Configuring SSL certificate on CSS 11500

Unanswered Question
Mar 5th, 2008

Trying to set up a transparent SSL proxy from our CSS 11503 to 3 Microsoft IIS6 servers. Don't need sticky sessions as we are using an IMDB on a secondary network on the web servers so hitting any one will preserve session. All traffic uses SSL, no HTTP allowed.

Did the following:

1) ssl genrsa RSAkey1 1024 "pwd"

2) ssl associate rsakey RSA1 RSAkey1

3) ssl gencsr RSAkey1

4) copied CSR into Verisign MPKI portal and selected Microsoft as the OS (LB 3 IIS6 servers)

5) Concatenate Verisign Intermediate with cert returned from step 4

6) copy ssl sftp ssl_record import chainedcsrt.cer PEM "pwd"

7) ssl associate cert Cert1 chainedcert.cer


%% Not a valid key or certificate file

Tried with just base cert received from step 4 and get same error.

However, if I export one of the certs and its private key from one of the Windows 2003 servers and import it, this works:

1) copy ssl sftp ssl_record import mycert.pfx PKCS12 "pwd" "pwd"

2) ssl associate cert Cert1 mycert.pfx

3) ssl associate rsakey RSA1 mycert.pfx

show ssl assoc indicates all is well.

How do I install a cert generated entirely from the CSS by submitting the csr to Verisign? Do I need to pick a different OS option? There is nothing listed for a CSS although there are options for other load balancers...



owillins Tue, 03/11/2008 - 14:43

Maybe you enabled the unwanted things; make sure, i.e. passphrase, etc.

eric.n.winn Wed, 03/12/2008 - 08:31

I should also add that prior to this I ran through the same 7 steps above but in step (4) I used a Microsoft Windows Server 2003 Certificate Server to submit the CSR generated from the CSS and in step (5) I concatenated the root CA from the Certificate Server with the certificate generated from the CSR and successfully imported, set up the ssl associations, ssl-proxy-list, and had a working VIP.

Doing this validated the documented Cisco process but this same process fails when using the Verisign Managed PKI portal and I have yet to discover why.

I also tried changing the order of concatenation but that gave the same error.

e.alcantara Tue, 03/18/2008 - 13:10


You could try to pick the Sonicwall OS option on Verisign. We were able to use the CSR (generated from the CSS) using this option.
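A way to inspect the file a CA portal returns, and the concatenated chain from step 5, before the PEM import in step 6. This is an added example, not part of any post in this thread and not Cisco or Verisign code. `inspect_pem`, `_sample_block` and the sample bytes are constructed for illustration, and treating anything other than a `CERTIFICATE` block as a problem is an assumption about what the PEM import wants, not documented CSS behaviour.

```python
import base64
import re
import sys

# Generic PEM framing checks (RFC 7468 style); not the CSS's own validation logic.
BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)
FUSED = re.compile(rb"(-----END [A-Z0-9 ]+-----)[ \t]*(-----BEGIN)")

def inspect_pem(data: bytes) -> dict:
    """Return the PEM block labels found in `data`, in order, plus any problems."""
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:
        return {"labels": [], "problems": ["binary DER, not PEM text"]}
    problems = []
    # Concatenating two files when the first lacks a trailing newline glues
    # the END line of one block to the BEGIN line of the next.
    if FUSED.search(data):
        problems.append("END and BEGIN lines fused: missing newline between blocks")
        data = FUSED.sub(rb"\1\n\2", data)  # repair so the blocks can still be listed
    labels = []
    for begin, body, end in BLOCK.findall(data):
        label = begin.decode()
        labels.append(label)
        if begin != end:
            problems.append(f"BEGIN {label} closed by END {end.decode()}")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            problems.append(f"{label}: decoded body is not an ASN.1 SEQUENCE")
        if label != "CERTIFICATE":  # e.g. PKCS7 or CERTIFICATE REQUEST
            problems.append(f"{label}: not an X.509 CERTIFICATE block")
    if not labels:
        problems.append("no PEM blocks found")
    return {"labels": labels, "problems": problems}

def _sample_block(label: bytes, der: bytes = b"\x30\x03\x02\x01\x01") -> bytes:
    """Constructed stand-in block (tiny ASN.1 SEQUENCE), not a real certificate."""
    b64 = base64.b64encode(der)
    return b"-----BEGIN " + label + b"-----\n" + b64 + b"\n-----END " + label + b"-----\n"

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print(inspect_pem(fh.read()))
```

Run it against the file from the portal and again against the concatenated file; an empty `problems` list only means the PEM framing is sound, not that the chain or key matches.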

