How to create and import a Microsoft subordinate certificate authority (Sub CA) for Web Gateway 7.x
Technical Articles ID: KB75037
Last Modified: 11/21/2016


Environment

McAfee Web Gateway (MWG) 7.x

Summary

The following procedures describe how to create a subordinate certification authority (Sub CA) from a Microsoft CA for use by the Web Gateway 7.x SSL Scanner functionality.

NOTE: The following procedures assume you are using Internet Explorer as your browser. The steps may vary if you are using a different browser.

Create the subordinate certificate authority

  1. Open the Certificate Authority page (typically http://<server address>/certsrv).
  2. Click Request a Certificate.
  3. Click Advanced Certificate Request.
  4. Click Create and submit a request to this CA.
  5. Fill in the requested information for the Certificate:

    1. Ensure that you select Subordinate Certification Authority in the Certificate Template drop-down menu.
    2. Fill in all identifying information in the first section (name, e-mail, company, department, city, state, country).
    3. Under the Key Options section, ensure that you set the key size to a minimum of 2048.
    4. Ensure the checkbox for Mark keys as exportable is selected.
    5. Click Submit to submit the request.

  6. Click Install this Certificate, and install the certificate on your workstation.

Export the certificate

  1. In Internet Explorer, go to Tools, Internet Options, Content tab, and click Certificates. The certificate you just imported appears under the Personal tab.
  2. Select it, and click Export. The Certificate Export Wizard starts.
  3. Complete the Certificate Export Wizard:

    1. Click Next at the first certificate screen.
    2. Select Yes, export the private key, and click Next.
    3. Ensure that Include certificates in the certification path if possible and Enable strong protection are both selected, and click Next.
    4. Enter a password (to be used when importing on the MWG) and click Next.
    5. Enter a filename, and specify where to save the file. (It will be saved with a .pfx extension.)


Export the PEM certificate and keyfile from the .pfx file

  1. Upload the .pfx file you created in the previous steps to a machine with OpenSSL installed.
     
    NOTE: This example assumes you are using MWG, which has OpenSSL installed. 
     
  2. Using WinSCP or a similar file transfer application, transfer the file to MWG, and note the directory to which you upload it.
  3. Export the files using the following commands:

    NOTE: These steps assume your .pfx filename is WebGateway.pfx. Substitute your actual filename.

    1. To export the PEM certificate, use the following command: openssl pkcs12 -in WebGateway.pfx -nokeys -out WebGateway.crt
    2. When prompted, enter the same password you specified earlier. You should get a status message of MAC verified OK, indicating that the .crt file was generated.
    3. To export the keyfile, use the following command: openssl pkcs12 -in WebGateway.pfx -cacerts -nodes -out WebGateway.pem
    4. When prompted, enter the same password you specified earlier. You should get a status message of MAC verified OK, indicating that the .pem file was generated.

  4. To clean up the files and get them in the correct format for MWG, run the following commands:

    To generate a clean certificate: openssl x509 -in WebGateway.crt -out SubCA-cert.pem
    To generate a clean private key: openssl rsa -in WebGateway.pem -out SubCA-key.pem
    To generate a clean chain file: openssl x509 -in WebGateway.pem -out chain.pem

  5. Copy the newly generated files from the MWG file system onto your workstation (using WinSCP or a similar file transfer application).
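
The three files from the cleanup step can be checked for consistency before they are imported. The following is an added example, not part of the original article: the function name verify_subca is hypothetical, and it assumes the file names used above and an OpenSSL build that supports the pkey command and the -partial_chain option.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the files
# produced by the cleanup step before importing them into MWG.
# Usage: verify_subca SubCA-cert.pem SubCA-key.pem chain.pem
verify_subca() {
    cert=$1; key=$2; chain=$3; rc=0

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || text=

    # 2. The SSL Scanner issues certificates with this one, so it must be a CA.
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not a CA certificate (no CA:TRUE)" >&2; rc=1
    fi

    # 3. The key size must be at least 2048, as set under Key Options.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key size is ${bits:-unknown}, expected >= 2048" >&2; rc=1
    fi

    # 4. chain.pem must contain the issuer that signed the Sub CA certificate.
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain" >&2; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert, $key and $chain are consistent"
    return "$rc"
}
```

Because the key was exported with -nodes, WebGateway.pem and SubCA-key.pem hold the Sub CA private key unencrypted. Remove the copies left on the appliance and the workstation once the import into MWG succeeds.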

Import the Sub CA files into MWG

  1. Log in to the MWG web interface. Navigate to Policy, Settings, SSL Client Context with CA, Default CA (or the CA you want to import this certificate on).
  2. After selecting your CA, click Import on the right side of the screen:

    1. In the Certificate field, point MWG to the SubCA-cert.pem file that was generated in the last section.
    2. In the Private Key field, point MWG to the SubCA-key.pem file that was generated in the last section.
    3. Leave the Password field empty (unless you protected the private key with a new password in the last section).
    4. In the Certificate Chain field, point MWG to the chain.pem file that was generated in the last section.

  3. Click OK. Your new CA should be imported on MWG.
