
"Certificate is not a Certificate Authority" error adding Self Managed Certificate in WSS Portal


Article ID: 253752


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Adding a Self Managed Certificate in the WSS portal using a GCP KMS provider.

All fields are valid and the CSR is generated as expected.

After the CSR is signed by the root CA and the signed certificate (the CSR response) is pasted back into the WSS Portal, the portal rejects it with the following errors:

"Certificate is not a Certificate Authority"

"Intermediate CA Certificate chain missing. You need to add a cert chain to activate this certificate. Paste existing cert chain below or create a CSR to obtain a new one."

Environment

Self Managed Certificate.

GCP KMS Provider.

Cause

The certificate issued by the signing CA is missing the X.509v3 extensions that mark it as a CA certificate (Basic Constraints CA:TRUE and a Key Usage that includes Certificate Sign). The WSS Portal therefore treats it as an end-entity certificate and refuses to activate it.

Resolution

Make sure that the CA signing the CSR issues a certificate with the Basic Constraints extension set to "CA:TRUE" and a Key Usage extension that includes keyCertSign (shown as "Certificate Sign" in openssl output). The certificate pasted back into the portal becomes the intermediate CA that Cloud SWG uses to issue per-site certificates during SSL/TLS inspection, so it must itself be a CA certificate; the extension file in step 5 of the Additional Information below shows the required settings.

Additional Information

The following steps create a test root CA, sign your CSR with it and verify the resulting certificate. Use them only for testing, or if you do not already have a root CA:

1. Create a directory in which the root CA files will be stored:

mkdir /Users/BobMarley/RootCA
cd /Users/BobMarley/RootCA

2. Run the following OpenSSL command to create the root CA (a self-signed certificate valid for five years, together with its 2048-bit RSA private key):

openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.pem

3. You are first prompted for a passphrase. It encrypts the root CA private key (rootCA.key), not the certificate. Remember this passphrase; you need it again when signing the CSR in step 6.

4. You are then prompted for the root CA attributes. This is the Distinguished Name (DN) that is incorporated into the certificate:

- There are quite a few fields but you can leave some blank.

- For some fields there will be a default value.

- If you enter '.', the field is left blank.

-----

Country Name (2 letter code) []:IE

State or Province Name (full name) []:Leinster

Locality Name (eg, city) []:Dublin

Organization Name (eg, company) []:Broadcom

Organizational Unit Name (eg, section) []:Support

Common Name (eg, fully qualified host name) []:RootCA

Email Address []:[email protected]

5. Create and save a server-cert-ext.cnf file in the /Users/BobMarley/RootCA directory with the following content. These are the X.509v3 extensions that will be added to the signed certificate; basicConstraints CA:TRUE and keyCertSign under keyUsage are the ones the WSS Portal checks for:

# X.509v3 extensions to add to the certificate signed from the WSS Portal CSR
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, nonRepudiation, keyEncipherment, dataEncipherment

6. Copy the CSR that the WSS Portal generated when you added the Self Managed Certificate into the /Users/BobMarley/RootCA directory (saved here as CertificateSigningRequest_GCP.csr) and sign it with the following OpenSSL command. You are prompted for the root CA key passphrase from step 3:

openssl x509 -req -extfile /Users/BobMarley/RootCA/server-cert-ext.cnf -in /Users/BobMarley/RootCA/CertificateSigningRequest_GCP.csr -CA /Users/BobMarley/RootCA/rootCA.pem -CAkey /Users/BobMarley/RootCA/rootCA.key -CAcreateserial -out smc.crt -days 365 -sha256

where rootCA.pem is the root CA certificate, rootCA.key is its private key, CertificateSigningRequest_GCP.csr is the file containing the WSS Portal CSR and smc.crt is the resulting signed certificate (the CSR response).

7. Validate that the signed certificate contains the right details (common name, organization name and the X.509v3 extensions) by running:

openssl x509 -noout -text -in smc.crt

The output must show "X509v3 Basic Constraints: CA:TRUE" and an "X509v3 Key Usage" that includes "Certificate Sign", as in the example below (modulus and signature shortened):

[email protected]:/etc/ssl> openssl x509 -in smc.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d3:b1:91:9b:7c:38:59:64
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IE, ST=Leinster, L=Dublin, O=Broadcom, OU=Support, CN=RootCA/[email protected]
        Validity
            Not Before: Nov  3 16:59:53 2022 GMT
            Not After : Nov  3 16:59:53 2023 GMT
        Subject: C=IE, ST=Leinster, L=Dublin, O=Broadcom, OU=Support, CN=TestInterCA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:33:c2:57:0b:ef:c3:60:39:fb:c8:e5:fc:74:
:
                    53:64:7d:c6:83:97:34:9e:d6:69:d7:91:14:21:04:
                    34:d7

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:A0:B2:F3:E5:B9:4D:FA:81:FB:C8:19:AF:A6:74:B3:E4:EC:B2:86:AE
            X509v3 Subject Key Identifier:
                5E:7E:AA:D0:8A:6E:51:91:72:30:14:C7:CD:8E:C9:9D:0B:F9:57:BC
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
         36:6c:d6:27:c9:93:2e:49:f0:cb:fe:65:b3:eb:df:7b:6b:8f:
 :
        d9:79:3f:5a:7a:14:47:b7:0f:bd:f3:10:86:2f:0b:b0:a3:ad:
         ce:38:a8:26

8. Assuming it is valid, paste the signed certificate (the CSR response) into the Self Managed Certificate you are adding in the WSS Portal and confirm that its status changes to "Available". At this point you can export the certificate and distribute it to all client hosts, so that they trust certificates issued under it, before enabling it with 'Use for SSL / TLS inspection'.
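The whole procedure, including the step 7 check, as an added POSIX shell example that is not part of the Broadcom article. It assumes only that the openssl CLI is on PATH. Because the real CSR comes from the WSS Portal (with the key held in GCP KMS), the script generates a local stand-in CSR instead; the root CA key is left unencrypted (-nodes) so the script runs unattended, and a minimal req.cnf is supplied so it does not depend on the system openssl.cnf. The file name bad-ext.cnf and the function names are this example's own. It signs the CSR twice, once with end-entity extensions (which reproduces the "not a Certificate Authority" condition) and once with the article's server-cert-ext.cnf, and reports which result the portal would accept.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: reproduces the
# "Certificate is not a Certificate Authority" failure and its fix, then applies
# the step 7 check automatically. Assumes only that the openssl CLI is on PATH.
# The CSR is generated locally as a stand-in for the one the WSS Portal produces;
# in real use, paste the portal's CSR into CertificateSigningRequest_GCP.csr.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
# v3_ca gives the test root the CA extensions a root must itself carry.
cat > req.cnf <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
commonName = Common Name
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 2 equivalent: test root CA. -nodes leaves the key unencrypted so the
# script runs unattended; the article's interactive command encrypts it.
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes -config req.cnf \
  -keyout rootCA.key -out rootCA.pem \
  -subj "/C=IE/ST=Leinster/L=Dublin/O=Broadcom/OU=Support/CN=RootCA" >/dev/null 2>&1

# Stand-in for the portal CSR (constructed here; the real key stays in GCP KMS).
openssl req -new -sha256 -newkey rsa:2048 -nodes -config req.cnf \
  -keyout smc.key -out CertificateSigningRequest_GCP.csr \
  -subj "/C=IE/ST=Leinster/L=Dublin/O=Broadcom/OU=Support/CN=TestInterCA" >/dev/null 2>&1

# Extension file that triggers the error: end-entity style, no CA:TRUE, no keyCertSign.
cat > bad-ext.cnf <<'EOF'
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# Extension file from step 5: what an intermediate CA for TLS inspection needs.
cat > server-cert-ext.cnf <<'EOF'
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, nonRepudiation, keyEncipherment, dataEncipherment
EOF

# sign_csr EXTFILE OUTFILE: step 6, sign the CSR with the test root CA.
sign_csr() {
  openssl x509 -req -extfile "$1" -in CertificateSigningRequest_GCP.csr \
    -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out "$2" -days 365 -sha256 >/dev/null 2>&1
}

# is_ca_cert CERTFILE: step 7 check. Succeeds only if the certificate carries
# Basic Constraints CA:TRUE and the Certificate Sign key usage, which is what
# the portal requires before it accepts the CSR response.
is_ca_cert() {
  text="$(openssl x509 -noout -text -in "$1")"
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  return 0
}

# chains_to_root CERTFILE: the signed certificate must also validate against the root.
chains_to_root() {
  openssl verify -CAfile rootCA.pem "$1" >/dev/null 2>&1
}

sign_csr bad-ext.cnf smc-bad.crt
sign_csr server-cert-ext.cnf smc.crt

for f in smc-bad.crt smc.crt; do
  if is_ca_cert "$f" && chains_to_root "$f"; then
    echo "$f: CA:TRUE and Certificate Sign present, chains to rootCA.pem: OK to paste into the WSS Portal"
  else
    echo "$f: would be rejected with 'Certificate is not a Certificate Authority'"
  fi
done
```

Run it as `sh check-smc.sh`; smc-bad.crt is reported as rejected and smc.crt as acceptable. To check a certificate you already signed, point `is_ca_cert` at it: the grep for "Certificate Sign" fails on a certificate whose Key Usage lists only Digital Signature and Key Encipherment, which is exactly the case that produces the portal error.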
