I had to create both a user interface certificate and a subordinate CA from our internal Windows CA and had a few issues.
I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
This guide is for creating the User Interface Certificate. I have posted another for the Subordinate CA.
As the title of the post suggests, it's an RFC too, so please comment.
Version is 7.3.0 (13875)
I based this on information in the following posts and my own trial & error:
1. Export your internal CA from your PC certificate store. Importing the certificate chain does not work so export in Base-64 encoded.
1.1. On your PC > MMC > Add Certificates snap-in > either My user account or Computer account
1.2. Expand Certificates > Trusted Root Certification Authorities > Certificates
1.3. Highlight _your_internal_CA_ > right-click > All Tasks > Export
1.4. Select Base-64 encoded > Next > save locally
2. Log on to the mwg via ssh
3. Run this command to create the csr & create a PEM pass phrase:
openssl req -out testmgw.csr -new
[root@MWG ~]# openssl req -out testmgw.csr -new
Generating a 2048 bit RSA private key
writing new private key to 'privkey.pem' <---Note that private key is being created here
Enter PEM pass phrase: <---Enter suitable passphrase
Verifying - Enter PEM pass phrase: <---Confirm passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]: <---Change to site country
State or Province Name (full name) : <---Change to site location or leave blank
Locality Name (eg, city) [Default City]: <---Change to site city or leave blank
Organization Name (eg, company) [Default Company Ltd]: <---Change to co. name
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) : <---Enter either servername/ IP here
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : <---Leave blank
An optional company name : <---Leave blank
4. Create an RSA private key by running the openssl command below & fill in the details
openssl rsa -in privkey.pem -des3 -out testmwg.pem
[root@MWG ~]# openssl rsa -in privkey.pem -des3 -out testmwg.pem
Enter pass phrase for privkey.pem:
writing RSA key
Enter PEM pass phrase: <---passphrase from step 3
Verifying - Enter PEM pass phrase: <-- verify passphrase
[root@MWG ~]# ls -l
-rw-r--r-- 1 root root 1834 Mar 4 12:47 privkey.pem
-rw-r--r-- 1 root root 985 Mar 4 12:47 testmgw.csr
-rw-r--r-- 1 root root 1743 Mar 4 12:50 testmwg.pem
5. Copy the testmwg.csr and testmwg.pem files off the mwg using winscp or similar
6. Use the testmwg.csr to get a server certificate from https://<yourinternalca>/certsrv/ > Select Request a certificate
7. Select "Submit a request by using base-64-encoded…"
8. Open the testmwg.csr file in notepad and copy into the Saved Request field > template is Web Server > Submit
9. Download the certificate [certificate only; NOT certificate chain] in Base 64 encoded.
10. Log on to the Web Gateway > Click Configuration tab > expand Appliances (Cluster) > servername > User Interface > User Interface Certificate > Import
11. Browse to the files > enter private key password > OK
Files needed are the internal root CA from step 1, the *.pem created in step 4 & the *.cer downloaded in step 9
12. Save Changes > Log out > close browser.
When you next log on there should be no certificate errors. You can also now host the proxy.pac and serve it over https.
Hope this helps
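Before the import in step 11 it is worth confirming that the three files actually belong together, since a key/certificate mismatch or a certificate that does not chain to the CA you upload is the usual cause of a failed import. The script below is an added example, not from the post or the Web Gateway product: it checks that the private key, the CSR and the issued certificate carry the same public key and that the certificate verifies against the CA file (which may be the root alone, or root and intermediate PEMs concatenated), then exercises itself on a constructed throw-away CA. The file names testmwg.*, the passphrase "demo" and the CN values are made up for the demo.

```shell
#!/bin/sh
# Sanity-check a UI certificate set before importing it into Web Gateway:
# the private key, the CSR and the issued certificate must carry the same
# public key, and the certificate must chain to the CA file you import.
set -eu

# mwg_cert_check KEY CSR CERT CAFILE [KEY_PASSPHRASE]; 0 = all good, 1 = problem
mwg_cert_check() {
  key=$1 csr=$2 cert=$3 cafile=$4 pass=${5:-} passin=""
  if [ -n "$pass" ]; then passin="-passin pass:$pass"; fi
  # Same public key derived from each artefact, or they don't belong together
  pk_key=$(openssl pkey -in "$key" $passin -pubout 2>/dev/null) || return 1
  pk_csr=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
  pk_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ "$pk_key" = "$pk_csr" ] || { echo "key and CSR do not match" >&2; return 1; }
  [ "$pk_key" = "$pk_cert" ] || { echo "key and certificate do not match" >&2; return 1; }
  # CAFILE may be the root alone or root + intermediate PEMs concatenated
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $cafile" >&2; return 1; }
}

# Constructed stand-in for the internal CA plus the key/CSR flow from the guide
build_demo() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Internal CA" -days 30 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.crt" \
    -subj "/CN=Unrelated CA" -days 30 2>/dev/null
  # Steps 3 and 4 of the guide, non-interactive: CSR + key, then re-encrypt with des3
  openssl req -new -newkey rsa:2048 -keyout "$d/privkey.pem" -passout pass:demo \
    -out "$d/testmwg.csr" -subj "/CN=mwg.example.internal" 2>/dev/null
  openssl rsa -in "$d/privkey.pem" -passin pass:demo -des3 -passout pass:demo \
    -out "$d/testmwg.pem" 2>/dev/null
  # What the Windows CA hands back in step 9 (certificate only, Base-64)
  openssl x509 -req -in "$d/testmwg.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/testmwg.cer" 2>/dev/null
}

tmp=$(mktemp -d)
build_demo "$tmp"
mwg_cert_check "$tmp/testmwg.pem" "$tmp/testmwg.csr" "$tmp/testmwg.cer" "$tmp/ca.crt" demo \
  && echo "OK: key, CSR and certificate match and chain to ca.crt"
rm -rf "$tmp"
```

On the appliance you would run mwg_cert_check against the real testmwg.pem, testmwg.csr, the downloaded .cer and the exported CA file; the build_demo part exists only so the script can demonstrate itself.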
All steps are working for me but since we have a root and intermediate certificate, I am still receiving a certificate error (that I can bypass) with FF. I have tried to import a certificate chain (p7b) but as stated in your document, it is not working. Is there a way to import a certificate chain for the GUI Cert?