This section describes how to cross-sign your CA certificate with the CSR file
for use by the on-premises gateway.
Procedure
- Check the following:
  - Your organization's CA certificate and the corresponding CA private key and its passphrase are already available.
  - The Path Length Constraint in your organization's CA certificate is set to None, so that there is no restriction on CA certificates further down the hierarchy.
  - The administrator has a basic knowledge of openssl commands.
- Create a folder named CrossSignTMWSCA_onprem.
  Note: The names of the folders and files created in this section are user customizable.
- Go to the newly created folder.
- Create a subfolder named newcerts.
- Create an empty file named certindex.
- Create a file, copy and paste the following text, and then save it as serialfile:

      000a

- Create a file, copy and paste the following text into the file, and then save it as tmws_ca.csr:

      -----BEGIN CERTIFICATE REQUEST-----
      MIICoDCCAYgCAQAwWzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
      DAJDVTEOMAwGA1UECgwFVFJFTkQxDDAKBgNVBAsMA0lXUzEUMBIGA1UEAwwLVFJF
      TkQuSVdTLjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc1NKr7o9A
      aGW4C6nSKYzWvEvgJdHgzQ/ehGwx1N/bLlbS01zNC5ceHUpd61BYIWNkHRKOuJVR
      K/ahN1CImp56PhcfpEAfxYVaiQXFDpgJws3eJbnaQkUv2NTu346zgkQkvheP2yh5
      pbPOT3jn7x1MLfQJxzQVaIz969JqfBdYZzLttCmc6cLWUe8L8OzFXb2XYb/E7ths
      58tDQ25+ZAAf+U7/pwZH4WE+9v+qBXfvbrkkF9Z7H0wLQPLLmV9kY9p0B8soss6N
      zXk23qTuN3auYnU6CuS9W8eAaoud42SDjyBt8Jd6VYb9fKWCcLOrfPfa9zvPcEhz
      GW/OEUrp/BnlAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAOhEex28QGiE1I9sr
      aPxbJQH0nuBuSZpoUjRjISRuf5yXZpcC1EUHuyANOYG2RbtKBYkbVtCOEsWeyr05
      FxiD2HCncL0SPglVUtW1b98AqzEeJfID8oopY1clWgjdTLGAnr8aRUjjpnyy1VX7
      3Z8xBxmnz1ttvFAgPr6uQV0VnG1DzKgmqTetNiIOp9b0sJzZD9wy3l472VqBZoZh
      waT0juUw9mgLEZT3srB2BIWzdVUbCIWQifTxlGU8y5qu4FGesYt29PWh3M251P1v
      5Pe7W56QtJkEi3v2vjSDe3S7WTkUdmrwsNtyCk/Xw+E14lDuzCG4pQtUYPtscILw
      hFcOPg==
      -----END CERTIFICATE REQUEST-----

- Create a file, copy and paste the following text into the file, and then save it as a configuration file named myca.conf:

      [ca]
      default_ca = rootca

      [crl_ext]
      #issuerAltName=issuer:copy #this would copy the issuer name to altname
      authorityKeyIdentifier=keyid:always

      [rootca]
      new_certs_dir = newcerts
      unique_subject = no
      certificate = root.cer #Your organization's CA certificate
      database = certindex
      private_key = root.key #Your organization's CA private key
      serial = serialfile
      default_days = 3660 #Should be at least two years from the date of cross-signing
      default_md = sha256 #sha256 is required.
      policy = myca_policy
      x509_extensions = myca_extensions

      [ myca_policy ]
      countryName = supplied
      stateOrProvinceName = supplied
      localityName = supplied
      organizationName = supplied
      organizationalUnitName = optional
      commonName = supplied
      emailAddress = optional

      [ myca_extensions ]
      #These extensions are required.
      basicConstraints = CA:true
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always
      keyUsage = keyCertSign, cRLSign

- Run the following command to cross-sign your organization's CA certificate using the CSR file:

      openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer

  A cross-signed certificate named 0A.pem is generated under folder newcerts.
- Go to and upload the certificate in the Cross-signed certificate for on-premises part of the Certificate section of a decryption rule as necessary.
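An added verification step for the certificate this procedure produces (example code, not part of the original procedure or of the product): check_cross_signed_cert confirms the SHA-256 signature, the required CA extensions, a validity period of at least two years and the chain to your CA certificate, and demo exercises it end to end with a constructed throwaway root CA and CSR standing in for root.cer, root.key and tmws_ca.csr, using a myca.conf whose policy section is reduced to commonName. It assumes openssl 1.1.1 or later, mktemp and grep -A are available on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original procedure: check_cross_signed_cert
# verifies the certificate produced by 'openssl ca' against the requirements
# listed above; demo builds a throwaway root CA and CSR (constructed stand-ins
# for root.cer, root.key and tmws_ca.csr) and signs it with the same settings.
check_cross_signed_cert() {   # usage: check_cross_signed_cert CERT ISSUER_CERT
  cert="$1"; issuer="$2"
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  echo "$text" | grep -q 'Signature Algorithm: sha256' || { echo "FAIL: default_md must be sha256"; return 1; }
  echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: basicConstraints must be CA:true"; return 1; }
  echo "$text" | grep -A1 'Key Usage' | grep -q 'Certificate Sign, CRL Sign' || { echo "FAIL: keyUsage must allow keyCertSign, cRLSign"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 63072000 >/dev/null || { echo "FAIL: expires within two years (730 days)"; return 1; }
  openssl verify -CAfile "$issuer" "$cert" >/dev/null 2>&1 || { echo "FAIL: does not chain to $issuer"; return 1; }
  echo "OK: $cert is a usable cross-signed CA certificate"
}
demo() (   # runs in a subshell inside a temp dir, so the caller's cwd is untouched
  cd "$(mktemp -d)" || exit 1
  # constructed organization root CA: CA:TRUE, keyCertSign and an SKID (needed for keyid:always)
  printf '[v3_root]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root_ext.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/C=US/ST=CA/O=ExampleOrg/CN=ExampleOrg Root CA" >/dev/null 2>&1 || exit 1
  openssl x509 -req -in root.csr -signkey root.key -days 7400 -extfile root_ext.cnf \
    -extensions v3_root -out root.cer >/dev/null 2>&1 || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out tmws_ca.csr \
    -subj "/C=US/ST=CA/L=CU/O=TREND/OU=IWS/CN=TREND.IWS.2" >/dev/null 2>&1 || exit 1   # constructed CSR, same subject as tmws_ca.csr
  mkdir newcerts && : > certindex && echo 000a > serialfile || exit 1
  cat > myca.conf <<'EOF'
[ca]
default_ca = rootca
[rootca]
new_certs_dir = newcerts
certificate = root.cer
database = certindex
private_key = root.key
serial = serialfile
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
commonName = supplied
[ myca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = keyCertSign, cRLSign
EOF
  openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer >/dev/null 2>&1 || exit 1
  check_cross_signed_cert newcerts/0A.pem root.cer   # serial 000a -> newcerts/0A.pem
)
```

After running the procedure, point check_cross_signed_cert at newcerts/0A.pem and your root.cer; run demo to see the whole flow in a temporary directory.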