CSS certificate problems

Sep 28th, 2007

Hi, I installed and associated my cert on my CSS, but am having problems getting it working...

What I need is to be able to browse FROM my web server to a specific website which provided me with the cert 'myRSAcert' below. I have implemented the below but when I browse to the website it says I have no cert installed. I have not configured anything locally on the server, I have only configured on the CSS.

Here is what I have done on the CSS:

I have set up my 443 content rule:

    content myContentRule443
      vip address
      port 443
      add service ssl_test


I have added my service:

    service ssl_test
      type ssl-accel
      slot 2
      keepalive type none
      add ssl-proxy-list ssl_list


I have added an ssl-server in my ssl_list:

    ssl-server 50
    ssl-server 50 vip
    ssl-server 50 rsakey myRSAkey
    ssl-server 50 rsacert myRSAcert
    cipher rsa-with-rc4-128-md5 80


I have set up my 80 content rule:

    content myContentRule80
      vip address
      port 80
      add service server1


I have set up my internal web server:

    service server1
      keepalive type http
      keepalive port 80
      keepalive freq 6
      protocol tcp
      port 80
      ip address


Am I correct in this general set up, or have I missed anything out?

Can anyone please help?

RODRGUTI Sat, 09/29/2007 - 15:15


Please add this command:

    content myContentRule443
      vip address
      port 443
      add service ssl_test
      application ssl    <-- add this


This command should make it work, if service server1 is alive.

If you do an HTTP request on port 80, does it work?

- Rodrigo.

Gilles Dufour Sun, 09/30/2007 - 00:47

OK, ignore the other comment about application ssl. That's not required.

If I understand correctly the source of the traffic is

But from your config, this is also the destination.

Is this correct?

If you want the browser to be able to open a connection to the vip, you need to configure client nat using a 'group'.

I can assist you with this if that's what you need.

But, if you want to do SSL initiation - the source sends cleartext request and the CSS encrypts everything before forwarding to a remote server, then your config is wrong.

Please, let us know what you need exactly.


cisco-pix Sun, 09/30/2007 - 03:18

I am looking to browse to a website ( from my local server ( My VIP is

In order for me to browse to this website I am required to have a cert, which I have requested and installed - myRSAcert.

Am I missing anything?


cisco-pix Mon, 10/01/2007 - 07:11

Hi, thanks for your help. I have looked through this and this is what I came up with:

1. Create a backend server, defining my Virtual backend ( and the Server I connect to externally (

    ssl-proxy-list ssl_list1
      backend-server 50
      backend-server 50 type initiation
      backend-server 50 ip address (INTERNAL - my virtual backend ssl server)
      backend-server 50 server-ip (EXTERNAL - ip of the website I am looking to browse to)
      backend-server 50 rsacert myRSAcert
      backend-server 50 rsakey myRSAkey

2. Add an SSL service:

    service myService1
      type ssl-init
      ip address
      slot 2
      keepalive type none
      add ssl-proxy-list ssl_list1


3. Add a content rule:

    owner ContentRules
      content myContentRule1
        add service myService1
        vip address
        protocol tcp
        port 80


It still doesn't work, I am wondering am I missing anything else here?

Thanks so much for your help.

Gilles Dufour Tue, 10/02/2007 - 03:01

You also need to set the cipher:

backend-server 50 cipher rsa-with-rc4-128-sha

If that does not work after that, get us a 'show summary' and 'show ssl statistics' before and after opening a connection.

Capture a trace on your server and a simultaneous trace on the other side of the CSS.
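
The missing `cipher` line pointed out in the last reply is the kind of gap a small configuration check catches before a change goes live. The following is an added example, not part of the original thread or any Cisco tooling: a Python lint over a CSS `ssl-proxy-list` stanza that reports backend-server entries lacking the settings used in this thread and flags RC4 or MD5 cipher suites (RC4 is prohibited for TLS by RFC 7465). The required-settings list, the documentation-range sample addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the backend-server stanza from the thread, with
# documentation-range addresses (192.0.2.10, 198.51.100.20) as placeholders.
SAMPLE = """\
ssl-proxy-list ssl_list1
  backend-server 50
  backend-server 50 type initiation
  backend-server 50 ip address 192.0.2.10
  backend-server 50 server-ip 198.51.100.20
  backend-server 50 rsacert myRSAcert
  backend-server 50 rsakey myRSAkey
"""

KEYS = ("ip address", "server-ip", "type", "cipher", "rsacert", "rsakey")
# Assumption: the settings this thread treats as needed for SSL initiation.
REQUIRED = ("type", "ip address", "server-ip", "cipher")
LINE = re.compile(r"^\s*backend-server\s+(\d+)(?:\s+(.*\S))?\s*$")


def parse_backend_servers(config):
    """Return {number: {setting: value}} for every backend-server line."""
    servers = defaultdict(dict)
    for raw in config.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        entry = servers[int(m.group(1))]  # a bare "backend-server 50" creates it
        rest = m.group(2) or ""
        for key in KEYS:
            if rest == key or rest.startswith(key + " "):
                entry[key] = rest[len(key):].strip()
                break
    return dict(servers)


def lint(config):
    """List findings: missing or empty settings, and RC4/MD5 cipher suites."""
    findings = []
    for num, cfg in sorted(parse_backend_servers(config).items()):
        for key in REQUIRED:
            if not cfg.get(key):
                findings.append(f"backend-server {num}: missing '{key}'")
        cipher = cfg.get("cipher", "")
        if "rc4" in cipher or "md5" in cipher:
            findings.append(f"backend-server {num}: weak cipher {cipher}")
    return findings
```

Calling `lint(SAMPLE)` reports the missing cipher; a setting whose value is blank, such as an `ip address` line with no address, is reported as missing too.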


