Knowledge Center

How to create and import a Microsoft subordinate certificate authority (Sub CA) for Web Gateway 7.x
Technical Articles ID:   KB75037
Last Modified:  1/2/2018


McAfee Web Gateway (MWG) 7.x


The following procedures describe how to create a subordinate certification authority (Sub CA) from a Microsoft CA, for use by the Web Gateway 7.x SSL Scanner functionality.

NOTE: The following procedures assume that you are using Internet Explorer as your browser. The steps might vary if you are using a different browser.

Create the subordinate certificate authority

  1. Open the Certificate Authority page which is typically http://<server address>/certsrv.
  2. Click Request a Certificate.
  3. Click Advanced Certificate Request.
  4. Click Create and submit a request to this CA.
  5. Fill in the requested information for the Certificate:
    1. Ensure that you select Subordinate Certification Authority in the Certificate Template drop-down list.
    2. Fill in all identifying information in the first section such as name, email, company, department, city, state, country.
    3. Under the Key Options section, ensure that you set the keysize to a minimum of 2048.
    4. Ensure the check box for Mark keys as exportable is selected.
    5. Click Submit to submit the request.
  6. Click Install this Certificate, and install the certificate on your workstation.

Export the certificate

  1. From inside Internet Explorer, go to Tools, Internet Options, Content tab, and click Certificates. The Certificate you just imported appears under the Personal tab.
  2. Select it, and click Export. The Certificate Export Wizard starts.
  3. Complete the Certificate Export Wizard:
    1. Click Next at the first certificate screen.
    2. Select Yes, export the private key, and click Next.
    3. Ensure that Include certificates in the certification path if possible and Enable strong protection are both selected, and click Next.
    4. Enter a password, which is to be used when importing on the MWG, and click Next.
    5. Enter a filename, and specify where to save the file. It will be saved with a .pfx extension.

Export the PEM certificate and keyfile from the .pfx file

  1. Upload the .pfx file that you created in the previous steps to a machine with OpenSSL installed.
    NOTE: This example assumes that you are using MWG, which has OpenSSL installed. 
  2. Using WinSCP or a similar file transfer application, transfer the file to MWG, and note the directory to which you upload it.
  3. Export the files using the following commands:

    NOTE: These steps assume your .pfx filename is WebGateway.pfx. Substitute your actual filename.
    1. To export the PEM certificate, use the following command: openssl pkcs12 -in WebGateway.pfx -nokeys -out WebGateway.crt
    2. When prompted, enter the same password that you specified earlier. You will get a status message of MAC verified OK, indicating that the .crt file was generated.
    3. To export the keyfile, use the following command: openssl pkcs12 -in WebGateway.pfx -cacerts -nodes -out WebGateway.pem
    4. When prompted, enter the same password that you specified earlier. You will get a status message of MAC verified OK, indicating that the .crt file was generated.
  4. To clean up the files and get them in the correct format for MWG, run the following commands:

    To generate a clean certificate: openssl x509 -in WebGateway.crt -out SubCA-cert.pem
    To generate a clean private key: openssl rsa -in WebGateway.pem -out SubCA-key.pem
  5. Copy the newly generated files from the MWG file system to your workstation, using WinSCP or a similar file transfer application.

Import the Sub CA files into MWG
  1. Log on to the MWG web interface. Navigate to Policy, Settings, SSL Client Context with CA, Default CA, or the CA you want to import this certificate on.
  2. After selecting your CA, click Import on the right side of the screen:
    1. In the Certificate field, point MWG to the SubCA-cert.pem file that was generated in the last section.
    2. In the Private Key field, point MWG to the SubCA-key.pem file that was generated in the last section.
    3. Leave the Password field empty, unless you protected the private key with a new password in the last section.
  3. Click OK. Your new CA is imported on MWG.


The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.