6 Replies Latest reply on Dec 5, 2011 3:03 PM by abdouahly

    Problem with certifcate in sidewinder


      Dear all I face a problem with certificate in sidewinder Ver. 8.2 as following scenario Where I have Active directory and Microsoft CA and we use the sidewinder as web-gateway with SSL rule (decrypt and r encrypt). My problem when any user try to access the HTTPS site appear notification with untrusted certificate, by troubleshoot find that the issure is becoming the sidewinder for the site and all users didn't trust it. So, I need to trust the sidewinder certificate in active directory by using our CA and I need the all process to do it.

        • 1. Re: Problem with certifcate in sidewinder

          It shouldn't be too difficult and you have a couple of options.


          1. If you are already using the Microsoft CA and the certificates generated by this are trusted by your users, create a new certificate on this server for the Firewall to use, export it and import it into the Firewall using the Maintenance -> Certificate/Key Management screen, placing it in the "Firewall Certificates" section. You may also need to export the Microsoft CA certificate and import it into the Firewall's "Certificate Authorities" tab on the same GUI screen.


          Once the certs have been imported, you should then be able to edit your SSL rules and select the new certficate for the Firewall to use when decrypting and re-encrypting traffic. Because the certificate has been signed by a CA the users already trust, the notification message should disappear.


          2. Export the Firewall's "Default_SSL_Cert" and import it into your user's browsers - either by providing instructions to perform it manually or deploying it automatically via group policy or Active Directory.


          Either method should address your situation.



          • 2. Re: Problem with certifcate in sidewinder

            Dear PhiM

            first many thanks for your quick response

            really I tried this soultions before but the first one didn't work and where can I put the certificate in SSL rule, I didn't find any tab can I use the cerfificate on it.

            about the second solution our policy can't allow it because we have alot of users that will make load in our network and Active directory.

            if you have any document can show me by steps please send it to me.


            Best Regards

            • 3. Re: Problem with certifcate in sidewinder

              Sorry I've never actually done this myself, so I don't have a document.


              In the actual SSL rule you have the means of selecting the certificate to be used, and it is here you will find the "Default_SSL_CA" being used by the Firewall.




              Once you have uploaded a trusted certificate to the Firewall's certificate store, you should then be able to use this certificate instead of the default.


              If you don't have the means of being able to deploy the certificate from a central resource then your only other option is to provide intructions to the users so that they can import the certificate manually into their certificate store.


              Unfortunately this is the one handicap of using SSL rules, because the Firewall has to break the SSL connection in order to be able to inspect the content, bit with the original certificate now "used", as such, it needs to use a fresh certificate to perform the re-encryption.

              • 4. Re: Problem with certifcate in sidewinder

                Dear PhiM

                Really after uploading the certificate there is no certificate appear in the RSA key location as appear in below pictures also the same in DSA or Local CA.



                • 5. Re: Problem with certifcate in sidewinder

                  I may be wrong, but the field I think you should be using is the one below "Local CA used to sign server cert:".


                  If that doesn't work then I'd recommend that you give McAfee support a try.

                  • 6. Re: Problem with certifcate in sidewinder

                    Dear PhiM

                    Many thanks for you effort and already as I told before no more certificate in Local CA location just only The defualt certificate.

                    Really I appreciate your serious support and I will try to send to McAfee support.