Configuring SSL termination on ACE

Sep 19th, 2008


Can someone explain what the SSL proxy service is used for?

Also, please give a one liner description of the below entries.

ssl-proxy service PSERVICE_SERVER



chaingroup CISCOSSLCA-group

ssl advanced-options PARAMMAP_SSL

Lastly, why is the PEM extension used for the certificate? Can other extensions, like CER, be used as well?


Correct Answer by Syed Iftekhar Ahmed about 8 years 2 days ago

I don't think PEM is supported on IIS.

But you can easily convert these to PEM using OpenSSL.

Following link will give you the needed steps

Syed Iftekhar Ahmed

Syed Iftekhar Ahmed Fri, 09/19/2008 - 13:39

SSL proxy server is used to define the server certs, Intermediate certs (if any - using chaingroup) and RSA Key pairs that should be used to Offload SSL.

Following will be the line by line description

key ACEKEY.PEM <-- Use ACEKEY.PEM named RSA key to offload request

cert ACEIDM-CERT.PEM <-- Use this server certificate to offload SSL request

chaingroup CISCOSSLCA-group <-- Use this chain group to complete Cert chain. This chain group is configured separately and it carries all the intermediate certs needed to complete the certificate chain.

ssl advanced-options PARAMMAP_SSL <-- This SSL type parameter map is also created separately and it includes the supported SSL version and SSL ciphers

If you don't use SSL type parameter type then by default ACE supports all ciphers & all SSL versions.

ACE supports PEM, DER & PKCS12 formats. You can use any extensions as long as the certs follow one of the above mentioned standards.


new_networker Sat, 09/20/2008 - 04:33


If we were to use an SSL certificate on an ACE module for, let's say, six months and then we replace the ACE module, can the same certificate be used in the newly installed ACE module, or would a new SSL certificate be required?


Syed Iftekhar Ahmed Sat, 09/20/2008 - 05:07

No worries..

You can export the RSA keypair and Certificates from one ACE and can import it to another ACE.


new_networker Mon, 09/22/2008 - 05:27

In reference to your previous post, does the SSL proxy service need to be a dedicated server required to hold the server certificates?

Syed Iftekhar Ahmed Mon, 09/22/2008 - 11:46

It's just a configuration object defined on ACE that holds the relevant SSL objects (cert, key, cert chain, allowed ciphers..). You can have multiple SSL proxy services that can be used by ACE to offload traffic for different applications.


new_networker Wed, 10/22/2008 - 03:30


Once I generate the key, how can I list it in the ACE file system?

I believe the key will be added from the local file system on ACE.

Also, it is ok that the key is in PEM format and the Certificate is in DER format.

Syed Iftekhar Ahmed Wed, 10/22/2008 - 10:26

show crypto files

will show you all keys & certs on ACE.

Using openssl you can easily convert pem-->DER and vice versa.

Syed Iftekhar Ahmed
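
The conversion and the mixed-format case discussed above (key in PEM, certificate in DER), as an added example that is not part of the original thread: it identifies a certificate's encoding from its content rather than its extension, converts between PEM and DER with the openssl command line, and checks that a key and certificate belong together before they are imported. The function names, file names and the test CN are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, file names and the CN are constructed.

# Report a certificate's encoding from its content, ignoring the extension.
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
    echo DER
  else
    echo unknown
  fi
}

# Usage: cert_convert IN INFORM OUT OUTFORM   (formats: PEM or DER)
cert_convert() {
  openssl x509 -in "$1" -inform "$2" -out "$3" -outform "$4"
}

# Usage: key_matches_cert KEY_PEM CERT CERT_FORMAT
# Succeeds only when the certificate carries the private key's public half.
key_matches_cert() {
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -inform "$3" -noout -pubkey 2>/dev/null) || return 1
  [ "$from_key" = "$from_cert" ]
}

# Usage: make_test_pair KEY_OUT CERT_OUT
# Throwaway self-signed pair so the functions can be tried offline.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ace-test.example" -keyout "$1" -out "$2" 2>/dev/null
}

demo() {
  d=$(mktemp -d) || return 1
  make_test_pair "$d/key.pem" "$d/cert.pem" || return 1
  cert_convert "$d/cert.pem" PEM "$d/cert.cer" DER || return 1
  echo "cert.cer is $(cert_format "$d/cert.cer")"
  key_matches_cert "$d/key.pem" "$d/cert.cer" DER && echo "key matches cert"
  rm -rf "$d"
}
demo
```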

new_networker Wed, 10/22/2008 - 10:38

Would you know whether MS IIS - Certificate Authority supports PEM format?

I can only see PKCS and DER.

