ACE module - end-to-end SSL

deephazz02
Level 1

Hello,

I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage. I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there were too many lines.

I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".

Is there any clear documentation on how to configure an end to end SSL ?

I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.

I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.

Did anybody come across the same issues on the first time configuring end-to-end ssl with ACE?


Gilles Dufour
Cisco Employee

Before configuring ssl, you need to properly import the key and cert.

Can you try with FTP ?

"crypto import ftp 192.168.30.27 cisco key.pem key.pem"

Is your key a pem file ?

Documentation for key management here :

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/ssl/guide/certkeys.html

Gilles.

Hello,

I have a certificate and a key but once imported they failed the verify command.

Actually what I don't understand is what kind of configuration I should apply for the ACE to behave as a "regular" ssl client.

I imported a cert then generated a key but the key and the cert did not pair (using the crypto verify command)

I am a bit confused with the process of generating the key, I thought the creation of the key was a part of the SSL handshake... How could I create a valid key prior to starting a ssl handshake?

Regards,

Thibault.

just don't know where to start.

I feel like you do not have the right key/cert.

This would be the very first thing to verify.

Where did you get your key and cert ?

What certificate authority signed your certificate ?

The creation of the session key requires the use of an RSA key pair (private/public).

Every server must have a public and a private key associated with a certificate signed by a certificate authority.

If you're not familiar with those concepts, configuring an SSL offloader like ACE won't be easy.

Maybe you should start by reading on the subject from various articles available on the web.

openssl is a great tool to generate keys and certificates.

I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.

Then import everything into ACE.

Once you have valid key/cert we can continue with the configuration.

Gilles
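
The starting point suggested in the reply above (create your own RSA key pair and a self-signed certificate with openssl, then confirm they pair before importing), as an added example that is not part of the original thread. File names and the CN are constructed, and the modulus comparison is an offline openssl check, not the ACE's own `crypto verify`.

```shell
#!/bin/sh
# Added example: file names and the subject CN below are constructed.

# Create an unencrypted PEM RSA key and a self-signed certificate for it.
make_pair() {  # usage: make_pair <key.pem> <cert.pem> <common-name>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Hash of the RSA modulus: identical for a certificate and its own private key.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }
key_modulus()  { openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256; }

# Return 0 if the key pairs with the certificate, 1 if it does not,
# 2 if the file does not parse as an RSA private key at all.
pair_matches() {  # usage: pair_matches <cert.pem> <key.pem>
    openssl rsa -noout -in "$2" >/dev/null 2>&1 || return 2
    [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d/key.pem" "$d/cert.pem" vip.example.test || return 1
    # A key generated separately from the certificate, as in the question.
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    for k in key.pem other.pem; do
        if pair_matches "$d/cert.pem" "$d/$k"; then
            echo "$k: pairs with cert.pem"
        else
            echo "$k: does NOT pair with cert.pem"
        fi
    done
    rm -rf "$d"
}
demo
```

A key generated on its own after the certificate was issued never pairs with it; the private key has to be the one whose public half the certificate was built from.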
