
Configuring SSL certificate on CSS 11500

eric.n.winn
Level 1

Trying to set up a transparent SSL proxy from our CSS 11503 to 3 Microsoft IIS6 servers. Don't need sticky sessions as we are using an IMDB on a secondary network on the web servers so hitting any one will preserve session. All traffic uses SSL, no HTTP allowed.

Did the following:

1) ssl genrsa RSAkey1 1024 "pwd"

2) ssl associate rsakey RSA1 RSAkey1

3) ssl gencsr RSAkey1

4) copied CSR into Verisign MPKI portal and selected Microsoft as the OS (LB 3 IIS6 servers)

5) Concatenate Verisign Intermediate with cert returned from step 4

6) copy ssl sftp ssl_record import chainedcsrt.cer PEM "pwd"

7) ssl associate cert Cert1 chainedcert.cer

Response:

%% Not a valid key or certificate file

Tried with just base cert received from step 4 and get same error.

However, if I export one of the certs and private key from one of the Windows 2003 servers and import it, this works:

1) copy ssl sftp ssl_record import mycert.pfx PKCS12 "pwd" "pwd"

2) ssl associate cert Cert1 mycert.pfx

3) ssl associate rsakey RSA1 mycert.pfx

show ssl assoc indicates all is well.

How do I install a cert generated entirely from the CSS by submitting the csr to Verisign? Do I need to pick a different OS option? There is nothing listed for a CSS although there are options for other load balancers...

Thanks,

-Eric


owillins
Level 6

Maybe you enabled the unwanted things; make sure, i.e. passphrase etc.

eric.n.winn
Level 1

I should also add that prior to this I ran through the same 7 steps above but in step (4) I used a Microsoft Windows Server 2003 Certificate Server to submit the CSR generated from the CSS and in step (5) I concatenated the root CA from the Certificate Server with the certificate generated from the CSR and successfully imported, set up the ssl associations, ssl-proxy-list, and had a working VIP.

Doing this validated the documented Cisco process but this same process fails when using the Verisign Managed PKI portal and I have yet to discover why.

I also tried changing the order of concatenation but that gave the same error.

e.alcantara
Level 1

eric,

You could try to pick the Sonicwall OS option on Verisign. We were able to use the CSR (generated from the CSS) using this option.
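The import in step 6 of the question declares the file as PEM, and the thread shows the result depending on which OS option was chosen at the CA, so it helps to check what a delivered file actually contains before copying it to the CSS. The following is an added example, not part of the original thread and not Cisco or Verisign code; the function names are hypothetical and the sample inputs are constructed header-only stubs, not real certificates.

```python
import base64
import re

# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def classify_der(der):
    """Guess the container type from the first bytes inside the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return "not DER"
    # Short-form length is one octet; long form adds (octet & 0x7F) length octets.
    offset = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    body = der[offset:]
    if body.startswith(PKCS7_SIGNED_DATA):
        return "PKCS#7 bundle"
    if body.startswith(b"\x02\x01\x03"):      # PFX version INTEGER 3
        return "PKCS#12 (PFX)"
    if body[:1] == b"\x30":                   # nested SEQUENCE; a CSR looks the same,
        return "X.509-like"                   # so read this together with the PEM label
    return "unknown DER"

def inspect_file(data):
    """Return one (PEM label, guessed type) pair per object found in the file bytes."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:                            # no PEM armor: treat as raw DER
        return [("(binary)", classify_der(data))]
    results = []
    for label, b64 in blocks:
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
            results.append((label, classify_der(der)))
        except ValueError:                    # binascii.Error subclasses ValueError
            results.append((label, "bad base64"))
    return results

def pem_wrap(label, der):
    """Armor DER bytes the way a CA-delivered PEM file is laid out."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

# Constructed header-only stubs, NOT real certificates: just enough DER to classify.
CERT_STUB = b"\x30\x04\x30\x02\x05\x00"
P7_STUB = b"\x30\x0b" + PKCS7_SIGNED_DATA
PFX_STUB = b"\x30\x03\x02\x01\x03"

if __name__ == "__main__":
    chained = pem_wrap("CERTIFICATE", CERT_STUB) + pem_wrap("CERTIFICATE", CERT_STUB)
    for name, sample in [("chained PEM", chained), ("PKCS7", pem_wrap("PKCS7", P7_STUB)), ("pfx", PFX_STUB)]:
        print(name, inspect_file(sample))
```

This is a structural check only: it reads the outer DER header and does not validate signatures, chain order or key match. On a real file, pass the bytes read from disk to `inspect_file`.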
