Creating a subordinate CA
Help | Content Gateway | Version 8.0.x
Creating a subordinate certificate authority (sub CA) enables you to take advantage of all the information already existing for your Root CA. However, the Root CA can revoke the sub CA at any time.
Follow these steps to generate a sub CA using OpenSSL and the certificate services in Microsoft Windows.
Preparation
*
* Install the OpenSSL 1.0.1e toolkit (www.openssl.org) on a Windows or Linux computer.
Creating a Certificate Signing Request (CSR)
1. In a Windows Command Prompt or on the Linux command line, create a CSR with the following openssl command:
   openssl req -new -newkey rsa:2048 -keyout wcg.key -out wcg.csr
2. The openssl command generates 2 files:
   * wcg.csr -- the CSR that will be signed by the Certificate Authority to create the final certificate
   * wcg.key -- the private key
3.
Signing the request
You must sign the request with Microsoft Certificate Services.
1. Open wcg.csr with WordPad (to preserve the formatting) and copy the contents onto the clipboard (Edit > Select all; Edit > Copy).
2. In Internet Explorer, go to the Microsoft CA server.
   Enter the following URL:
   http://<CA_server_IP_address>/certsrv
   The Certificate Services applet starts.
3. On the Welcome screen, below the Select a task heading, select Request a certificate. The Request a certificate page displays.
4. Select to submit an advanced certificate request.
5. On the Advanced Certificate Request screen, select Submit a certificate request by using a base-64-encoded CMC. The Submit a Certificate Request or Renewal Request screen displays.
6. On the Submit a Certificate Request or Renewal Request screen, paste the content of the wcg.csr file (previously placed on the clipboard) in the Certificate Template drop down window and click Submit.
   The certificate is issued and the Certificate Issued screen displays. If, instead, the Certificate Pending screen displays, you do not have sufficient privileges to create a sub CA. Contact your Enterprise domain administrator to complete the certificate creation process and then proceed to step 7.
7. Select the Base 64 encoded radio button and then select Download certificate. Save the certificate to your desktop. Later you will import it into Content Gateway.
With the base 64 encoded certificate on your desktop, along with the private key created during the CSR generating process, you are ready to import both into Content Gateway.
Importing the sub-CA into Content Gateway
1. Open the Content Gateway manager and go to Configure > SSL > Internal Root CA > Import Root CA.
2. Browse to select the certificate. The certificate must be in X.509 format and base-64-encoded.
3. Browse to select the private key. It must correspond to the certificate you selected in step 2.
4.
5. Click Import Root CA.
6.
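The import requirements above (a base-64-encoded X.509 certificate and a private key that corresponds to it) can be checked with OpenSSL before the import. The script below is an added example, not part of Content Gateway or its documentation; the function name check_subca_pair is hypothetical, and the CA:TRUE check reflects the general X.509 rule that a certificate used to sign other certificates must be a CA certificate.

```shell
#!/bin/sh
# Added example (not Forcepoint code): pre-import checks for a sub CA pair.
# Usage: sh check_subca.sh <cert.pem> <key.pem> [passin]
# [passin] is an openssl pass phrase source such as env:WCG_PASS; if it is
# omitted and the key is encrypted, openssl prompts for the passphrase.

check_subca_pair() {
    cert=$1 key=$2 passin=${3:-}

    # 1. Base-64 (PEM) X.509: PEM header present and the file parses.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" &&
        openssl x509 -in "$cert" -noout ||
        { echo "FAIL: $cert is not a PEM X.509 certificate" >&2; return 1; }

    # 2. A certificate that signs other certificates must be a CA certificate.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: $cert lacks basicConstraints CA:TRUE" >&2; return 1; }

    # 3. The private key must correspond to the certificate: the public key
    #    derived from the key file must equal the one inside the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    if [ -n "$passin" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout)
    else
        key_pub=$(openssl pkey -in "$key" -pubout)
    fi || { echo "FAIL: cannot read private key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 1; }

    echo "OK: $cert is a PEM CA certificate and $key matches it"
}

# Run the check when the script is called with file arguments.
if [ "$#" -ge 2 ]; then check_subca_pair "$@"; fi
```

A FAIL on the CA:TRUE check means the CA issued the certificate from a template other than a subordinate CA template, so the file should not be imported as a signing certificate.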

Copyright 2016 Forcepoint LLC. All rights reserved.