Cross-signing the CA Certificate for TMWS On-Premises

This section describes how to cross-sign your CA certificate with the CSR file for use by the on-premises gateway.

  1. Check the following:
    • Your organization's CA certificate and the corresponding CA private key and its passphrase are already available.

    • The Path Length Constraint in your organization's CA certificate is set to None, so that there is no restriction on the CA certificates down in the hierarchy.

    • The administrator has a basic knowledge of openssl commands.

  2. Create a folder named CrossSignTMWSCA_onprem.
    Note:

    The names of the folders and files created in this section are user customizable.

  3. Go to the newly created folder.
  4. Create a subfolder named newcerts.
  5. Create an empty file named certindex.
  6. Create a file, copy and paste the following text, and then save it as serialfile:
    000a
  7. Create a file, copy and paste the following text into the file, and then save it as tmws_ca.csr:
    -----BEGIN CERTIFICATE REQUEST-----
    MIICoDCCAYgCAQAwWzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
    DAJDVTEOMAwGA1UECgwFVFJFTkQxDDAKBgNVBAsMA0lXUzEUMBIGA1UEAwwLVFJF
    TkQuSVdTLjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc1NKr7o9A
    aGW4C6nSKYzWvEvgJdHgzQ/ehGwx1N/bLlbS01zNC5ceHUpd61BYIWNkHRKOuJVR
    K/ahN1CImp56PhcfpEAfxYVaiQXFDpgJws3eJbnaQkUv2NTu346zgkQkvheP2yh5
    pbPOT3jn7x1MLfQJxzQVaIz969JqfBdYZzLttCmc6cLWUe8L8OzFXb2XYb/E7ths
    58tDQ25+ZAAf+U7/pwZH4WE+9v+qBXfvbrkkF9Z7H0wLQPLLmV9kY9p0B8soss6N
    zXk23qTuN3auYnU6CuS9W8eAaoud42SDjyBt8Jd6VYb9fKWCcLOrfPfa9zvPcEhz
    GW/OEUrp/BnlAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAOhEex28QGiE1I9sr
    aPxbJQH0nuBuSZpoUjRjISRuf5yXZpcC1EUHuyANOYG2RbtKBYkbVtCOEsWeyr05
    FxiD2HCncL0SPglVUtW1b98AqzEeJfID8oopY1clWgjdTLGAnr8aRUjjpnyy1VX7
    3Z8xBxmnz1ttvFAgPr6uQV0VnG1DzKgmqTetNiIOp9b0sJzZD9wy3l472VqBZoZh
    waT0juUw9mgLEZT3srB2BIWzdVUbCIWQifTxlGU8y5qu4FGesYt29PWh3M251P1v
    5Pe7W56QtJkEi3v2vjSDe3S7WTkUdmrwsNtyCk/Xw+E14lDuzCG4pQtUYPtscILw
    hFcOPg==
    -----END CERTIFICATE REQUEST-----
               
  8. Create a file, copy and paste the following text into the file, and then save it as a configuration file named myca.conf:
    [ca]
    default_ca = rootca
    
    [crl_ext]
    #issuerAltName=issuer:copy  #this would copy the issuer name to altname
    authorityKeyIdentifier=keyid:always
    
    [rootca]
    new_certs_dir = newcerts
    unique_subject = no
    certificate = root.cer  #Your organization's CA certificate
    database = certindex
    private_key = root.key  #Your organization's CA private key
    serial = serialfile
    default_days = 3660     #Should be at least two years from the date of cross-signing
    default_md = sha256     #sha256 is required.
    policy = myca_policy
    x509_extensions = myca_extensions
    
    [ myca_policy ]
    countryName = supplied
    stateOrProvinceName = supplied
    localityName = supplied
    organizationName = supplied
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    
    [ myca_extensions ]     #These extensions are required.
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    keyUsage = keyCertSign, cRLSign
  9. Run the following command to cross-sign your organization's CA certificate using the CSR file: openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer

    A cross-signed certificate named 0A.pem is generated under folder newcerts.

  10. Go to HTTPS INSPECTION > Decryption Rules and upload the certificate in the Cross-signed certificate for on-premises part of the Certificate section of a decryption rule as necessary.