03-05-2008 02:54 PM - edited 03-05-2019 09:34 PM
Trying to set up a transparent SSL proxy from our CSS 11503 to 3 Microsoft IIS6 servers. Don't need sticky sessions as we are using an IMDB on a secondary network on the web servers so hitting any one will preserve session. All traffic uses SSL, no HTTP allowed.
Did the following:
1) ssl genrsa RSAkey1 1024 "pwd"
2) ssl associate rsakey RSA1 RSAkey1
3) ssl gencsr RSAkey1
4) copied CSR into Verisign MPKI portal and selected Microsoft as the OS (LB 3 IIS6 servers)
5) Concatenate Verisign Intermediate with cert returned from step 4
6) copy ssl sftp ssl_record import chainedcsrt.cer PEM "pwd"
7) ssl associate cert Cert1 chainedcert.cer
Response:
%% Not a valid key or certificate file
Tried with just base cert received from step 4 and get same error.
However, if I export one of the certs and its private key from one of the Windows 2003 servers and import it, this works:
1) copy ssl sftp ssl_record import mycert.pfx PKCS12 "pwd" "pwd"
2) ssl associate cert Cert1 mycert.pfx
3) ssl associate rsakey RSA1 mycert.pfx
show ssl assoc indicates all is well.
How do I install a cert generated entirely from the CSS by submitting the csr to Verisign? Do I need to pick a different OS option? There is nothing listed for a CSS although there are options for other load balancers...
Thanks,
-Eric
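An added example, not from the original thread and not Cisco's own tooling: a small Python checker for the PEM container format of the concatenated chain file from steps 5 and 6, meant to be run on the file before the `copy ssl sftp ... import ... PEM` step. It works on the assumption that a malformed container (text pasted around the blocks, Windows line endings, base64 that does not decode, or a body that is not a DER SEQUENCE) is one possible cause of a generic "not a valid key or certificate file" error. It checks the container only; it does not verify signatures or chain order. The sample chain inside it is constructed from a toy five-byte DER blob, not a real certificate.

```python
"""Sanity-check a concatenated PEM certificate chain before importing it.

Added example, not part of the original thread or of Cisco's CSS software.
It checks only the PEM container: block markers, clean base64, and that each
decoded body is a well-formed DER SEQUENCE of the declared length.
"""
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_sequence_length(blob: bytes):
    """Total length of the DER SEQUENCE at blob[0], or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_pem_chain(text: str) -> dict:
    """Parse PEM text; return block count, labels and a list of problems."""
    problems = []
    blocks = []          # (label, decoded bytes)
    current = None       # (label, [base64 lines]) while inside a block
    if "\r" in text:
        problems.append("CRLF line endings present (file likely saved on Windows)")
    for lineno, raw in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = raw.strip()
        if not line:
            continue
        m = BEGIN.match(line)
        if m:
            if current is not None:
                problems.append(f"line {lineno}: BEGIN inside an open {current[0]} block")
            current = (m.group(1), [])
            continue
        m = END.match(line)
        if m:
            if current is None or current[0] != m.group(1):
                problems.append(f"line {lineno}: END {m.group(1)} without matching BEGIN")
                current = None
                continue
            label, body = current
            current = None
            try:
                blob = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"line {lineno}: {label} body is not clean base64")
                continue
            expected = der_sequence_length(blob)
            if expected is None or expected != len(blob):
                problems.append(f"line {lineno}: {label} is not a DER SEQUENCE of the declared length")
                continue
            blocks.append((label, blob))
            continue
        if current is None:
            # Anything outside a block (portal banners, "Bag Attributes", HTML) is suspect.
            problems.append(f"line {lineno}: text outside any PEM block: {line[:40]!r}")
        else:
            current[1].append(line)
    if current is not None:
        problems.append(f"unterminated {current[0]} block at end of file")
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    return {"certificates": len(certs),
            "labels": [b[0] for b in blocks],
            "problems": problems}


# Constructed inputs: the base64 is a 5-byte DER SEQUENCE {INTEGER 1}, not a real certificate.
TOY_DER_B64 = "MAMCAQE="
GOOD_CHAIN = (
    "-----BEGIN CERTIFICATE-----\n" + TOY_DER_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + TOY_DER_B64 + "\n-----END CERTIFICATE-----\n"
)
# Same chain with portal text pasted above the first block and CRLF line endings.
BAD_CHAIN = "Copy the certificate below:\r\n" + GOOD_CHAIN.replace("\n", "\r\n")

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_pem_chain(chain))
```

Run it against the file you intend to push with `copy ssl sftp`; a clean result means the container is sound, so the next thing to examine is the certificate content or format the portal actually delivered (for example PKCS#7 instead of a bare PEM certificate), not the concatenation.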
03-11-2008 02:43 PM
Maybe you enabled unwanted things; make sure, i.e. passphrase etc.
03-12-2008 08:31 AM
I should also add that prior to this I ran through the same 7 steps above but in step (4) I used a Microsoft Windows Server 2003 Certificate Server to submit the CSR generated from the CSS and in step (5) I concatenated the root CA from the Certificate Server with the certificate generated from the CSR and successfully imported, set up the ssl associations, ssl-proxy-list, and had a working VIP.
Doing this validated the documented Cisco process but this same process fails when using the Verisign Managed PKI portal and I have yet to discover why.
I also tried changing the order of concatenation but that gave the same error.
03-18-2008 01:10 PM
Eric,
You could try to pick the SonicWall OS option on Verisign. We were able to use the CSR (generated from the CSS) using this option.