Ironport WSA https-certificate import

Memento: When exporting a root certificate (with its private key) from a Microsoft Root CA you get a pkcs#12-file (.pfx). In order to import this cert and key into the Cisco Ironport WSA as a root certificate you need to do this:


  1. Move the .pfx-file to a machine with openssl installed
  2. Run “openssl pkcs12 -in myinfile.pfx -out myoutfile.pem -nodes
  3. When prompted enter the password you used when exporting the cert/key on the CA server.
  4. Open the myoutfile.pem file in a texteditor.
  5. Copy the lines beginning with (and including!) the line “—–BEGIN CERTIFICATE—–” and until the end of the line “—–END CERTIFICATE—–“.
  6. Paste that content to a new file and save it to something like cert.pem
  7. Open the myoutfile.pem again in a text editor.
  8. Copy the lines beginning with line “—–BEGIN RSA PRIVATE KEY—–” and ending with the line “—–END RSA PRIVATE KEY—–“.
  9. Paste the content to a new file and save it to something like key.pem.
  10. Select the files as Certificate and Key respective in the WSA GUI under Security Services-HTTPS Proxy-Edit Settings…-Root Certificate for signing-Use Generated Certificate and Key.

I have googled this so many times now. Hopefully google will index this rapidly and next time I google it I will see my own blog post as the first search result. 🙂

Memento is… oh sorry, forgot what to write here…

Posted in Uncategorized
One comment on “Ironport WSA https-certificate import
  1. Victor says:

    Thanks for keeping this article for this 3 years..
    It save me today..

    thanks a lot

Leave a Reply

Your email address will not be published.



[mc4wp_form id="2457"]
Website Security Test