For my first post here I bring you a really weird problem.
For a customer I have build a cluster of two 1100e appliances. App 1 is the master App 2 a node. At this point the master is also the CA. Because the CA is a selfsigned CA users are getting a warning when opening a https page through the appliance. The customer does not have a CA server in its network so I have to request a certificate at a trusted authority. I chose to request a 30 day free certificate first for testing. I did the following steps:
- Make a CSR on the master (made a key file and put in a password at the csr dialog). I followed the manual on this one.
- I uploaded the CSR file to a public CA and received my certificate.
- On the appliance under certificate management I uploaded the certificate, key file and password.
- The appliance accepted the certificate.
- Rebooted the appliance.
- After the reboot I checked the CA under certificate management and I got back a working validated certificate.
My problem is that none of the https pages going trough the appliance are working. no error messages, just "page cannot be displayed". The https management page on the appliance is also not working any more. My second problem is that the node appliance copied the certificate from the master, which is signed to the master hostname not the node's. How do I prevent the node copying the certificate so I can upload a publicly signed one signed to its hostname?
Any help would be greatly appreciated.
I have also submitted a support ticket for this problem but so far they have not found any solution. Can someone tell me if I did the correct steps to assign a CA to my appliance? My goal is to have SSL scanning without a self-signed certificate warning for the end users.
It cannot be done.
In order for MWG to perform SSL scanning it has to be a CA or sub-ordinate CA that has the ability to generate other SSL certs.
A public CA will not issue a certificate that has signing authority for other SSL certs.
Therefore, the only way to do SSL scanning is to have MWG as its own CA, or as a sub-ordinate CA from an internal Certificate authority. If you had a Microsoft CA already on the domain and its CA certificate has been distributed to the clients already, by making MWG a sub-ordinate from your own MS CA, you could do SSL scanning because the MS CA is already deployed to the client.
There is no other way for MWG or any other SSL decryption product.
Thanks. Looks like I will have to try to get the customer to implement a CA server. The documentation from McAfee could be better on this topic.
Some of this information is already discussed in the documentation.
Please see PD22642 on page 41 (https://kc.mcafee.com/corporate/index?page=content&id=PD22642) for importing a sub-ordinate CA from a microsoft authority.
Let me know if you were looking for different information, and I'll see if I can find any other resources.
~jonMessage was edited by: Jon Scholten on 6/17/10 9:50:23 AM CDT