Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data > Internal Root CA > Creating a subordinate certificate authority
Creating a subordinate certificate authority
Help | Content Gateway | v8.5.x
Creating a subordinate certificate authority (sub CA) enables you to take advantage of all the information already existing for your Root CA. However, the Root CA can revoke the sub CA at any time.
Follow these steps to generate a sub CA using OpenSSL and the certificate services in Microsoft Windows.
Preparation
*
If you are not the Enterprise domain administrator, you will need to work with that person to get the correct domain permissions to generate a sub CA.
*
Install the OpenSSL toolkit (www.openssl.org) on a Windows or Linux machine.
Creating a Certificate Signing Request (CSR)
1.
Log on to the Windows or Linux machines with root or Administrator permissions.
2.
Open a Command Prompt or command shell.
3.
Enter the following openssl command:
openssl req - sha256 -new -newkey rsa:2048 -keyout wcg.key -out wcg.csr
4.
There will be a series of questions. Answer each question and make note of the challenge password; it will be needed later in the process.
The openssl command generates 2 files:
*
wcg.csr is the CSR that will be signed by the Certificate Authority to create the final certificate.
*
wcg.key is the private key.
5.
If you created the CSR on a Linux system, copy it to your Windows host with WinSCP or some other file transfer utility.
Signing the request
To use Microsoft Certificate Services to sign the request:
1.
Open wcg.csr with WordPad (to preserve the formatting) and copy the contents onto the clipboard (Edit > Select all; Edit > Copy).
2.
In Internet Explorer, enter the following URL to go to the Microsoft CA server:
http://<CA_server_IP_address>/certsrv/
The Certificate Services applet starts.
3.
Under Select a task, click Request a certificate.
4.
On the Request a Certificate page, click the link to submit an advanced certificate request.
5.
On the Advanced Certificate Request screen, select the Submit a certificate request by using a base-64-encoded CMC... link.
6.
On the Submit a Certificate Request or Renewal Request screen, paste the content of the wcg.csr file (previously placed on the clipboard) in the field provided and click Submit.
7.
The certificate is issued and the Certificate Issued screen displays.
If, instead, the Certificate Pending screen displays, you do not have sufficient privileges to create a sub CA. Contact your Enterprise domain administrator to complete the certificate creation process before proceeding.
8.
Select the Base 64 encoded radio button, and then select Download certificate.
9.
Save the certificate to your desktop. Later you will import it into Content Gateway.
With the base 64 encoded certificate on your desktop, along with the private key created during the CSR generating process, you are ready to import both into Content Gateway. See Importing your Root CA for instructions.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data > Internal Root CA > Creating a subordinate certificate authority
Copyright 2023 Forcepoint. All rights reserved.