How to create and import a Microsoft subordinate certificate authority (Sub CA) for Skyhigh Web Gateway
Technical Articles ID: KB75037
Last Modified: 2023-12-13 10:55:48 Etc/GMT
Environment
Skyhigh Web Gateway (SWG)
Summary
The following procedures describe how to create a subordinate certification authority (Sub CA) from a Microsoft CA, for use by the SWG SSL Scanner function.
NOTES:
- The following procedures assume that you’re using Internet Explorer as your browser. The steps might vary if you’re using a different browser.
- We strongly recommend that you read the entire article before starting the process.
Create the subordinate certificate authority
- Open the Certificate Authority page, which is typically http://<server address>/certsrv.
- Click Request a Certificate.
- Click Advanced Certificate Request.
- Click Create and submit a request to this CA.
- Fill in the requested information for the Certificate:
  - In the Certificate Template drop-down list, make sure that you select Subordinate Certification Authority.
  - Fill in all identifying information in the first section, such as name, email, company, department, city, state, and country.
  - Under the Key Options section, make sure that you set the key size to a minimum of 2048.
  - Make sure that the Mark keys as exportable checkbox is selected.
- Click Submit to submit the request.
- Click Install this Certificate, and install the certificate on your workstation.
Export the certificate
- From Internet Explorer, go to Tools, Internet Options, Content tab, and click Certificates. The certificate you installed appears on the Personal tab.
- Select it, and click Export. The Certificate Export wizard starts.
- Complete the Certificate Export wizard:
  - Click Next on the first screen.
  - Select Yes, export the private key, and click Next.
  - Select Include certificates in the certification path if possible and Enable strong protection. Click Next.
    IMPORTANT: In newer versions of Windows, Enable strong protection might not be available. Instead, select Include certificates in the certification path if possible and Enable Certificate Privacy.
  - Enter a password, and click Next. You need this password again when you import the file on the SWG.
  - Enter a file name, and specify where to save the file. The file is saved with a .pfx extension.
Export the PEM certificate and keyfile from the .pfx file
- Upload the .pfx file that you created in the previous steps to a computer with OpenSSL installed.
NOTE: This example assumes that you're using SWG, which has OpenSSL installed.
- Using WinSCP or a similar file transfer application, transfer the file to SWG, and note the directory to which you upload it.
- Export the files using the following commands:
  NOTE: These steps assume that your .pfx file is named WebGateway.pfx. Substitute your actual file name.
  - To export the PEM certificate, use the following command: openssl pkcs12 -in WebGateway.pfx -nokeys -out WebGateway.crt
  - When prompted, enter the password that you specified during the export. The status message MAC verified OK indicates that the .crt file was generated.
  - To export the key file (the private key, written unencrypted because of -nodes, together with the CA certificates from the certification path), use the following command: openssl pkcs12 -in WebGateway.pfx -cacerts -nodes -out WebGateway.pem
  - When prompted, enter the same password again. The status message MAC verified OK indicates that the .pem file was generated.
- To clean up the files and get them into the format that SWG expects, run the following commands from the SWG command line:
  - To generate a clean certificate: openssl x509 -in WebGateway.crt -out SubCA-cert.pem
  - To generate a clean private key: openssl rsa -in WebGateway.pem -out SubCA-key.pem
  - Optional: To generate a clean chain file, where RootCA-cert.pem is your root CA's certificate in PEM format: cat RootCA-cert.pem SubCA-cert.pem > chain.pem
    NOTE: The chain must contain every certificate in the certification path. Do not include any private keys in it.
- Copy the newly generated files from the SWG file system to your workstation, using WinSCP or a similar file transfer application.
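The conversion above as one POSIX shell script, added here as an example rather than code from the KB or from Skyhigh: it runs the article's openssl commands, then checks that the private key matches SubCA-cert.pem, that the certificate is a CA, that it verifies against RootCA-cert.pem, and that chain.pem contains no key. It assumes openssl is on PATH and that RootCA-cert.pem can be taken from the certification path inside the .pfx; the root, Sub CA and WebGateway.pfx it builds are constructed stand-ins for the Microsoft CA output, and -passin replaces the interactive password prompt.

```shell
#!/bin/sh
# Added example, not part of the KB: run the article's .pfx-to-PEM conversion, then
# check that the Sub CA files belong together before importing them into SWG. Assumes
# openssl on PATH; RootCA-cert.pem is taken from the certification path in the .pfx.
set -e

# The KB's extraction steps for pfx $1 with password $2, written into directory $3.
# -passin stands in for the interactive prompt; -clcerts keeps the .crt to the Sub CA.
extract_subca() {
  pfx=$1; pw=$2; dir=$3
  openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pw" -out "$dir/WebGateway.crt"
  openssl x509 -in "$dir/WebGateway.crt" -out "$dir/SubCA-cert.pem"   # clean certificate
  # The KB's key export: unencrypted private key (-nodes) plus the CA certs, then a clean key.
  openssl pkcs12 -in "$pfx" -cacerts -nodes -passin "pass:$pw" -out "$dir/WebGateway.pem"
  openssl rsa -in "$dir/WebGateway.pem" -out "$dir/SubCA-key.pem"
  # Root certificate(s) only, then the chain file: certificates only, never a private key.
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pw" -out "$dir/RootCA-cert.pem"
  cat "$dir/RootCA-cert.pem" "$dir/SubCA-cert.pem" > "$dir/chain.pem"
}

# Checks worth running before the SWG import; returns 1 on the first failure.
verify_subca() {
  dir=$1
  # The private key must belong to the certificate: compare the two public keys.
  cert_pub=$(openssl x509 -in "$dir/SubCA-cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/SubCA-key.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "SubCA-key.pem does not match SubCA-cert.pem" >&2; return 1; }
  # The SSL Scanner signs with it, so it must carry Basic Constraints CA:TRUE.
  openssl x509 -in "$dir/SubCA-cert.pem" -noout -text | grep -q 'CA:TRUE' \
    || { echo "SubCA-cert.pem is not a CA certificate" >&2; return 1; }
  # It must verify against the root, and the chain file must not carry a key.
  openssl verify -CAfile "$dir/RootCA-cert.pem" "$dir/SubCA-cert.pem" >/dev/null \
    || { echo "SubCA-cert.pem does not chain to RootCA-cert.pem" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$dir/chain.pem"; then echo "chain.pem contains a key" >&2; return 1; fi
}
# Constructed sample input: a throw-away root and Sub CA bundled the way the Windows export
# wizard does (key, Sub CA certificate, root in the path); a stand-in for the Microsoft CA.
make_sample_pfx() {
  dir=$1; pw=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  for n in root sub; do   # two CA key pairs and requests
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n CA" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1 -extfile "$dir/ca.ext" -out "$dir/sub.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/sub.key" -in "$dir/sub.crt" -certfile "$dir/root.crt" \
    -passout "pass:$pw" -out "$dir/WebGateway.pfx"
}
```

Run it as `make_sample_pfx "$dir" "$pw"; extract_subca "$dir/WebGateway.pfx" "$pw" "$dir"; verify_subca "$dir"`; against a real export, skip make_sample_pfx and point extract_subca at the .pfx from the wizard.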
Import the Sub CA files into SWG
- Log on to the SWG web interface. Navigate to Policy, Settings, SSL Client Context with CA.
- Select the Default CA, or the CA into which you want to import this certificate, and then click Import on the right side of the screen:
  - In the Certificate field, point SWG to the SubCA-cert.pem file that you generated in the previous section.
  - In the Private Key field, point SWG to the SubCA-key.pem file that you generated in the previous section.
  - Leave the Password field empty, unless you protected the private key with a new password in the previous section.
  - In the Certificate Chain field, point SWG to the chain.pem file that you generated in the previous section.
- Click OK. Your new CA is imported on SWG.