Importing SSL certificate to CSS11501

Unanswered Question
Jan 20th, 2008

Hi,


I am setting up a CSS11501 where I want to implement SSL offloading in a one-armed-bandit configuration.


My question is how to import an existing Verisign certificate to the CSS11501 that is currently installed on a Win2K web server. Do I have to revoke the existing certificate and apply for a new one by generating the CSR on the CSS or is there a way to import the existing certificate to the CSS and how can this be done?


Thanks,


Cuneyt

Diego Vargas (Cisco Employee) Mon, 01/21/2008 - 05:01

Hi Cuneyt,


Sure, you can import the file. If it is currently installed on a Win2K server it is probably in PKCS12 format, so you need the passphrase used to generate the file.


Here is the procedure:


http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/certkeys.html#wp999051


Please let me know if you have any questions or problems.


cardahanli Mon, 01/21/2008 - 05:24

Hi,


Thanks for the swift reply. I have one other question: should I rename the extension of the certificate to PKCS12 format?


Kind Regards,


Cuneyt

Diego Vargas (Cisco Employee) Mon, 01/21/2008 - 05:40

Hi Cuneyt,


No that is not necessary. The file will be PKCS12 format regardless of the extension.


Common extensions for PKCS12 files are .p12 or .pfx; then again, that makes no difference to the file format, so all you need to make sure of is to tell the CSS this is PKCS12 when uploading the file.


Actually, make sure it is. I am assuming it is because that is the common Windows format for an SSL file; anyway, it might be a PEM, so better be 100% sure before installing the file on the CSS.


Hope it helps!!

cardahanli Mon, 01/21/2008 - 12:56

Hi,


Thanks for the info. So far it is clear how to import the certificate. However, I have another question:


After importing and associating the certificate do I also need to associate a key pair? If yes, what key is this?


I also saw in some example configurations the following:


ssl-proxy-list test
  ssl-server 111
  ssl-server 111 vip address 192.168.5.5
  ssl-server 111 port 443
  ssl-server 111 rsacert rsacert
  ssl-server 111 rsakey rsakey
  ssl-server 111 cipher rsa-with-rc4-128-md5 192.168.5.5 80
  active


The rsacert is clear to me; however, the rsakey and the cipher are not clear. Is it possible for you to explain both and whether I need these in case of SSL termination with an imported certificate from a Win2K server?


Thanks a lot!


Cuneyt

Diego Vargas (Cisco Employee) Mon, 01/21/2008 - 13:06

Hi,


Well, actually, this is the whole process. When you need to use SSL for your site you create a keypair which contains a public and a private key.


You save your private key and use the public key to create a CSR (Certificate Signing Request) which you send to your CA; then they come up with the certificate.


In your case that process was followed before the certificate was installed on your Win2K server.


If your certificate is in PKCS12 format, then the keypair and the cert are in the same file. In the case of PEM there would be a file for the keypair and another for the cert.


In your case (then again, if your file is PKCS12) you just upload the file to the CSS and then associate the rsakey and the cert. Both associations are done to the same file, but one will be the rsakey and the other the rsacert; the name you use is the same one you need to include in the ssl-server configuration.


With regards to the cipher command, well, it defines what cipher suite the CSS will support, and that needs to match one of the ciphers supported by the client's browser or application (cipher rsa-with-rc4-128-md5 is supported by most clients).


The IP and port you configure on the cipher command define where the SSL module will send the traffic after decrypting it. For instance, the cipher in your example means that the CSS will take traffic on port 443 going to 192.168.5.5 and will send it to the same VIP but destined to port 80, which will be matched by a clear-text content rule configured on port 80 that contains the real servers to send the traffic to.


Please let me know if it makes any sense.
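Diego's advice to be 100% sure of the file format before uploading can be checked offline. The following is an added example, not code from this thread or from Cisco's documentation: it sniffs whether a file is PEM or a DER-encoded PKCS#12 container by parsing only the outer structure, and for PEM reports whether a private key block is present at all (needed for the rsakey). `_tlv` and `sniff_cert_file` are names chosen here, and the sample byte strings are constructed stubs, not real exports.

```python
# Added example (not from this thread): sniff whether an exported certificate
# file is PEM or a DER-encoded PKCS#12 bundle before uploading it to the CSS.
# Standard library only; the byte strings at the bottom are constructed samples.

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def sniff_cert_file(data: bytes) -> dict:
    """Classify data as PEM, PKCS12 or unknown and report what it carries."""
    if data.lstrip().startswith(b"-----BEGIN"):
        # PEM: cert and key are separate blocks, possibly in separate files.
        # A PEM file with no PRIVATE KEY block cannot serve as the rsakey.
        return {"format": "PEM",
                "has_private_key": b"PRIVATE KEY-----" in data}
    try:
        tag, body, end = _tlv(data, 0)
        if tag != 0x30 or end != len(data):   # outer SEQUENCE must span the file
            return {"format": "unknown"}
        vtag, ver, p = _tlv(body, 0)          # PFX version INTEGER, always 3
        stag, _, p = _tlv(body, p)            # authSafe ContentInfo SEQUENCE
        if vtag != 0x02 or ver != b"\x03" or stag != 0x30:
            return {"format": "unknown"}
        # Optional trailing macData SEQUENCE: an integrity MAC keyed from the
        # passphrase used at export, the same passphrase the import will need.
        has_mac = p < len(body) and body[p] == 0x30
        return {"format": "PKCS12", "has_mac": has_mac}
    except IndexError:                        # truncated or not DER at all
        return {"format": "unknown"}

# Constructed samples: minimal PKCS#12 shells (empty authSafe) and a PEM stub.
SAMPLE_PKCS12_WITH_MAC = b"\x30\x07\x02\x01\x03\x30\x00\x30\x00"
SAMPLE_PKCS12_NO_MAC = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("with-mac.pfx", SAMPLE_PKCS12_WITH_MAC),
                       ("no-mac.pfx", SAMPLE_PKCS12_NO_MAC),
                       ("cert.pem", SAMPLE_PEM_CERT)]:
        print(name, sniff_cert_file(blob))
```

To check a real export, read the .pfx or .pem from disk in binary mode and pass the bytes to `sniff_cert_file`; a PEM result with `has_private_key` False means the key is in a second file that must be uploaded as well.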

cardahanli Mon, 01/21/2008 - 13:17

Hi,


Thanks for the reply. It is very clear to me now. Just for my understanding: what are the dsakey and dhparams used for? (This will be my last question for now:)


Thanks a lot!


Cuneyt

cardahanli Thu, 01/24/2008 - 00:19

Hi,


I have another question.


The client where I want to do this implementation has one webserver that listens on both http and https at this moment. In the new construction, the SSL certificate on the server will be imported to the CSS and the webserver will only listen on http. How can I make sure that when a client wants to enter the secure part of the website, it will get https instead of http? Do I need to do a redirect or URL rewrite?


Thanks a lot.


Cuneyt
