
Creating a User Interface Certificate Guide (7.3.0) - RFC

I had to create both a user interface certificate and a subordinate CA from our internal Windows CA and had a few issues. 
I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
This guide is for creating the User Interface Certificate.  I have posted another for the Subordinate CA.

As the title of the post suggests, it's an RFC too, so please comment.
Version is 7.3.0 (13875)

I based this on information in the following posts and my own trial & error: 

1. Export your internal CA from your PC certificate store. Importing the certificate chain does not work so export in Base-64 encoded.
1.1. On your PC > MMC > Add Certificates snap-in > either My user account or Computer account

1.2. Expand Certificates > Trusted Root Certification Authorities > Certificates

1.3. Highlight _your_internal_CA_ > right-click > All Tasks > Export
1.4. Select Base-64 encoded > Next > save locally

2. Logon to the mwg via ssh

3. Run this command to create the csr & create a PEM pass phrase:

openssl req -out testmgw.csr -new

[root@MWG ~]# openssl req -out testmgw.csr -new
Generating a 2048 bit RSA private key
writing new private key to 'privkey.pem'  <---Note that private key is being created here
Enter PEM pass phrase:  <---Enter suitable passphrase
Verifying - Enter PEM pass phrase:  <---Confirm passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:  <---Change to site country
State or Province Name (full name) []:  <---Change to site location or leave blank
Locality Name (eg, city) [Default City]:  <---Change to site city or leave blank
Organization Name (eg, company) [Default Company Ltd]:  <---Change to co. name
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:  <---Enter either servername/ IP here
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  <---Leave blank
An optional company name []:  <---Leave blank
[root@MWG ~]#

4. Create an RSA private key by running the openssl command below & fill in the details

openssl rsa -in privkey.pem -des3 -out testmwg.pem

[root@MWG ~]# openssl rsa -in privkey.pem -des3 -out testmwg.pem
Enter pass phrase for privkey.pem:
writing RSA key
Enter PEM pass phrase:  <---passphrase from step 3
Verifying - Enter PEM pass phrase:  <---verify passphrase

[root@MWG ~]# ls -l
-rw-r--r-- 1 root root 1834 Mar  4 12:47 privkey.pem
-rw-r--r-- 1 root root  985 Mar  4 12:47 testmgw.csr
-rw-r--r-- 1 root root 1743 Mar  4 12:50 testmwg.pem
[root@MWG ~]#

5. Copy the testmwg.csr and testmwg.pem files off the mwg using winscp or similar

6. Use the testmwg.csr to get a server certificate from https://<yourinternalca>/certsrv/ > Select Request a certificate

7. Select "Submit a request by using base-64-encoded…"

8. Open the testmwg.csr file in notepad and copy into the Saved Request field > template is Web Server > Submit

9. Download the certificate [certificate only; NOT certificate chain] in Base 64 encoded.

10. Logon to the Web Gateway > Click Configuration tab > expand Appliances (Cluster) > servername > User Interface > User Interface Certificate > Import

11. Browse to the files > enter private key password > OK

Files needed are the internal root CA from step 1, the *.pem created in step 4 & the *.cer downloaded in step 9

12. Save Changes > Log out > close browser. 

When next logging on there should be no certificate errors. You can also now host the proxy.pac and serve it over https.

Hope this helps
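As an added example (not part of the original post and not McAfee Web Gateway's own tooling), here is a scripted, non-interactive version of steps 3 and 4 together with the checks worth running on the files before step 10: that the re-encrypted key still opens with its pass phrase, that it is the key behind both the CSR and the issued certificate, that the key file on disk is really encrypted, and that the certificate verifies against the CA you exported in step 1. The Windows CA of steps 6 to 9 is replaced by a throwaway test root so the script runs offline; every file name, DN value, hostname and pass phrase is a constructed placeholder, and only openssl (1.1.1 or 3.x) on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original post or the MWG product: scripted
# steps 3-4 plus pre-import checks. The Windows CA is simulated by a
# throwaway root so everything runs offline. All names below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYPASS="${KEYPASS:-ChangeMe-Example}"   # stand-in for the PEM pass phrase from step 3

# Step 3: 2048-bit RSA key plus CSR. -subj replaces the interactive DN
# prompts; the CN is the name clients will use to reach the gateway UI.
make_csr() {
    cn="$1"
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$WORKDIR/privkey.pem" -passout "pass:$KEYPASS" \
        -out "$WORKDIR/testmwg.csr" \
        -subj "/C=GB/ST=Example/L=Example City/O=Example Co/CN=$cn" 2>/dev/null
}

# Step 4: write the same key back out as a DES3-encrypted PEM under the
# pass phrase that the import dialog in step 11 will ask for.
reencrypt_key() {
    openssl rsa -in "$WORKDIR/privkey.pem" -passin "pass:$KEYPASS" \
        -des3 -passout "pass:$KEYPASS" -out "$WORKDIR/testmwg.pem" 2>/dev/null
}

# Stand-in for steps 6-9: a throwaway self-signed root signs the CSR and
# adds a subjectAltName, which current browsers check instead of the CN.
issue_with_test_ca() {
    cn="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORKDIR/testca.key" -out "$WORKDIR/testca.cer" \
        -subj "/O=Example Co/CN=Example Test Root CA" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$WORKDIR/san.cnf"
    openssl x509 -req -in "$WORKDIR/testmwg.csr" -sha256 -days 30 \
        -CA "$WORKDIR/testca.cer" -CAkey "$WORKDIR/testca.key" -CAcreateserial \
        -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/testmwg.cer" 2>/dev/null
}

# Check 1: the re-encrypted key opens with the pass phrase and is the key
# behind the CSR and the issued certificate (identical RSA modulus).
key_matches_csr_and_cert() {
    k=$(openssl rsa -in "$WORKDIR/testmwg.pem" -passin "pass:$KEYPASS" -noout -modulus 2>/dev/null)
    r=$(openssl req -in "$WORKDIR/testmwg.csr" -noout -modulus)
    c=$(openssl x509 -in "$WORKDIR/testmwg.cer" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Check 2: the key file that gets copied off the box is really encrypted
# (both the traditional and the PKCS#8 PEM headers carry this word).
key_file_is_encrypted() {
    grep -q ENCRYPTED "$WORKDIR/testmwg.pem"
}

# Check 3: the certificate chains to the CA file exported in step 1 (here
# the test root); this is the check the browser makes after step 12.
cert_verifies_against_ca() {
    openssl verify -CAfile "$WORKDIR/testca.cer" "$WORKDIR/testmwg.cer" >/dev/null 2>&1
}

# Check 4: the CN in the issued certificate is the one that was requested.
cert_cn() {
    openssl x509 -in "$WORKDIR/testmwg.cer" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Runs the whole flow for one hostname; returns 0 only if every check passes.
run_flow() {
    cn="$1"
    make_csr "$cn" && reencrypt_key && issue_with_test_ca "$cn" \
        && key_matches_csr_and_cert && key_file_is_encrypted \
        && cert_verifies_against_ca && [ "$(cert_cn)" = "$cn" ]
}

run_flow "mwg.example.internal" && echo "all checks passed, files are in $WORKDIR"
```

Against a real deployment, swap the test root for the Base-64 CA file from step 1 and the test certificate for the .cer downloaded in step 9; `openssl verify -CAfile` on those two files tells you before the import whether the CA you are about to upload is actually the issuer of the certificate. The SAN line is an addition to the original guide: the CN-only certificate from step 3 was enough for browsers in 2013, but current browsers match the hostname against the subjectAltName, so ask for it on the Web Server template.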



Re: Creating a User Interface Certificate Guide (7.3.0) - RFC

All steps are working for me but since we have a root and intermediate certificate, I am still receiving a certificate error (that I can bypass) with FF. I have tried to import a certificate chain (p7b) but as stated in your document, it is not working. Is there a way to import a certificate chain for the GUI Cert???
