I had to create both a user interface certificate and a subordinate CA from our internal Windows CA and had a few issues.
I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
This guide is for creating the User Interface Certificate. I have posted another for the Subordinate CA.
As the title of the post suggests, it's an RFC too, so please comment.
Version is 7.3.0 (13875)
I based this on information in the following posts and my own trial & error:
1. Export your internal CA from your PC certificate store. Importing the certificate chain does not work so export in Base-64 encoded.
1.1. On your PC > MMC > Add Certificates snap-in > either My user account or Computer account
1.2. Expand Certificates > Trusted Root Certification Authorities > Certificates
1.3. Highlight _your_internal_CA_ > right-click > All Tasks > Export
1.4. Select Base-64 encoded > Next > save locally
2. Logon to the mwg via ssh
3. Run this command to create the csr & create a PEM pass phrase:
openssl req -out testmgw.csr -new
[root@MWG ~]# openssl req -out testmgw.csr -new
Generating a 2048 bit RSA private key
writing new private key to 'privkey.pem' <---Note that private key is being created here
Enter PEM pass phrase: <---Enter suitable passphrase
Verifying - Enter PEM pass phrase: <---Confirm passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]: <---Change to site country
State or Province Name (full name) : <---Change to site location or leave blank
Locality Name (eg, city) [Default City]: <---Change to site city or leave blank
Organization Name (eg, company) [Default Company Ltd]: <---Change to co. name
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) : <---Enter either servername/ IP here
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : <---Leave blank
An optional company name : <---Leave blank
4. Create an RSA private key by running the openssl command below & fill in the details
openssl rsa -in privkey.pem -des3 -out testmwg.pem
[root@MWG ~]# openssl rsa -in privkey.pem -des3 -out testmwg.pem
Enter pass phrase for privkey.pem:
writing RSA key
Enter PEM pass phrase: <---passphrase from step 3
Verifying - Enter PEM pass phrase: <-- verify passphrase
[root@MWG ~]# ls -l
-rw-r--r-- 1 root root 1834 Mar 4 12:47 privkey.pem
-rw-r--r-- 1 root root 985 Mar 4 12:47 testmgw.csr
-rw-r--r-- 1 root root 1743 Mar 4 12:50 testmwg.pem
5. Copy the testmwg.csr and testmwg.pem files off the mwg using winscp or similar
6. Use the testmwg.csr to get a server certificate from https://<yourinternalca>/certsrv/ > Select Request a certificate
7. Select "Submit a request by using base-64-encoded…"
8. Open the testmwg.csr file in notepad and copy into the Saved Request field > template is Web Server > Submit
9. Download the certificate [certificate only; NOT certificate chain] in Base 64 encoded.
10. Logon to the Web Gateway > Click Configuration tab > expand Appliances (Cluster) > servername > User Interface > User Interface Certificate > Import
11. Browse to the files > enter private key password > OK
Files needed are the internal root CA from step 1, the *.pem created in step 4 & the *.cer downloaded in step 9
12. Save Changes > Log out > close browser.
When you next log on there should be no certificate errors. You can also now host the proxy.pac and serve it over https.
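For anyone scripting this rather than typing the prompts, here is the key/CSR part (steps 3-4) done non-interactively, followed by the checks I would run on the three files before the import in step 10: each .cer holds exactly one Base-64 certificate (step 1 and step 9 both say certificate only, not the chain), the issued certificate really belongs to the .pem you are about to upload, it chains to the exported root, and its SAN names the appliance. This is an added example, not part of the original post or a McAfee tool: the hostname, DN, passphrase and file locations are constructed, and because the Windows CA cannot be reached from a script run offline, a throwaway local root CA stands in for steps 6-9 purely so the checks have something to run against. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext).

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive equivalent of
# steps 3-4 plus pre-import checks. Hostname, DN, passphrase and the stand-in
# "internal CA" are constructed for the demo; OpenSSL 1.1.1+ assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mwg.example.internal}"   # constructed; use the appliance's real FQDN
PASS="${PASS:-demo-passphrase}"        # constructed; the "PEM pass phrase" of step 3

# Steps 3 and 4 in one go: a new 2048-bit RSA key written encrypted straight to
# testmwg.pem, plus the CSR. CN is the hostname as in the post; the SAN is added
# because browsers validate the SAN, not the CN.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$WORK/testmwg.pem" -passout "pass:$PASS" \
        -out "$WORK/testmwg.csr" \
        -subj "/C=GB/O=Example Ltd/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# Stand-in for steps 6-9 (constructed): a throwaway root CA signs the CSR so the
# checks below can run offline. Your Windows CA does this for real.
fake_internal_ca_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/internal-root.cer" \
        -subj "/CN=Demo Internal Root CA" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" >"$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/testmwg.csr" -sha256 -days 30 \
        -CA "$WORK/internal-root.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/testmwg.cer" >/dev/null 2>&1
}

# Check 1: exactly one PEM certificate in the file (step 1: Base-64 export, not
# the chain; step 9: "certificate only").
is_single_pem_cert() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ] &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Check 2: the issued certificate carries the public key of the .pem you will
# upload. Catches a key/CSR mix-up after re-running step 3.
cert_matches_key() {
    k=$(openssl pkey -in "$WORK/testmwg.pem" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/testmwg.cer" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the certificate chains to the root exported in step 1. If this fails
# the import may still go through, but browsers will keep warning.
cert_chains_to_root() {
    openssl verify -CAfile "$WORK/internal-root.cer" "$WORK/testmwg.cer" >/dev/null 2>&1
}

# Check 4: the SAN names the host users actually type into the browser.
cert_has_san_for_host() {
    openssl x509 -in "$WORK/testmwg.cer" -noout -ext subjectAltName 2>/dev/null |
        grep -q "DNS:$HOST"
}

run_all() {
    make_key_and_csr
    fake_internal_ca_sign
    is_single_pem_cert "$WORK/internal-root.cer" &&
        is_single_pem_cert "$WORK/testmwg.cer" &&
        cert_matches_key && cert_chains_to_root && cert_has_san_for_host
}

if run_all; then
    echo "pre-import checks passed; files in $WORK: internal-root.cer testmwg.pem testmwg.cer"
else
    echo "pre-import checks failed; do not import yet" >&2
    exit 1
fi
```

In real use, skip fake_internal_ca_sign: submit $WORK/testmwg.csr to /certsrv as in steps 6-9, save the returned Base-64 file as testmwg.cer next to the exported root, and run the four checks on those. Check 1 is the one that catches the two export mistakes the post warns about.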
Hope this helps