eelsasser
McAfee Retired
Message 11 of 20

Re: Howto add new certificate authorities?

If you have a 6.x configuration with your desired CAs in it already, you can use the listConverter to export and re-import the whole list to MWG7.

I just don't have a way to merge a list of new CAs into an existing set of CAs for 7. I guess I could write a tool.

Former Member
Not applicable
Message 12 of 20

Re: Howto add new certificate authorities?

Maybe I did something completely wrong, but:

bund1.jpg

with this config

mwgconf1.jpg

and these lists

mwgconf2.jpg

Where is my mistake?

asabban
McAfee Employee
Message 13 of 20

Re: Howto add new certificate authorities?

Hi northalpha,

The error message claims that the RootCA which signed the certificate for www.bund.de is not in the list of known CAs in your MWG7 configuration. Did you ensure the CAs are in your list of known RootCAs?

Unfortunately I cannot see this in the screenshots.

Best,

Andre

Former Member
Not applicable
Message 14 of 20

Re: Howto add new certificate authorities?

Yes, you are right: after importing TCTrustCenterClass2CAII.crt and TCTrustCenterClass2L1CAXI.crt it is working. But to be honest: why change the built-in way to "add CAs" as in the 6.8 Webwasher releases? It was more user-friendly than copying and importing by yourself ...

asabban
McAfee Employee
Message 15 of 20

Re: Howto add new certificate authorities?

Hi northalpha,

Are you talking about the "Inspect certificate" feature in MWG6? The dialogue that presented you with the RootCAs and showed which were denied/allowed?

I agree this was very comfortable. We have something similar for adding certificates to the "Certificate White List", but that does not allow adding RootCAs.

We are working on improving the RootCA experience in the future by making it a list that updates dynamically, so most likely you will not need to manually touch the list in the future. Only for very few RootCAs a manual import may be required, for example for your own, internal CA.

I assume this will be a much better implementation in the future, but at the moment it is - I agree - not the easiest way of importing RootCAs.

Best,

Andre

Troja
Reliable Contributor
Message 16 of 20

Re: Howto add new certificate authorities?

Hi Andre,

I get error messages from the rule engine when using the CA list from WW6:

An internal error occured while processing your request.

URL: https://www.xing.com/
URL Categories: Professional Networking
Current Rule ID: 18068
Current Rule Name: Block Expired Server (7 Day Tolerance) and Expired CA Certificates
Error Message: (10056) Internal rule engine error: property is in unexpected state.


Company Acceptable Use Policy
This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html.

Client IP: x.x.x.x
User Name:ts
Request Protocol and Version: HTTP/1.1
Response Protocol and Version:
Authentication Realm: MYDOMAIN
IsAuthenticated: true
Authentication Method:NTLM

URL Categories: Professional Networking
URL Host: www.xing.com

Body File Name:
Body ClassID:
Media Type (enshured): application/x-empty
Media Type (from Header):
Media Type (is supported): false
Rule Name: Block Expired Server (7 Day Tolerance) and Expired CA Certificates
Rule ID: 18068
Response.Redirect.URL:
URL: https://www.xing.com/
Cacheable: false
Cache Status: TCP_MISS
Rule.FiredRule.Names: Bypass ePO Requests, Header Modifications, Global Block, Global Whitelist, SSL Scanner, Handle CONNECT Call, Set Client Context, Enable Certificate Verification, Default, Block on Antimalware Engine errors, Block on All Errors, Ignore COACHING: untrusted CAs, Authentication (Direct Proxy), Authentication, Authorize, URL Filtering, URL Filter Rules, Enable SafeSearchEnforcer, Common Rules, Web Cache, SPP: Skip Requests That Do Not Carry Information, Enable Opener, Enable Composite Opener, Media Type Filtering, HTML Filtering, Remove Content-Encoding header, Gateway Antimalware, Remove Partial Content for HTTP(s) Requests, Global Block, Global Whitelist, SSL Scanner, Certificate Verification, Default, Block on Antimalware Engine errors, Block on All Errors, Always Block
asabban
McAfee Employee
Message 17 of 20

Re: Howto add new certificate authorities?

Hi Thorsten,

That sounds odd. I have just tried to replicate this but I am unable to. What I have done is:

- import the XML via Rule Set Library -> Import from File

- Save Changes

- Go to Settings -> Certificate Chain -> Default, change the list from the original list to the newly imported one

- Save again

It seems that the first rule that tries to utilize the list of certificates causes an error. Is there anything in one of the error logs maybe?

Best,

Andre

Troja
Reliable Contributor
Message 18 of 20

Re: Howto add new certificate authorities?

Hi Andre,

Yes, I did it nearly the same way.

- imported the xml file

- saved the configuration

- changed the "List of certificate authorities" directly in the rule set

- saved the configuration

- disabled any rule where the CA list is used. (When changing back, MWG was only working fine after disabling/enabling any rule where the CA list was used.)

I also enabled/disabled the rules step by step. Andre, you are right. Any rule where the imported CA list is used is not working any more.

I will take a look tomorrow.

Cheers,

Thorsten

asabban
McAfee Employee
Message 19 of 20

Re: Howto add new certificate authorities?

Good point 🙂

I have attached an XML which contains the RootCAs as they come with a blank 6.9 installation. You can import the list via the Rule Set library. Thorsten, maybe you want to have a look into the list?

Hint: I have NOT tested this but it looks good. After import you may need to touch the SSL Scanner Ruleset and point it to the correct list of RootCAs!

Best,

Andre

Message edited by asabban on 21.07.11 08:35:01 CDT
Troja
Reliable Contributor
Message 20 of 20

Re: Howto add new certificate authorities?

Hi Andre,

Perfect, I will take a look at this ruleset 🙂

Cheers,

Thorsten
