0 Replies Latest reply on Mar 8, 2013 7:25 AM by itsec

    Creating a Subordinate CA (7.3.0) Guide - RFC


      I had to create both a user interface certificate and a subCA from our internal Windows CA and had a few issues. 
      I have managed to fix it with the aid of various posts on this forum and trial & error but thought it may be useful to create a definitive guide so here goes...
      This guide is for creating the Subordinate CA.  I have posted another for the User Interface Certificate: https://community.mcafee.com/message/278401#278401

      As the title of the post suggests, it's an RFC too so please comment.
      Version is 7.3.0 (13875)

      I based this on information in the following posts and my own trial & error:



      1.      On the internal CA website https://<yourinternalca>/certsrv/ > Request cert > advanced cert > template: Subordinate Cert Auth
              Fill in details:
              Name:      <--- <choose a suitable name>


      Other details:

      • Create new key set with key size 1024
      • Automatic key container name
      • Mark as exportable
      • Format: CMC


      2.      Install to PC and then export including private key (eg export.pfx)
                      Include all certs in path
                      Enable strong protection


      3.      Copy export.pfx file to MWG using WinSCP


      4.      Log on to the MWG via ssh


      5.      Run these commands from the ssh session:

                openssl pkcs12 -in export.pfx -nokeys -out CA.crt


      [root@MWG ~]# openssl pkcs12 -in export.pfx -nokeys -out CA.crt
      Enter Import Password:     <---use password used to create the cert
      MAC verified OK

      [root@MWG ~]# ls

      CA.crt  export.pfx


                     openssl pkcs12 -in export.pfx -cacerts -nodes -out CA.key


      [root@MWG ~]# openssl pkcs12 -in export.pfx -cacerts -nodes -out CA.key
      Enter Import Password:
      MAC verified OK

      [root@MWG ~]#  ls
      CA.crt  CA.key  export.pfx



      6.      Use CA.key to write out the RSA key, protected with a pass phrase:

                openssl rsa -in CA.key -des3 -out newCA.pem


      [root@MWG ~]# openssl rsa -in CA.key  -des3 -out newCA.pem
      writing RSA key
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:


      7.      Use WinSCP to copy CA.crt & newCA.pem to PC


      8.      Open WebGUI and browse to Policy > Settings tab > Engines > SSL Client Context with CA > right-click Add > Name > Import


      9.      Browse to the files. Make sure you use the root CA for the certificate chain; see the post "Creating a User Interface Certificate - Definitive guide - RFC" (https://community.mcafee.com/message/278401#278401) for details on exporting that.


      10.      OK > logout > close browser


      When you next go to a blocked https site (e.g. https://docs.google.com) you can check the certificate & certificate path.
      It should contain the internal root CA, the MWG and then an entry for the website that is blocked, e.g. docs.google.com.
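
      As an added check that is not part of the original post, the shell functions below (my own, assuming only the openssl CLI already used in step 5) verify the CA.crt / newCA.pem pair before it is copied back in step 7: that the first certificate in CA.crt really is a CA certificate, that the key in newCA.pem belongs to it, that the key size meets a minimum you choose, and optionally that it chains to the internal root CA exported for step 9 (assumed file name root.crt).

```shell
#!/bin/sh
# Added sanity checks for the CA.crt / newCA.pem pair from steps 5-6 (not part of
# the original post). Assumes only the openssl CLI; each check returns 0 on success.

# 0 if the first certificate in $1 is marked as a CA (basicConstraints CA:TRUE)
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the public key in certificate $1 belongs to private key $2
# ($3 = PEM pass phrase, empty for an unencrypted key); compares the RSA modulus
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus -passin "pass:$3" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Print the RSA key size in bits of the first certificate in $1
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*[Kk]ey: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# 0 if certificate $1 verifies against the internal root CA certificate $2
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check and report; $1 = CA.crt, $2 = newCA.pem, $3 = pass phrase,
# $4 = minimum key size in bits, $5 = root CA certificate (optional)
check_subca() {
    rc=0
    if cert_is_ca "$1"; then echo "ok: certificate is a CA"
    else echo "FAIL: $1 is not a CA certificate"; rc=1; fi
    if key_matches_cert "$1" "$2" "$3"; then echo "ok: private key matches certificate"
    else echo "FAIL: $2 does not match $1 (wrong file or pass phrase?)"; rc=1; fi
    bits=$(cert_key_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -ge "$4" ]; then echo "ok: $bits-bit RSA key"
    else echo "FAIL: key is ${bits:-unknown} bits, expected at least $4"; rc=1; fi
    if [ -n "$5" ]; then
        if chain_ok "$1" "$5"; then echo "ok: chains to $5"
        else echo "FAIL: $1 does not verify against $5"; rc=1; fi
    fi
    return $rc
}

# Example run on the files from steps 5-6; the pass phrase is the one typed in step 6:
#   check_subca CA.crt newCA.pem 'pem pass phrase' 2048 root.crt
```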


      Hope this helps