Deploy a Subordinate CA Based On An Organization's Root CA

Procedure

1. Generate the CSR from the Deep Discovery Web Inspector management console.
   1. In a web browser, type the IP address of the Deep Discovery Web Inspector management console.
      https://<management_IP_address>
   2. Go to Policy → HTTPS Inspection.
   3. Click Generate CSR to generate the CSR file.
      The Generate CSR window opens.
   4. Specify the following parameters:

      Option	Description
      Common Name	The Common Name (CN) is typically composed of Host + Domain Name. It can also be the name of the server.
      Country Code	The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
      State/Province	Name of the state or province where your organization is located. Do not abbreviate.
      Locality	Name of the city where your organization is registered or located. Do not abbreviate.
      Organization	The legally-registered name for your business.
      Organizational Unit	The name of the department or organization unit making the request.
      (Optional) Email Address	Email address of the submitter.

   5. Click Generate CSR.
      The following message is displayed: CSR generated successfully, please click to download.
2. Click Download to download the CSR to your local computer.

   Note Deep Discovery Web Inspector only archives one CSR and Private Key. If multiple certificates are needed, generate a CSR after the previous certificate has been imported successfully. Otherwise, the previous CSR and Private Key are replaced.

3. Generate the subordinate certificate from the Microsoft Active Directory Certificate Server.
   The procedure below shows you how to generate a Subordinate Certificate based on Windows Active Directory Certificate Server. You must be an Administrator and sign in to the domain using the format domain\user. If you do not sign in using domain\user, you will not see the Submit an advanced certificate request option on the second page of the requesting a certificate process.
   1. Go to the Microsoft Active Directory Certificate Server main page.
      The URL might look like http://IP_address/certsrv with IP_address being dependent on your environment.
      The Welcome screen opens.
   2. Under Select a task, select Request a Certificate.
      The Request a Certificate screen opens.
   3. Select Advanced certificate request.
      The Submit a Certificate Request or Renewal Request screen opens.
   4. Paste the content of the CSR file generated in the last section into the Saved Request text box.
   5. Under Certificate Template, choose Subordinate Certification Authority, and then click Submit.
      The Certificate Issued screen opens.
   6. Select DER encoded, then click Download certificate.
      While downloading the file, rename the certificate to subca.cer for further use.
4. From the Deep Discovery Web Inspector management console, import the new certificate and private key and enable HTTPS decryption.
   1. Under Certificate, click Browse and import the subca.cer generated in last step.
   2. Under Private Key, click Browse and choose the private key subca.key generated in last section, then import the private key.
   3. Input and confirm the private key password.
   4. Click Verify Certificate.
      The Save button will get focus if the verification is OK.
   5. Click Save.
      The subca.cer takes effect for this policy after the service restarts.
5. For clients where certificates cannot be deployed using Active Directory GPOs, install the certificate on the clients using the procedures provided by the client or operating system vendor.