Memento: When you export a root certificate (with its private key) from a Microsoft Root CA, you get a PKCS#12 file (.pfx). To import this cert and key into the Cisco Ironport WSA as a root certificate, you need to do this:
- Move the .pfx file to a machine with openssl installed.
- Run "openssl pkcs12 -in myinfile.pfx -out myoutfile.pem -nodes".
- When prompted, enter the password you used when exporting the cert/key on the CA server.
- Open the myoutfile.pem file in a text editor.
- Copy the lines beginning with (and including!) the line "-----BEGIN CERTIFICATE-----" through the end of the line "-----END CERTIFICATE-----".
- Paste that content into a new file and save it as something like cert.pem.
- Open myoutfile.pem again in a text editor.
- Copy the lines beginning with the line "-----BEGIN RSA PRIVATE KEY-----" and ending with the line "-----END RSA PRIVATE KEY-----".
- Paste the content into a new file and save it as something like key.pem.
- Select the files as Certificate and Key respectively in the WSA GUI under Security Services > HTTPS Proxy > Edit Settings… > Root Certificate for signing > Use Generated Certificate and Key.
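The copy-and-paste steps above can be scripted. This is an added example, not part of the original post: the function names are made up here, the file names follow the post, and it also accepts the "BEGIN PRIVATE KEY" (PKCS#8) header that newer OpenSSL releases write instead of "BEGIN RSA PRIVATE KEY".

```shell
#!/bin/sh
# Added example: scripts the manual copy/paste steps. File names follow the
# post; the function names are made up for this example.

# Print only the PEM blocks whose label matches regex $2, dropping the
# "Bag Attributes" text that openssl writes between the blocks.
extract_pem() {
    awk -v want="$2" '
        /^-----BEGIN / { keep = ($0 ~ ("^-----BEGIN " want "-----")) }
        keep           { print }
        /^-----END /   { keep = 0 }
    ' "$1"
}

# Split the -nodes output into a certificate file and a key file.
# Returns non-zero unless exactly one certificate and one key were found.
split_bundle() {
    bundle=$1; cert_out=$2; key_out=$3
    (
        umask 077   # the key is unencrypted, so create owner-only files
        extract_pem "$bundle" 'CERTIFICATE' > "$cert_out"
        extract_pem "$bundle" '(RSA )?PRIVATE KEY' > "$key_out"
    )
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert_out")" -eq 1 ] &&
    [ "$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$key_out")" -eq 1 ]
}

# Check that the key belongs to the certificate by comparing public keys.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Typical run:
#   openssl pkcs12 -in myinfile.pfx -out myoutfile.pem -nodes
#   split_bundle myoutfile.pem cert.pem key.pem && pair_matches cert.pem key.pem
#   rm -f myoutfile.pem    # cleanup added here: do not leave the bundle behind
```

Because -nodes writes the root CA key unencrypted, the script creates cert.pem and key.pem readable by their owner only.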
I have googled this so many times now. Hopefully google will index this rapidly and next time I google it I will see my own blog post as the first search result. 🙂
Memento is… oh sorry, forgot what to write here…