Create a certificate for CA device that is signed by Internal root CA


Article ID: 171713


Updated On:

Products

Content Analysis Software - CA

Issue/Introduction

You wish to use a certificate that is signed by your internal root Certificate Authority (CA) instead of the self-signed certificate that can be generated on the Content Analysis (CA) device.

Untrusted certificate exception page presented by Firefox:

Cause

If you use the default self-signed certificate, or even generate a new certificate, you will get an error about the certificate not being trusted.

This can be fixed by adding the self-signed certificate to the trusted certificate store on the clients, but it is a much simpler task to get the certificate signed by the internal root CA.

Resolution

The CA device lacks the capability to create a private key and a Certificate Signing Request (CSR) that can be signed by another device. For this reason you have to create the two off the device, for example with OpenSSL, and export the certificate and the private key into a P12 file. The process to complete this is below:

# Create the private key
openssl genrsa -out private.key 2048
# Create the CSR
openssl req -new -sha256 -key private.key -out MY.csr
# Take the CSR and ask MVM to sign it with the root CA using the web server template
# Take the private key and the crt/cer and create the P12 file - you will be asked to create a password on the export
openssl pkcs12 -export -inkey private.key -in CA.cer -out keystore.p12

 

Once you have the P12 file, you can import it into the CA device via the WebGUI > Settings > Web Management > Certificate Management >
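
The following script is an added example, not part of the original article or the product's tooling. It wraps the export step in checks that catch the usual failures before import: a signed certificate that does not chain to the root CA, a certificate that does not belong to private.key, and a P12 that cannot be reopened with its password. The names root.cer, P12_PASS, demo.cnf and the function names are assumptions, and the demo uses a constructed throwaway root CA in place of the internal one.

```shell
#!/usr/bin/env bash
# Added example: checks to run before importing keystore.p12 into the appliance.
# private.key, CA.cer and keystore.p12 are the article's file names; root.cer,
# P12_PASS and the function names are assumptions of this example.

# Succeeds only if the certificate carries the public key of the private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check the chain and the key match, export the P12, then re-open it to confirm
# the password. The password is read from $P12_PASS, not from the command line.
build_p12() {  # usage: build_p12 <key> <cert> <root-ca-cert> <out.p12>
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $3" >&2; return 2; }
  cert_matches_key "$2" "$1" ||
    { echo "certificate does not match $1" >&2; return 3; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$4" -passout env:P12_PASS || return 4
  openssl pkcs12 -in "$4" -noout -passin env:P12_PASS 2>/dev/null || return 5
}

# Constructed demo: a throwaway root CA stands in for the internal root CA.
demo() {
  local d rc=0; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    export P12_PASS='constructed-demo-password'
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
    openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.cer -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    openssl genrsa -out private.key 2048 2>/dev/null
    openssl genrsa -out other.key 2048 2>/dev/null
    openssl req -new -sha256 -config demo.cnf -key private.key -out MY.csr \
      -subj "/CN=ca.example.internal"
    openssl x509 -req -in MY.csr -CA root.cer -CAkey root.key -CAcreateserial \
      -out CA.cer -days 1 -sha256 2>/dev/null
    build_p12 private.key CA.cer root.cer keystore.p12 || exit 1
    # A key that was not used for the CSR must be rejected with status 3.
    rc=0; build_p12 other.key CA.cer root.cer bad.p12 2>/dev/null || rc=$?
    [ "$rc" -eq 3 ]
  ) || rc=$?
  rm -rf "$d"; return "$rc"
}
```

For real use, set P12_PASS in the environment and call build_p12 private.key CA.cer root.cer keystore.p12, where root.cer is the internal root CA certificate.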
