  Description: -----------------------------------------
  Interface: vlan 304
    service-policy: WSA-VIPS
      class: WSA_VIP_TCP_3128
       VIP Address:                              Protocol:  Port:
       10.10.193.25                              tcp    eq   3128
        loadbalance:
          L7 loadbalance policy: WSA-POLICY
          VIP Route Metric     : 77
          VIP Route Advertise  : ENABLED-WHEN-ACTIVE
          VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: DISABLED
          curr conns       : 3         , hit count        : 1260
          dropped conns    : 4
          conns per second    : 0
          client pkt count : 19271     , client byte count: 2326106
          server pkt count : 26140     , server byte count: 16572023
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
          L7 Loadbalance policy : WSA-POLICY
            class/match : class-default
              LB action :
                 primary serverfarm: WSA_FARM
                      state: UP
                  backup serverfarm : -
              hit count        : 1260
              dropped conns    : 0
              compression      : off
        compression:
          bytes_in  : 0                          bytes_out : 0
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0
          Content size: 0               Content type       : 0
          Not HTTP 1.1: 0               HTTP response error: 0
          Others      : 0
  switch/WSA# show probe WSA_TCP_3128
  probe       : WSA_TCP_3128
  type        : TCP
  state       : ACTIVE
     port      : 3128         address   : 0.0.0.0
     addr type : -            interval  : 5       pass intvl  : 10
     pass count: 3            fail count: 30      recv timeout: 10
                  ------------------ probe results ------------------
     associations     ip-address         port porttype probes failed passed health
     ------------ ----------------------+----+--------+------+------+------+------
     serverfarm  : WSA_FARM
       real      : WSA-01[0]
       real      : WSA-02[0]
                            10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
       real      : WSA-03[0]
       real      : WSA-04[0]
       real      : WSA-05[0]
       real      : WSA-06[0]
       real      : WSA-07[0]
       real      : WSA-08[0]
       real      : WSA-09[0]
       real      : WSA-10[0]
  switch/WSA# show probe WSA_TCP_3128 detail
  probe       : WSA_TCP_3128
  type        : TCP
  state       : ACTIVE
  description :
     port      : 3128         address   : 0.0.0.0
     addr type : -            interval  : 5       pass intvl  : 10
     pass count: 3            fail count: 30      recv timeout: 10
     conn termination : FORCED
     expect offset    : 0         , open timeout     : 3
     expect regex     : -
     send data        : -
                  ------------------ probe results ------------------
     associations     ip-address         port porttype probes failed passed health
     ------------ ----------------------+----+--------+------+------+------+------
     serverfarm  : WSA_FARM
       real      : WSA-01[0]
       real      : WSA-02[0]
                            10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
     Socket state        : CLOSED
     No. Passed states   : 2         No. Failed states : 1
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err :  -
     Last probe time     : Mon Sep  3 21:06:47 2012
     Last fail time      : Mon Sep  3 20:45:05 2012
     Last active time    : Mon Sep  3 20:45:57 2012
       real      : WSA-03[0]
       real      : WSA-04[0]
       real      : WSA-05[0]
       real      : WSA-06[0]
       real      : WSA-07[0]
       real      : WSA-08[0]
       real      : WSA-09[0]
       real      : WSA-10[0]
  Thank you,
  Everaldo

• New SSL certificate for M670 process?

  Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?
  Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.
  Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 
  Jason

  Jason -
  You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.
  Had previous saved notes for similar questions in the past --- see if this helps:
  For full create and install:
  http://tools.cisco.com/squish/39054
  Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.
  On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates
  Detailed description how to generate a certificate can be found within the knowledge base article 1634.
  It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
  Use GUI: Network > Certificates > Export Certificates to export certificate.
  Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
  To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:
  openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
  Windows version of OpenSSL can be downloaded from:http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first before the OpenSSL Win32.
  Versions for Mac, Linux, and other operation systems can be downloaded from http://www.openssl.org/source/
  After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.
  To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates >select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
  The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.
  Let me know!
  -Robert

• Ironport WSA - Management interface

  Hello,
  I have installed one Ironport WSA appliance for my customer.
  I would configure the following interface :
  -M1 : for the management
  -P1 : for the production interface
  -T1 : for L4 inspection
  I have specified a default route for M1 and P1.
  When I tryed to ping Internet or perform an update of the WSA, I watched the request exit by the M1 interface.
  It doesn't work because the management network can't exit in Internet (it's the policy of the customer).
  -It's normal that the upgrade of WSA and the ping exit by the M1 interface ?
  -If I want perform authentication in NTLM (with an AD domain) the request with the server and the client is performed with P1 or M1 ?
  -The upgrade of antivirus & sensor base use M1 or P1 ?
  -I thinked that M1 was only used for the management of the WSA (SSH and HTTPS).
  -How the WSA appliance can manage two default routes ?
  Can you give me more information about M1 and P1 and the role of each one ?
  Best Regards
  Cédric

  You can change the route that the update and upgrades use by going to System Adminstration>Upgrade and Update Settings.  Then click on the "Edit Update Settings".  You can pick the routing table/interface here.  By default its set to the managment interface.
  I'm fairly sure that the NTLM traffice from the WSA to the domain is via the managment interface.
  P1 is for the proxy traffic. Whatever way you get internet traffice to the box, it goes through P1, in and out (unless you use P2)
  M1 is for all of the other stuff: web management, ssh, updates, ldap/ntauth, etc.

• Is it possible to use single ssl certificate for multiple server farm with different FQDN?

  Hi
  We generated the CSR request for versign secure site pro certificate
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  SSL Certificate for cn=abc.com   considering abc.com as our major domain. now we have servers in this domain like    www.abc.com,   a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
  And the same message when trying to access https://www.abc.com from Google Chrome.
  "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
  so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
  Now my question is
  1. Is is possible to  remove above errors doing some ssl configuration on ACE?
  2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate  for CSR generated uisng cn =abc.com to be installed on ACE  and will be used  for all servers like  www.abc.com , a.abc.com etc..
  Thanks
  Waliullah

  If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't beause your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
  Hope this helps,
  Sean

• Multiple Certificates for the same WLS

  Hi,
  IHAC who asks the following:
  Background
  Bigshop Limited carried out a soft launch of our e-tailing website under
  the
  url fonzie.bigshop.com.au
  We have a verisign certificate setup up for 128 bit ssl under the
  knownname
  fonzie.bigshop.com.au
  All ssl connections that connect to the site with this url are able to
  establish an SSL session.
  Current Issue
  Bigshop is now in the process of carrying out the public launch of the
  website. The public url for the website will be www.bigshop.com.au
  We have generated new public/private key pair and a Certificate Signing
  Request (CSR) and have ordered a new certificate from verisign
  Could you please advise if it is possible to operate two certificates
  for
  the one server. This will allow our www.bigshop.com.au and
  fonzie.bigshop.com.au url's to operate concurrently and enable both to
  establish SSL session with valid certificates.
  Is what they want to do possible ?? any suggestions
  appreciated,
  regards,
       Patrick.

  Did you ever figure out how to use multiple certificates to the sameserver? I have a need to do this also. Thanks a lot.
  In current versions of weblogic (5.1,6.x,7.0,8.1), you can configure only
  one certificate per server.
  -utpal

• SSL Certificate for Software LifeCycle Management

  Dear Friends,
  We have Solution Manger 70 with EhancementPack 1 (Java 7.01 SP4). Trying to configure the Software LifeCycle Management and I am stuck at the first stage i.e. generating SSL SSL Certificate.
  Here is what I have done and please let me know on how to proceed...
  - Installed SAP Cryptographic libraries, all the necessary Profile parameters and activated HTTPS...
  - STRUSTSSO2 --> Created SSL Server PSE
  - Generated the Certificate Requests for the SSL Server PSE
  - Copied the Certificate Request.
  - Opened the https://service.sap.com/tcs site
  - Requested for SSL Test Server Certificate by pasting the Copied the Certificate Request and generated the certificate response in a "PKCS # 7 Certificate Chain" format.
  - Copied the Generated Imported Certficate from SAP Trust center Site, and Imported the Certificate response for SSL Server using STRUSTSSO2.
  What else I am missing here?????????
  How to generate the Import Certifcate in a crt file format for SSL client (Anonymous or Standard) PSE's?????????
  Kindly help me with these issue ASAP.
  Thank you,
  Nikee

  Users are prompted to accept the certificate from the WLC because the clients do not have a trusted root certificate for the certificate that is installed on the WLC. The SSL certificate on the WLC is not in the list of certificates that the client system trusts. There are two ways to stop the generation of this web-browser security alert popup window:
  a) Use the self-signed SSL certificate on the WLC and configure the client stations to accept the certificate
  b) Generate a CSR and install a certificate that is signed by a source (a third-party CA) for which the clients already have the trusted root certificates installed. For more information on this read http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

• Renew Machine Certificate for multiple Servers

  Hi,
  We have Windows 2003 Enterprise CA which issues certificates to servers which are used for various purpose like Wifi Authentication, Secure RDP. We have checked that the certificates are going to expire within few weeks. We want to renew certificates before
  expiry but the number of servers is high so we cannot do it manually by logging into each server.
  We doesn't have ACRS enabled for computer certificates and even if we configure it now that will not help.
  Is there a way to renew the certificates for all the servers remotely.

  On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
  We already have auto-enrolment enabled through GPO. The settings are as follows
  Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
  Update and manage certificates that use certificate templates from Active Directory ..........Enabled
  I think that you're confusing Automatic Certificate Request Services and
  autoenrollment. In your first post in this thread you mention ACRS, however
  the above settings are for autoenrollment. ACRS is only for certificates
  that are based upon V1 certificate templates and then only for machine
  certificates. Autoenrollment on the other hand does not work for anything
  less than V2 certificates and supports both machine and user certificates.
  If you're using V1 certificate templates then you can set autoenrollment
  settings in a GPO and it will not have any impact at all.
  Paul Adare - FIM CM MVP
  Remember the signs in restaurants "We reserve the right to refuse
  service to anyone"? The spammers twist it around to say "we reserve
  the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

• Generate Certificates for WLC and clients

  Hi Guys
  I've been working acording the following document to integrate my WLC 5508 with LDAP for internal users:
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
  However when I try to generate the device certificate on Windows Server 2012, I see the steps are different, for example when I reach the step 4 (of Generate a Device Certificate for the WLC section), the CA ask me for a Certificate Signing Request instead of Create and submit request to this CA option, as appears in the document.
  How do I get this? 
  Thanks in advance for your support!
  Marcelo

  Hi,
  If you are trying to get a device certificate for WLC, then you may need to use 3rd party software like openSSL for this.
  Below post may help you to see how you can do this
  http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
  HTH
  Rasika
  *** Pls rate all useful responses ****