itsec
Level 7

Creating a Subordinate CA (7.3.0) Guide - RFC

I had to create both a user interface certificate and a subCA from our internal Windows CA and had a few issues. 
I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
This guide is for creating the Subordinate CA. I have posted another for the User Interface Certificate: https://community.mcafee.com/message/278401#278401

As the title of the post suggests, it's an RFC too, so please comment.
Version is 7.3.0 (13875)

I based this on information in the following posts and my own trial & error:

https://community.mcafee.com/thread/40718?start=10&tstart=0
https://community.mcafee.com/message/214051#214051
https://community.mcafee.com/message/265098#265098 

1.      On the internal CA website https://<yourinternalca>/certsrv/ > Request cert > advanced cert > template: Subordinate Cert Auth
           Fill in details:
Name:      <---<choose a suitable name>
email:
Company:
Dept: 
City:
State:
Country:

Other details:

  • Create new key set with key size 1024
  • Automatic key container name
  • Mark as exportable
  • Format: CMC

2.      Install to PC and then export including private key (eg export.pfx)
                Include all certs in path
                Enable strong protection

3.      Copy export.pfx file to MWG using WinSCP

4.      Logon to the mwg via ssh

5.      Run these commands from the ssh session. The first writes the certificates (no keys) from the .pfx to CA.crt:

          openssl pkcs12 -in export.pfx -nokeys -out CA.crt

[root@MWG ~]# openssl pkcs12 -in export.pfx -nokeys -out CA.crt
Enter Import Password:     <---use password used to create the cert
MAC verified OK

[root@MWG ~]# ls
CA.crt  export.pfx

          The second writes the private key (unencrypted, because of -nodes) together with the other certificates in the chain to CA.key. Because CA.key holds the key in clear, remove it once newCA.pem has been written in step 6:

          openssl pkcs12 -in export.pfx -cacerts -nodes -out CA.key

[root@MWG ~]# openssl pkcs12 -in export.pfx -cacerts -nodes -out CA.key
Enter Import Password:
MAC verified OK

[root@MWG ~]# ls
CA.crt  CA.key  export.pfx

6.      Use CA.key to write the RSA key, encrypted with a pass phrase:

          openssl rsa -in CA.key -des3 -out newCA.pem

[root@MWG ~]# openssl rsa -in CA.key -des3 -out newCA.pem
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

7.      Use WinSCP to copy CA.crt & newCA.pem to PC

8.      Open WebGUI and browse to Policy > Settings tab > Engines > SSL Client Context with CA > right-click Add > Name > Import

9.      Browse to the files. Make sure you use the root CA for the certificate chain; see the post "Creating a User Interface Certificate - Definitive guide - RFC"

[https://community.mcafee.com/message/278401#278401] for details on exporting that.

10.      OK > logout > close browser

When next going to a blocked https site (e.g. https://docs.google.com) you can check the certificate and certificate path.
It should contain the internal root CA, then the MWG, and then an entry for the website that is blocked, e.g. docs.google.com.
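To check the extracted files before they are imported in step 8, here is an added shell example (my own, not part of the original post): it builds a throwaway root CA and subordinate CA in a temp directory as a stand-in for the Windows CA export, runs the same openssl commands as steps 5 and 6, and then confirms the certificate is really a CA, the encrypted key belongs to it, and it chains to the root. The "Test ..." names and the passwords are constructed values; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original post. Everything below runs on a
# constructed root CA + sub CA pair; swap in the real export.pfx to check it.
set -e

# make_test_pfx DIR PASS : constructed stand-in for the exported .pfx
make_test_pfx() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Internal Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test MWG Sub CA" \
    -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/sub.crt" 2>/dev/null
  # chain included, like "Include all certs in path" in step 2
  openssl pkcs12 -export -inkey "$1/sub.key" -in "$1/sub.crt" \
    -certfile "$1/root.crt" -passout "pass:$2" -out "$1/export.pfx"
}

# extract_and_check DIR PFXPASS PEMPASS : steps 5-6, then four checks.
# The body is a subshell, so "exit N" only ends this function.
extract_and_check() (
  cd "$1"
  openssl pkcs12 -in export.pfx -nokeys -passin "pass:$2" -out CA.crt
  openssl pkcs12 -in export.pfx -cacerts -nodes -passin "pass:$2" -out CA.key
  openssl rsa -in CA.key -des3 -passout "pass:$3" -out newCA.pem 2>/dev/null
  # 1. the first cert in CA.crt must really be a CA (basicConstraints CA:TRUE)
  openssl x509 -in CA.crt -noout -text | grep -q 'CA:TRUE' || exit 1
  # 2. the encrypted key must belong to that cert (same RSA modulus)
  cm=$(openssl x509 -in CA.crt -noout -modulus)
  km=$(openssl rsa -in newCA.pem -passin "pass:$3" -noout -modulus 2>/dev/null)
  [ "$cm" = "$km" ] || exit 2
  # 3. the sub CA must chain to the internal root
  openssl verify -CAfile root.crt CA.crt >/dev/null 2>&1 || exit 3
  # 4. CA.key holds the unencrypted private key; do not leave it on the box
  rm -f CA.key
  echo OK
)

# Demo: sh this.sh run
if [ "${1:-}" = run ]; then
  d=$(mktemp -d)
  make_test_pfx "$d" pfxpass
  extract_and_check "$d" pfxpass pempass
fi
```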

Hope this helps

:-)
