Solved: Re: THANKS!

CiscoFSYR · ‎07-21-2017

Let me preface this question by saying that I'm not asking how to install an SSL for HTTPS Proxy for Transparent Redirection. I've already done that and it's working.

What I would like to know is how to change the SSL certificate the appliance is using for the web interface.

e.g. When I browse to the device in Internet Explorer (https://%FQDN%:8443), I get a 'Problem with this website's security certificate' error because the appliance is using the Demo Appliance cert for the web interface.

How can I replace the Demo Appliance certificate on the web interface so this error doesn't happen?

Ken Stieers · ‎07-21-2017

I totally misread which cert you wanted to replace... sorry.

You have to generate the cert completely outside the WSA (eg use OpenSSL, or IIS, or the Certifcates mmc), then use the CLI, and run certconfig.

It will want you to upload the cert and key in PEM format.

View solution in original post

Ken Stieers · ‎07-21-2017

Yes, you can!

You actually have 2 options here:

1. Download the demo cert, and go to your Group Policy that is applied to all of your workstations and add that Demo cert to the "Trusted Root Certification Authorities" under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies

2. If you already have an Enterprise Root CA installed (which would have add ITs root to the group policy at install), you have 2 options:

a. you can use that CA to issue a new Subordinate CA cert and install that cert on the WSA

b. you can take the Root cert from the CA and put that on the WSA.

In my opinion, the "most correct" option is 2a, followed by 1...

Once deployed, IE and Chrome will be fine, Firefox may still be using it own Trusted Cert store, so those users will have to import it by hand... which makes 2a more attractive if you're issuing certs to other internal web sites...

For clarity, what's going on is that the WSA gens up a new cert for every HTTPs site you visit, signed by the cert that is installed on, so for your browser to trust this new cert, it has to trust the installed cert as a root cert.

CiscoFSYR · ‎07-21-2017

Where do I go to do that?

I've already requested a cert from our internal CA and issued that to the WSA through the "Security Services > HTTPS Proxy" page. But the WSA is still using the Demo Cert when I try to login to the device to manage it.

P.S. I tried downloading the cert and manually installing it on my computer in the 'Trusted Root CA' store, but I'm still getting that error when I try to login to the device.

Ken Stieers · ‎07-21-2017

I totally misread which cert you wanted to replace... sorry.

You have to generate the cert completely outside the WSA (eg use OpenSSL, or IIS, or the Certifcates mmc), then use the CLI, and run certconfig.

It will want you to upload the cert and key in PEM format.

CiscoFSYR · ‎07-21-2017

That did it, thanks!

Is that listed in any documentation? I swear I've read every single guide on WSAs and I've never seen information about using the CLI and that command to replace the cert for the web UI login.

Ken Stieers · ‎07-21-2017

Its in the CLI section of the User Guide, but its not really spelled out well...

CiscoFSYR · ‎07-21-2017

THANKS!

kunal shahasuno · ‎04-03-2018

1) If we procure suggested certificate, will it affect any web communication considering older browsers and OS?

2) Will same certificate be used for Web Management and Proxy communication?

3) Will all mentioned / highlighted vulnerbalities be overcome after deploying the certificate?

Ken Stieers · ‎04-03-2018

Assuming your talking about the cert for the management interface?

1. ??

2. No, this is never the case. They're always different certs.

3. The only thing this addressed was the management interface

orkhan.rustamli.96 · ‎11-28-2018

I have changed the HTTPS interface certificae and mande setup throguh CLI -> certconfig. I have rebooted the appliance but when i enter the web page i still see the old certificate. What can be reason?

keithsauer507 · ‎11-16-2021

Did you ever find out in the last 3 years how to "Activate" the new web GUI cert? In Network > Certificate Management I just have the new appliance cert there. I also ran certconfig in CLI to select it. I rebooted and when it came up just to make sure my browser isn't caching anything, I went to it in incognito mode and its still the old expired cert.

Ken Stieers · ‎11-16-2021

So, I just did this on my beta box running 14.0.1-053
Network/Certificate Management.. in the Appliance Certificates section, add a cert, add any intermediate and root certs it needs.
Then in the cli, run certconfig
Enter "setup", confirm that you want to set it, pick "select" and then select the certificate you uploaded.
Commit it.

erik.lei · ‎08-29-2022

I have the same issue. Added new certificate, ran certconfig in CLI, selected the new one, uploaded the intermediate certificate.

CLI showed 'successfully updated the certificate for HTTPS management access'

Opened web UI in incognito, still the old certificate.

AsyncOS 14.5

amojarra · ‎08-30-2022

Steps to change/Configure Web Interface Certificate on WSA:

[1] From the webUI under Network (in the top menu)

[2] Select Certificate Management

[3] Under Appliance Certificates Select Add Certificate...

[4] Select Certificate Type (Self Signed Certificate or Import Certificate)

[5]

[5-1] If you select the Self-Signed Certificate:

[5-1-1] complete the fields

Note: The Private key size must be in the range of 2048 to 8192.

[5-1-2] Click Next

[5-1-3] You can Download the CSR (Download Certificate Signing Request...) and Sign it with your organization's CA Server then Upload the Signed certificate and submit

OR

[5-1-4] You can Submit if the current Self-Signed Certificate is appropriated

[5-2] If you select Import Certificate :

[5-2-1] Import Certificate File (PKCS#12 format is required.)

[5-2-2] Type the Password

[5-2-3] click Next

[6] Commit Changes

[7] Navigate to CLI

[8] type certconfig

[9] type SETUP

[10] type Y

Note: When the certificate is changed, administrative users who are currently logged in to the web user interface can experience a connection error and could lose unsubmitted changes. This will occur only if the certificate is not already marked as trusted by the browser.

[11] type 2 to select from available list of certificates

[12] Type the Number of desired Certificate

[13] if you intermediate certificate, and want to add them Type Y else type N

Note: if you need to add the intermediate certificate you have to paste the intermediate cert in PEM format and end with '.' (just dot).

[14] commit changes

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

erik.lei · ‎08-30-2022

I exactly did these steps one by one. Web UI still picks up the old certificate expired ages ago which even not appeared in the certificate management.

The only difference is in step [5-2-1] Import Certificate File (PKCS#12 format is required.) Our WSA asks for PEM format certificate not PKCS#12.

Change Web Interface Certificate on WSA

Steps to change/Configure Web Interface Certificate on WSA: