Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working With Encrypted Data > Internal Root CA > Creating a subordinate CA
Creating a subordinate CA
Help | Content Gateway | Version 7.7.3
Creating a subordinate certificate authority (sub CA) enables you to take advantage of all the information already existing for your Root CA. However, the Root CA can revoke the sub CA at any time.
Follow these steps to generate a sub CA using OpenSSL and the certificate services in Microsoft Windows.
Preparation
*
If you are not the Enterprise domain administrator, you will need to work with that person to get the correct domain permissions to generate a sub CA.
*
Install the OpenSSL 0.9.8(x) toolkit (www.openssl.org) on a Windows or Linux computer.
Creating a Certificate Signing Request (CSR)
1.
Create a CSR with OpenSSL.
In a Windows Command Prompt or on the Linux command line, create a CSR with the following openssl command:
openssl req -new -newkey rsa:2048 -keyout wcg.key -out wcg.csr
2.
There will be a series of questions. Answer each question and make note of the challenge password; it will be needed later in the process.
The openssl command generates 2 files:
*
wcg.csr -- the CSR that will be signed by the Certificate Authority to create the final certificate
*
wcg.key -- the private key
3.
If you created the CSR on a Linux system, copy it to your Windows host with WinSCP or some other file transfer utility.
Signing the request
You must sign the request with Microsoft Certificate Services.
1.
Open wcg.csr with WordPad (to preserve the formatting) and copy the contents onto the clipboard (Edit > Select all; Edit > Copy).
2.
In Internet Explorer, navigate to the Microsoft CA server.
Enter the following URL:
http://<CA_server_IP_address>/certsrv
The Certificate Services applet starts.
3.
On the Welcome screen, below the Select a task heading, select Request a certificate. The Request a certificate page displays.
4.
Select to submit an advanced certificate request.
5.
On the Advanced Certificate Request screen, select Submit a certificate request by using a base-64-encoded CMC. The Submit a Certificate Request or Renewal Request screen displays.
6.
On the Submit a Certificate Request or Renewal Request screen, paste the content of the wcg.csr file (previously placed on the clipboard) in the Certificate Template drop down window and click Submit.
The certificate is issued and the Certificate Issued screen displays. If, instead, the Certificate Pending screen displays, you do not have sufficient privileges to create a sub CA. Contact your Enterprise domain administrator to complete the certificate creation process and then proceed to step 7.
7.
Select the Base 64 encoded radio button and then select Download certificate. Save the certificate to your desktop. Later you will import it into Content Gateway.
With the base 64 encoded certificate on your desktop, along with the private key created during the CSR generating process, you are ready to import both into the Content Gateway SSL Manager.
Importing the sub-CA into SSL Manager
1.
Open Content Gateway Manager and navigate to Configure > SSL > Internal Root CA > Import Root CA.
2.
Browse to select the certificate. The certificate must be in X.509 format and base-64-encoded.
3.
Browse to select the private key. It must correspond to the certificate you selected in step 2.
 
Note 
The certificate and private key format must match.
Additionally, the private key format must match the format required by the importing node.
*
When FIPS is enabled, Content Gateway requires an encrypted private key for importing a CA.
*
When FIPS is disabled, Content Gateway requires an RSA private key for importing a CA.
To verify the certificate and private key format, view the files in a text based editor. The Internal Root CA (PCAcert.pem) and private key (PCAkey.pem) are stored by default in /opt/WCG/sxsuite/conf/CA_default/PCA. If the certificate and private key you are importing are saved to a different location, navigate to that location to view the files.
For information on converting the private key format, see:
*
Importing a CA between a non-FIPS & FIPS enabled node
*
Converting an encrypted private key to an RSA key
4.
Enter and then confirm the passphrase.
5.
Click Import Root CA.
6.
Restart Content Gateway.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working With Encrypted Data > Internal Root CA > Creating a subordinate CA