1 Reply Latest reply on Aug 15, 2017 7:36 PM by DBO

    Creating a User Interface Certificate Guide (7.3.0) - RFC

    itsec

      I had to create both a user interface certificate and a subordinate CA from our internal Windows CA and had a few issues. 
      I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
      This guide is for creating the User Interface Certificate.  I have posted another for the Subordinate CA.

      As the title of the post suggests, it's an RFC too, so please comment.
      Version is 7.3.0 (13875)

      I based this on information in the following posts and my own trial & error:

      https://community.mcafee.com/thread/40718?start=10&tstart=0
      https://community.mcafee.com/message/214051#214051
      https://community.mcafee.com/message/265098#265098 

      1.      Export your internal CA from your PC certificate store.  Importing the certificate chain does not work, so export it as Base-64 encoded.
      1.1.      On your PC > MMC > Add Certificates snap-in > either My user account or Computer account

      1.2.      Expand Certificates > Trusted Root Certification Authorities > Certificates

      1.3.      Highlight _your_internal_CA_ > right-click > All Tasks > Export
      1.4.      Select Base-64 encoded > Next > save locally

      2.      Logon to the mwg via ssh

      3.      Run this command to create the csr & create a PEM pass phrase:

      openssl req -out testmgw.csr -new

      [root@MWG ~]# openssl req -out testmgw.csr -new
      Generating a 2048 bit RSA private key
      .....................+++
      .........+++
      writing new private key to 'privkey.pem'                       <--- Note that the private key is being created here
      Enter PEM pass phrase:                                         <--- Enter a suitable passphrase
      Verifying - Enter PEM pass phrase:                             <--- Confirm the passphrase
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:                             <--- Change to site country
      State or Province Name (full name) []:                         <--- Change to site location or leave blank
      Locality Name (eg, city) [Default City]:                       <--- Change to site city or leave blank
      Organization Name (eg, company) [Default Company Ltd]:         <--- Change to company name
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your server's hostname) []:      <--- Enter either the server name or IP here
      Email Address []:

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:                                       <--- Leave blank
      An optional company name []:                                   <--- Leave blank
      [root@MWG ~]#


      4.      Create an RSA private key by running the openssl command below & fill in the details

                     openssl rsa -in privkey.pem -des3 -out testmwg.pem


      [root@MWG ~]# openssl rsa -in privkey.pem -des3 -out testmwg.pem
      Enter pass phrase for privkey.pem:                             <--- passphrase from step 3
      writing RSA key
      Enter PEM pass phrase:                                         <--- passphrase for the new file
      Verifying - Enter PEM pass phrase:                             <--- verify passphrase


      [root@MWG ~]# ls -l
      -rw-r--r-- 1 root root 1834 Mar  4 12:47 privkey.pem
      -rw-r--r-- 1 root root  985 Mar  4 12:47 testmgw.csr
      -rw-r--r-- 1 root root 1743 Mar  4 12:50 testmwg.pem
      [root@MWG ~]#


      5.      Copy the testmwg.csr and testmwg.pem files off the mwg using winscp or similar

      6.      Use the testmwg.csr to get a server certificate from https://<yourinternalca>/certsrv/ > Select Request a certificate

      7.      Select "Submit a request by using base-64-encoded…"

      8.      Open the testmwg.csr file in notepad and copy into the Saved Request field > template is Web Server > Submit

      9.      Download the certificate [certificate only; NOT certificate chain] in Base 64 encoded.

      10.      Logon to the Web Gateway > Click Configuration tab > expand Appliances (Cluster) > servername > User Interface > User Interface Certificate > Import

      11. Browse to the files > enter private key password > OK

                      Files needed are the internal root CA from step 1 , the *.pem created in step 4 & the *.cer downloaded in step 9

      12. Save Changes > Log out > close browser. 

      When next logging on there should be no certificate errors.  You can also now host the proxy.pac and serve it over https.

      Hope this helps

      :-)
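The following script is an added example, not code from the post above or from McAfee. It runs the key and CSR part of the procedure (steps 3 and 4: key, CSR, and the DES3-protected copy of the key) non-interactively, then performs the checks worth doing before the import in step 11: that the key matches the CSR, that the returned certificate matches the key, and that the certificate chains to the CA exported in step 1. Everything in it is an assumption to be replaced with your own values: the hostname mwg.example.internal, the IP 10.0.0.10, the organisation, the passphrase, and the file names. Because the Windows CA of steps 6 to 9 is not reachable offline, a throwaway root CA generated inside the script signs the CSR in its place; with a real CA you would skip that function and drop the downloaded .cer and the exported CA certificate into the same paths. One deliberate difference from the interactive prompts in step 3: the CSR carries a subjectAltName for the hostname and IP, since current browsers match the URL against the SAN and not the Common Name.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive, checkable version of
# steps 3-4 plus the sanity checks worth running before the MWG import in step 11.
# Assumptions (placeholders, replace with your own): the hostname, IP, org and
# passphrase below; a stub root CA generated here stands in for the Windows CA of
# steps 6-9 so the whole flow runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch dir; on the appliance the post uses ~
FQDN="${FQDN:-mwg.example.internal}"    # assumed UI hostname
IP="${IP:-10.0.0.10}"                   # assumed appliance IP (also used to reach the UI)
KEYPASS="${KEYPASS:-changeme}"          # the "private key password" typed in step 11

# Step 3 equivalent. The interactive 'openssl req' prompts give you a CN only; browsers
# match the hostname against subjectAltName, so the SANs come from a config file.
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = GB
O  = Example Org
CN = $FQDN
[v3_req]
subjectAltName = DNS:$FQDN, IP:$IP
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -config "$WORK/csr.cnf" \
    -keyout "$WORK/privkey.pem" -passout "pass:$KEYPASS" \
    -out "$WORK/mwg.csr" 2>/dev/null
  chmod 600 "$WORK/privkey.pem"
}

# Step 4 equivalent: the same key rewritten as a DES3-protected PEM, as in the post.
# Newer OpenSSL writes PKCS#8 here; prefer -aes256 over -des3 if the appliance accepts it.
rewrite_key() {
  openssl rsa -in "$WORK/privkey.pem" -passin "pass:$KEYPASS" \
    -des3 -passout "pass:$KEYPASS" -out "$WORK/mwg.pem" 2>/dev/null
  chmod 600 "$WORK/mwg.pem"
}

# Stand-in for steps 6-9: a throwaway root CA signs the CSR with the CSR's own extensions
# (the Web Server template on a Windows CA does the equivalent). Not for production use.
sign_with_stub_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Stub Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 365 2>/dev/null
  openssl x509 -req -in "$WORK/mwg.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/csr.cnf" -extensions v3_req \
    -out "$WORK/mwg.cer" 2>/dev/null
}

# SHA-256 of the RSA modulus: identical for key, CSR and certificate only if they belong together.
modulus_of() {   # $1 = rsa|req|x509, $2 = file
  case "$1" in
    rsa) openssl rsa -in "$2" -passin "pass:$KEYPASS" -noout -modulus ;;
    *)   openssl "$1" -in "$2" -noout -modulus ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Runs the flow and the three checks that catch the usual import failures:
# key/CSR mismatch, key/cert mismatch, and a cert that does not chain to the CA from step 1.
run_all() {
  make_csr
  rewrite_key
  sign_with_stub_ca
  k=$(modulus_of rsa  "$WORK/mwg.pem")
  c=$(modulus_of req  "$WORK/mwg.csr")
  x=$(modulus_of x509 "$WORK/mwg.cer")
  [ "$k" = "$c" ] || { echo "key does not match CSR";  return 1; }
  [ "$k" = "$x" ] || { echo "key does not match cert"; return 1; }
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/mwg.cer" >/dev/null 2>&1 \
    || { echo "cert does not chain to CA"; return 1; }
  echo "OK"
}

# The three files step 11 asks for, in the order of the post: CA cert, key, server cert.
bundle_paths() { printf '%s\n' "$WORK/ca.pem" "$WORK/mwg.pem" "$WORK/mwg.cer"; }

run_all && bundle_paths
```

Run it as-is to see the flow end to end; to use it against the real CA, call make_csr and rewrite_key, submit $WORK/mwg.csr through certsrv as in steps 6 to 9, save the downloaded certificate as $WORK/mwg.cer and the exported root as $WORK/ca.pem, and then run only the modulus and openssl verify checks from run_all before importing. A mismatch on the modulus check is the quickest explanation for an import that fails with the right passphrase.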