Cisco Cisco Web Security Appliance S160 Guía Del Usuario
26-30
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 26 System Administration
Installing a Server Digital Certificate
Step 3
Contact a certificate authority (CA) to sign the certificate.
The certificate you upload to the appliance must meet the following requirements:
•
It must use the X.509 standard.
•
It must include a matching private key in PEM format. DER format is not supported.
•
The private key must be unencrypted.
The Web Security appliance cannot generate Certificate Signing Requests (CSR) for certificates
uploaded to the appliance. Therefore, to have a certificate created for the appliance, you must issue the
signing request from another system. Save the PEM-formatted key from this system because you will
need to install it on the appliance later.
uploaded to the appliance. Therefore, to have a certificate created for the appliance, you must issue the
signing request from another system. Save the PEM-formatted key from this system because you will
need to install it on the appliance later.
You can use any UNIX machine with a recent version of OpenSSL installed. Be sure to put the appliance
hostname in the CSR. Use the guidelines at the following location for information on generating a CSR
using OpenSSL:
hostname in the CSR. Use the guidelines at the following location for information on generating a CSR
using OpenSSL:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
Once the CSR has been generated, submit it to a certificate authority (CA). The CA will return the
certificate in PEM format.
certificate in PEM format.
If you are acquiring a certificate for the first time, search the Internet for “certificate authority services
SSL server certificates,” and choose the service that best meets the needs of your organization. Follow
the service’s instructions for obtaining an SSL certificate.
SSL server certificates,” and choose the service that best meets the needs of your organization. Follow
the service’s instructions for obtaining an SSL certificate.
Note
You can also generate and sign your own certificate. Tools for doing this are included with OpenSSL,
free software from
free software from
http://www.openssl.org
.
Intermediate Certificates
In addition to root certificate authority (CA) certificate verification, AsyncOS supports the use of
intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root CA
which are then used to create additional certificates. This creates a chained line of trust. For example, a
certificate may be issued by example.com who, in turn, is granted the rights to issue certificates by a
trusted root CA. The certificate issued by example.com must be validated against example.com’s private
key as well as the trusted root CA’s private key.
intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root CA
which are then used to create additional certificates. This creates a chained line of trust. For example, a
certificate may be issued by example.com who, in turn, is granted the rights to issue certificates by a
trusted root CA. The certificate issued by example.com must be validated against example.com’s private
key as well as the trusted root CA’s private key.
Uploading Certificates to the Web Security Appliance
To upload a digital certificate to the Web Security appliance, use the
certconfig
command.
The following example shows a certificate being uploaded. You can also add intermediate certificates
from this command.
from this command.
example.com> certconfig
Currently using the demo certificate/key for HTTPS management access.
Choose the operation you want to perform: