How to create a request for a third-party Sub-CA?
We want to use an HTTPS proxy appliance as a subordinate CA. The appliance can't create a request file for a subordinate certificate request. The Root-CA is a Windows Server 2008 R2 standalone Root-CA.
How can I create a request file for a third-party subordinate CA, which is running on a non-Windows appliance?
How can I import this request file so that the issued certificate is for a subordinate CA?
Thanks for your help.
August 4th, 2011 10:01am
You need to contact the appliance manufacturer.
You have not provided us with:
- type of appliance
- OS of appliance
- import formats supported by the appliance
Without this information, your question is almost impossible to answer.
Brian
August 4th, 2011 11:05am
Thanks for your reply. The information about the appliance is:
- type of appliance: Cisco Ironport Web Security Appliance
- OS of appliance: AsyncOS 7.1.3-011 for Web
- import formats supported by the appliance: PEM
Is this information helpful? Maybe we must create an INF file to create a request file with certreq and at the end export the cert and private key in PEM format.
August 5th, 2011 7:31am
Agree with Brian that you need to get all requirements and details about the required certificate. Once you have that you can use certreq.exe to generate a request and submit the request to your Root CA to issue the Sub CA certificate. Below you find a sample inf file to be used with certreq.exe to generate a key pair and a request for a CA certificate. You probably need to make more adjustments to the settings in the inf file to suit your requirements.
The steps to use the sample inf file are:
1. run the command: certreq.exe -new certreq.inf cacert.req
2. submit the cacert.req to your Root CA, issue the certificate and export the certificate to a file "newcacer.cer"
3. install the certificate by running the command: certreq.exe -accept newcacer.cer
4. export the certificate to a PFX file including the private key
5. using openssl, convert the PFX file to PEM format; good example: http://support.citrix.com/article/CTX106028
-------------- sample certreq.inf for CA --------------
[Version]
Signature="$Windows NT$"
[NewRequest]
; Subject of the Sub-CA certificate; adjust to your naming
Subject = "CN=subCA"
; Exportable is required so the private key can later be exported to PFX/PEM
Exportable = True
; key lives in the machine store, not the user store
MachineKeySet = True
; 1024 is below the 2048-bit minimum current clients expect; the follow-up post uses 2048
KeyLength = 1024
; key usage bits a CA certificate needs: sign certificates, sign CRLs, digital signature
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
[Extensions]
; 2.5.29.19 = basicConstraints: this is a CA, and no further CAs may be chained below it
2.5.29.19 = "{text}ca=1&pathlength=0"
; mark basicConstraints as critical
Critical = 2.5.29.19
August 5th, 2011 8:20am
On Fri, 5 Aug 2011 11:28:13 +0000, Ewoki wrote:
> - type of appliance: Cisco Ironport Web Security Appliance
Maybe I'm missing something here, but I don't see anything in the data sheets for this product that shows that it can function as a Certification Authority.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
On line: A statement shouted at tennis judges in response to serves being called out.
August 6th, 2011 5:53am
Thanks for your help. With your instructions we were able to create a Sub-CA certificate and private key for the Ironport Web Security Appliance.
Our inf file was in the following format:
*******************************
[Version]
Signature="$Windows NT$"
[Strings]
; name reused below for the Subject and the key container
CACN = "Issuing CA"
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
; named key container so the key pair is easy to find in the machine store
KeyContainer = "%CACN%"
[Extensions]
; basicConstraints: CA, no further sub-CAs below it
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
*******************************
Only step 5 needed to be changed:
* extract the certificate file (the signed public key) from the pfx file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
* extract private key from a pfx file and write it to PEM file:
openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
* remove the password from the private key file:
openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
That's all. Then you can import the Sub-CA cert and the private key into the Ironport appliance. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted).
Thanks for all.
August 8th, 2011 5:46am