
I have a PKI tree, and the Ironport is a CA at the second level of the PKI tree (for issuing HTTPS inspection certs).

Although I deployed the root certificate to all clients, and chrome/IE work correctly, Firefox maintains its own certificate store independent of Windows.

I want to only ask the helpdesk to import the Root certificate, and not the Ironport intermediate cert, into the Firefox trusted store. I assume that the problem here is similar to other website issues where the device isn't sending "linked/chained" certificates (e.g. sending the root cert inline with the HTTPS stream).

Since the Ironport UI only allows the import of a PEM format certificate, is there any way I can make the Ironport send the entire HTTPS public chain to browsers, rather than just the last-mile certificate?

makerofthings7

1 Answer


In the Ironport web administration page, under Network/Certificates, you can define the various certificates you wish to use for SMTPS and HTTPS.

When defining a new certificate, you can upload the (last step) PKCS#12 certificate.

After this, you can edit the existing certificate via the same page. At the bottom of the page is a collapsed section "Intermediate Certificates (optional)". Open this, and it will allow you to upload as many intermediate certificates as are necessary to complete the chain.

Now you can associate this certificate with your HTTPS service on the Ironport, and it will send the full certificate chain.

We do this here using QuoVadis certs which require 3 intermediate certificates, and it works.

Steve Shipway
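An added example, not part of the question or answer above and not Ironport code: it builds a throwaway three-tier PKI with the openssl CLI (root -> issuing intermediate -> leaf, mirroring the root/Ironport/leaf layout in the question) and then reproduces the failure the asker describes. A client that trusts only the root cannot validate the leaf on its own; once the intermediate travels with the leaf (openssl's `-untrusted`, which is how a browser treats certificates received over the wire) the same root is enough. All subjects, file names and the `proxy.example.test` hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question or answer. Throwaway three-tier PKI
# (root -> intermediate -> leaf) that shows why a client holding only the
# root needs the intermediate sent alongside the leaf. All names, subjects
# and paths below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# X.509 v3 extensions for the two CA certs and for the leaf (constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:proxy.example.test\n' \
  > "$WORK/leaf.ext"

# mk_csr NAME SUBJECT: fresh RSA key plus CSR under $WORK/NAME.{key,csr}
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# build_pki: root (self-signed) -> inter (signed by root) -> leaf (signed by inter)
build_pki() {
  mk_csr root  "/CN=Example Root CA"
  mk_csr inter "/CN=Example Issuing CA (proxy)"
  mk_csr leaf  "/CN=proxy.example.test"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
  # What the proxy should present: leaf first, then every intermediate (root optional).
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
}

# Client with only the root in its trust store; server sends just the leaf.
# Returns 0 on a valid chain, non-zero otherwise.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also sends the intermediate. -untrusted marks it
# as "received over the wire, not trusted by itself", which is how browsers
# treat a served intermediate.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in a chain file
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

build_pki
if verify_leaf_only; then echo "leaf only: OK"; else echo "leaf only: FAILS (unable to get local issuer)"; fi
if verify_with_chain; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: FAILS"; fi
echo "certificates the proxy should send: $(count_certs "$WORK/chain.pem")"
```

To check what a real appliance actually serves after uploading the intermediates, `openssl s_client -connect host:443 -servername host -showcerts` prints every certificate in the handshake; the leaf should be followed by each intermediate up to (but not necessarily including) the root that the helpdesk imported.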