CacheFlow SSL certificate for management console to be signed by Internal Certificate Server

Article ID: 168550

Products

CacheFlow Appliance Software

Issue/Introduction

How to create a strong SSL certificate for the management console and have it signed by an internal Certificate Server (CA).

Cause

The default SSL certificate for the Management GUI is 256 bits in length. Many security vulnerability scanners flag this as cryptographically weak and therefore a security risk: an attacker may be able to leverage weaknesses in the public key strength to gain access to sensitive information.

Resolution


1. Create a 2048-bit keyring and name it gui2. gui2 is only the name of the keyring; you can name it according to your company policy.
#(config ssl)create keyring no-show gui2 2048

2. Generate a Certificate Signing Request (CSR) for the keyring. An example session is shown below:
#(config ssl)create signing-request gui2
  Country code []: CA
  State or province []: ON
  Locality or city []: Malaysia
  Organization name []: Bluecoat
  Organization unit []: CSE
  Common name []: CSECF500
  Email address []:
  Challenge  []: abc123
  Company name []:

3. Submit the CSR to the Certification Authority (CA). The CSR contains your certificate-application information, including your public key.

A. Display the CSR so that it can be copied:
#(config ssl)view signing-request gui2
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Note: Copy the signing-request text (starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----) and have it signed by the CA server.

B. Install the signed certificate into the keyring. 12345 is an arbitrary end-of-input marker: paste the certificate text returned by the CA, then type the marker on a line of its own to finish the input.
#(config ssl)inline certificate gui2 12345
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
12345
ok


4. Apply the keyring to the management console (the HTTPS-Console management service):
#(config ssl)exit
#(config)management-services
#(config management-services)edit HTTPS-Console
#(config HTTPS-Console)attribute keyring gui2
 ok


5. Verify that the 2048-bit certificate is in use
Open the management console in a browser and view the certificate; its public key should be shown as 2048 bits.
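As an added check that is not part of this article, the following OpenSSL script confirms the key size in the CSR before it is submitted to the CA and in the certificate the console actually serves after step 4 (which is what a vulnerability scanner sees). It assumes openssl is on the PATH and that the management console listens on TCP port 8082; both the port and the host name are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not from the KB article: verify RSA key strength with OpenSSL.
# Assumptions: openssl is installed; the HTTPS-Console service listens on
# port 8082 (assumed default, override with the second argument).

# Read a PEM public key on stdin and print its size in bits.
# Works with OpenSSL 1.x ("RSA Public-Key: (2048 bit)") and 3.x ("Public-Key: (2048 bit)").
pubkey_bits() {
  openssl pkey -pubin -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Key size of the public key inside a PEM-encoded CSR (the "view signing-request" output).
csr_key_bits() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null | pubkey_bits
}

# Key size of the public key inside a PEM-encoded certificate (what the CA returned).
cert_key_bits() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pubkey_bits
}

# Key size of the certificate the live management console presents on its TLS port.
console_key_bits() {
  host="$1"; port="${2:-8082}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -pubkey 2>/dev/null | pubkey_bits
}

# Succeed (exit 0) only when the size meets the 2048-bit minimum the article targets.
check_min_bits() {
  bits="$1"
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Usage: ./check-keyring.sh <csr.pem> [console-host] [port]
if [ -n "${1:-}" ]; then
  b="$(csr_key_bits "$1")"
  echo "CSR public key: ${b:-unreadable} bits"
  check_min_bits "$b" || echo "WARNING: CSR key is below 2048 bits; regenerate the keyring"
  if [ -n "${2:-}" ]; then
    c="$(console_key_bits "$2" "${3:-8082}")"
    echo "Console certificate public key: ${c:-unreadable} bits"
    check_min_bits "$c" || echo "WARNING: console still serves a weak key; re-check step 4"
  fi
fi
```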