Configure BCAAA to use a Web Server Certificate Signed by a Microsoft PKI or Other Certificate Authority

book

Article ID: 169372

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When you install BCAAA on a machine in your network, it generates a self-signed certificate to use for SSL communication with your ProxySG appliances. This article details the steps to use a certificate signed by a Microsoft PKI or public Certification Authority (CA) server instead. 

Here is an overview of the process:
  1. Generate a Certificate Signing Request (CSR) and have it signed by the Microsoft PKI or other CAs.
  2. Import the two web server certificates and the CA certificate to the ProxySG.
  3. Enable SSL communication between the ProxySG and BCAAA.
  4. Install BCAAA and configure it to communicate over SSL only, place the .pfx cert in the BCAAA SSL Store. 

Cause

You would like to install BCAAA securely, using certificates signed by your own PKI or preferred CA server instead of the self signed certificate.

Resolution

Configuration Steps

Part 1:  Install BCAAA/Configure Windows Network 
  1. Create a DNS A record in your Windows network that points to the Server IP that BCAAA will be installed on, using an Fully Qualified Domain Name (FQDN).  The FQDN will serve as a Common Name (CN) for the SSL certificate. An example for the FQDN might be BCAAA.mycompany.com.
  2. Enable SSL on BCAAA during the installation of BCAAA.
    1. Install BCAAA and when prompted, choose Allow only SSL connections.
    2. When prompted if you would like to open or allow the BCAAA port on the server firewall, choose Yes.
    3. Configure the Common Name (CN) as defined in step 1 above, (after making sure that your DNS server is able to resolve the above FQDN).
    4. When prompted to select Save the automatically generated certificate in the certificate store, choose Yes.
    5. When prompted to select Require the ProxySG to provide a valid certificate in order to connect choose No..
    6. Click Install to run the installation process.
    7. Once the BCAAA installation is complete, verify that the bcaaa.ini (located in the BCAAA installation folder) and make sure the configuration appears is as below. If it is different, please modify the bcaaa.ini and restart the BCAAA service.
                       UseSSL=1
            CertificateSubject=mybcaaaserver.com
            SaveGeneratedCertificate=1
            VerifySG=0

                       ---------------------------------------------------------------

Part 2: ProxySG configuration
  1. Generate a Certificate Signing Request (CSR) on the ProxySG. Define the Common Name field as the FQDN you created earlier, that matches the DNS A record pointing to the IP address where BCAAA  is installed. For additional details on this process, see the following KB article: How to generate a CSR on the SG:  http://bluecoat.force.com/knowledgebase/articles/Solution/000008819-CreatingaCertificateSigningRequestCSR
  2. Using the CSR generated in step 1 generate a web server certificate on your internal Microsoft PKI or your preferred public CA.
  3. The CA signing process creates two files: 
    1. The web server certificate.  Give it a name: BCAAA_Cert.cer
    2. The CA Root Certificate. Give it a name: BCAAA_Root_Cert.cer
  1. Export the Certificates from the CA as a Base 64, PEM format. (Consult with you system administrator if you're not familiar with this process).
  2. Import BCAAA_Cert.cer and the BCAAA_Root_Cert.cer to the ProxySG and add them to the trusted certificate store. Steps to do this are as follows: 
    1. Open BCAAA_Cert.cer file using a text editor, highlight all text, right-click and select and copy.
    2. On the ProxySG go to Configuration > SSL > Keyrings.  Select the CSR BCAAA_Cert generated in step 1 and click Edit, Under the Certificate section, click Import and paste the BCAAA_Cert.cer in PEM format.
    3. In Configuration > SSL > CA Certificate. Under the CA Certificate tab click Import. Name the CA certificate: BCAAA_Web_Cert  (for example). Don't give it the same name as BCAAA_Cert as you will get an error, paste the BCAAA_Cert.cer (PEM). Click OK and Apply.
    4. In Configuration > SSL > CA Certificate. Under the CA Certificate tab click Import. Name the CA certificate: BCAAA_Root_Cert  (for example). Don't give it the same name as above as you will get an error, paste the CA Root Certificate (PEM). Click OK and Apply.
    5. In Configuration > SSL > CA Certificate, under the CA Certificate List tab, select Browser-trusted and click Edit. Locate BCAAA_Root_Cert and BCAAA_Web_Cert in the list on the left. Use Add>> to move each certificate to the right side. Click OK and Apply.
  3. In Configuration > Authentication > IWA Servers > check Enable SSL. Assign the Primary BCAAA server to use the FQDN as the host address, and not the IP address for that server. Select default under the SSL Device Profile.
  4. Extract the private key of the BCAAA_Cert from the ProxySG, as you will need it to generate a .pfx certificate that is needed for BCAAA Server. Steps and details are as follows: 
    1. SSH in to the ProxySG.
    2. Type enable to enter elevated privilege mode.
    3. Type config t to enter configuration termial mode
    4. Type ssl. The prompt displays as (config ssl)
    5. Type view keypair BCAAA_Cert. Note: this is case-sensitive.
    6. Copy everything listed including and between : -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
    7. Paste in to a text file, save the file with a name like BCAAA_Cert_Key. Once the file is saved, change the file extension to .key
  5. Make sure you have the below 3 files before you continue to the next step: 
                BCAAA_Cert.cer
                BCAAA_Root_Cert.cer
                BCAAA_Cert_Key.key
  1. This step is not performed on the ProxySG. You have to convert the three files in to one certificate. This is called a pfx certificate. This certificate is a combination of the Web Cert, Private Key and Root Cert. BCAAA will need this certificate to negotiate the SSL connection with the ProxySG. You can use openssl for this purpose, here is an example of the openssl command that would take the three files and combine them in to one .pfx certificate. You can name the output file BCAAA_certificate.pfx.
    1. openssl pkcs12 -export -out BCAAA_certificate.pfx -inkey BCAAA_Cert_Key.key -in BCAAA_Cert.cer -certfile BCAAA_Root_Cert.cer.  If you're not familiar with OpenSSL, consult the openssl forums or other OpenSSL documentation for assistance. 
    2. There are other tools and converters you can use to convert a cert, private key and the root in to a .pfx certificate, please contact your system adminstrator for assistance with this step#7

-------------------------------------------------------

Part 3: Install the PFX certificate on the BCAAA server.
  1. Import the BCAAA_certificate.pfx file in to the BCAAA Certificate Store on the server where BCAAA is installed.
  2. Move the file BCAAA_certificate.pfx to the server desktop where BCAAA is installed.
  3. Stop the BCAAA Service.
  4. Click Start > Run. The Run dialog opens. Follow these steps to install the PFX certificate:
    1. Type MMC in the Run dialog box and then click Ok.
    2. Select File > Add/Remove Snap-in. The Add/Remove Snap-in dialog displays.
    3. Click Add. The Add Standalone Snap-in dialog displays.
    4. Select Certificates from the Snap-in list and click Add. The Certificates snap-in wizard starts.
    5. Select Service Account and then click Next.
    6. Select Local computer and then click Next.
    7. From the Service Account list, select BCAAA, click Finish, and click Close.
    8. Click Ok to save your changes and close the Add/Remove Snap-in dialog.
    9. On the left side you will find Certificates - Service-(BCAAA) on Local Computer.
    10. In the list of certificate elements, select BCAAA/Personal (expand) > Certificates > and then delete any certificates if there are any. (there could be one or two)
    11. Select the Action menu, and select All Tasks >Import. Browse to where the BCAAA_certificate.pfx is located. Place the certificate in the BCAAA/Personal store and click Done.
    12. Windows will import the BCAAA_certificate.pfx and convert it to two files: one file is the will be the web certificate, and the other one file will be the root certificate.
    13. Close the MMC console.
    14. Start the BCAAA service.

-------------------------------------------------

To test the configuration, log in to the ProxySG and go to Configuration > Authentication > IWA > IWA Servers. Locate the Test Configuration section and click Test configuration. The proxy prompts you to enter a valid domain username and password. If successful, the test should succeed.