This article contains instructions for creating a custom root certificate (which is used in place of the standard Cisco Umbrella Root CA certificate) using Microsoft Windows Active Directory Certificate Services, and then using that root certificate to sign a Certificate Signing Request (CSR) from Umbrella's Customer CA-signed CA certificate feature.
- A version of Microsoft Windows Server which is currently supported by Microsoft
- Active Directory Certificate Services installed on the Windows Server
- An account with the Active Directory Certificate Services and Web Service/Web Enrolment Service roles
- Certificate Services configured to issue certificates with UTF-8 encoding ("UTF8STRING")
Certificate string encoding
If your Certificate Services is configured to use the default encoding ("PRINTABLESTRING") then the certificate chain produced may not be trusted by certain web clients, most notably Firefox.
The Cisco Umbrella Secure Web Gateway proxy uses a certificate chain which encodes strings with UTF8STRING encoding. If your issuing certificate (for example, your root certificate) which signs the CSR to create the Cisco Umbrella Customers CA intermediate certificate is encoded with PRINTABLESTRING, then the encoding of the Cisco Umbrella Customers CA certificate's Subject field will be PRINTABLESTRING. This encoding will not match the UTF8STRING encoding of the Issuer field in the Cisco Umbrella R1 CA intermediate certificate, which is next in the certificate chain.
RFC 5280 Section 4.1.2.6 requires that a certificate chain maintain the same string encoding between the Issuer field of an issued certificate and the Subject field in the issuing certificate:
When the subject of the certificate is a CA, the subject field MUST be encoded in the
same way as it is encoded in the issuer field (Section 4.1.2.4) in all certificates
issued by the subject CA.
Many browsers do not enforce this requirement, but some, most notably Firefox, do. As a result, web clients such as Firefox will generate an untrusted site error and will not load websites when using SWG with the Customer CA-signed CA certificate feature.
To work around this issue, use a browser such as Chrome which does not enforce RFC 5280's requirement.
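To confirm whether a chain you have produced carries this mismatch before rolling it out, the following added check (not part of the article or of Umbrella's tooling) walks each DER certificate just far enough to read the string tags in its Issuer and Subject fields and compares them link by link; the three sample certificates are constructed, unsigned skeletons named after the chain described above, and the chain is passed leaf-first.

```python
# Added example, not the article's code: DER walk comparing Issuer vs issuing-CA Subject tags.
TAG_NAMES = {0x13: "PRINTABLESTRING", 0x0C: "UTF8STRING", 0x16: "IA5STRING"}

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """All (tag, value) pairs inside a SEQUENCE or SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def name_encodings(name):
    """String tag of each attribute value in a DER Name (SEQ of SET of SEQ)."""
    return [TAG_NAMES.get(children(atv)[1][0], "OTHER")
            for _, rdn in children(name) for _, atv in children(rdn)]

def issuer_and_subject(cert_der):
    fields = children(tlv(tlv(cert_der)[1])[1])     # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                        # skip explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject

def chain_mismatches(chain):
    """Leaf-first DER certs: flag links violating RFC 5280 section 4.1.2.6."""
    problems = []
    for i, cert in enumerate(chain[:-1]):
        issuer = name_encodings(issuer_and_subject(cert)[0])
        ca_subject = name_encodings(issuer_and_subject(chain[i + 1])[1])
        if issuer != ca_subject:
            problems.append(f"cert {i}: Issuer {issuer} vs CA Subject {ca_subject}")
    return problems
# Constructed sample: unsigned skeleton certs reproducing the article's chain.
def der(tag, content):                              # short-form lengths suffice here
    return bytes([tag, len(content)]) + content
def name(cn, tag):                                  # one RDN holding CN (OID 2.5.4.3)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(tag, cn))))
def skeleton_cert(issuer, subject):
    tbs = der(0x02, b"\x01") + der(0x30, b"") + issuer + der(0x30, b"") + subject
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
ROOT = skeleton_cert(name(b"Custom Root", 0x13), name(b"Custom Root", 0x13))
CUSTOMERS_CA = skeleton_cert(name(b"Custom Root", 0x13), name(b"Customers CA", 0x13))
R1_CA = skeleton_cert(name(b"Customers CA", 0x0C), name(b"Umbrella R1 CA", 0x0C))
MISMATCHES = chain_mismatches([R1_CA, CUSTOMERS_CA, ROOT])  # one mismatch at cert 0
```

On a real chain, read each .cer as DER bytes (convert from Base64 PEM first) and pass the list leaf-first; an empty result means every Issuer/Subject pair uses the same encodings.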
Step 1: Preparing AD Certificate Services Template
- Open the Active Directory Certification Authority MMC by navigating to Start -> Run -> MMC
- Click File -> Add/Remove Snap-in and add the Certificate Templates and Certification Authority snap-ins. Click OK
- Expand Certificate Templates and right-click on Subordinate Certification Authority. Click on Duplicate Template.
We will now create a custom certificate template that complies with the requirements listed in our documentation.
We highlight the requirements as they were documented at the time of this article's creation.
- Give the template a name which has meaning to you.
- Set the Validity Period to 35 months (3 years less a month)
- Set the Renewal Period to 20 Days
- Double-click on Basic Constraints
  - Ensure that Make this extension critical is ticked
- Under Key Usage
  - Ensure that Certificate Signing & CRL Signing are ticked.
  - Untick Digital Signature.
  - Ensure Make this extension critical is ticked here too.
- Double-click on Basic Constraints
- Click Apply and OK
Step 2: Issue the Template
- Now back in the MMC we set up in step 2 of the previous process, expand the Certificate Authority section.
- In the newly expanded section, right-click on the Certificate Templates folder and click New -> Certificate Template to Issue.
- In the new window select the name of the certificate template we created in the last section and click OK.
The CA is now ready to facilitate the request.
Step 3: Downloading and Signing the CSR
- Login to your Umbrella Dashboard (https://dashboard.umbrella.com)
- Navigate to Deployments -> Root Certificate
- Click the Add (+) icon in the upper right-hand corner and name your CA in the new window.
- Download the Certificate Signing Request (CSR)
- In a new browser tab, navigate to the web services for Active Directory Certificate Services (if you are using the local machine this would be 127.0.0.1/certsrv/ or similar).
- In the new page select Request a Certificate
- Select Advanced Certificate Request
- Under Saved Request, copy and paste the contents of the CSR we downloaded in step 4 (you will need to open it with a text editor)
- Under Certificate Template select the name of the certificate template we created in the Preparing the Certificate Template section and click Submit
- Make sure Base 64 encoded is selected, then select Download certificate and make note of the .cer file location.
Step 4: Upload the signed CSR (and Public Root Cert)
- On your Umbrella Dashboard, once again navigate to Deployments -> Root Certificate
- Click on the root certificate we created in Step 3 of the previous section
- Click Upload CA at the bottom right-hand corner of the line ***
- Click the top Browse button [Certificate Authority (Signed CSR)]
- Browse to the location of the .cer file we created in the previous section and click Save.
- Click Next and select the groups of computers/users you would like the certificate to be used with (instead of the Cisco Root Certificate) and hit Save
*** Optionally, you may also upload the CA certificate. This can be retrieved from the web interface of your certification authority server (http://127.0.0.1/certsrv/) by selecting Download a CA Certificate, Certificate Chain, or CRL. Follow the on-screen prompts to 'Download CA certificate' in Base 64 format.