Replaced SSL Certs do not take effect - ACE

cisco_lite · ‎01-24-2009

Hi,

I have replaced the SSL certs with the other ones on ACE module. Still the old Cert pops up while accessing the webpage via SSL proxy on ACE.

I removed ssl-proxy from policy-maps. Did 'no key', 'no cert' and then added key, cert to the ssl-proxy service and put back ssl-proxy onto the policy-map.

Is something else required to ensure the change of SSL certs.

Gilles Dufour · ‎01-25-2009

Remove the service-policy from all interfaces and re-configure it.

Gilles.

cisco_lite · ‎01-25-2009

Yes, it worked. But this option has an impact in Production. The live traffic would be affected I believe due to removing of the service policy. Any alternative ?

The 'Application Networking' forum on NetPro has slowed down quite a lot. Not many posts/exchanges are seen anymore...

Gilles Dufour · ‎01-26-2009

Do you run version A2(1.3) ?

I thought this issue to remove the policy-map was fixed in that release.

G.

cisco_lite · ‎01-26-2009

I am running the following version

Software

loader: Version 12.2[121]

system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008

Roble Mumin · ‎01-26-2009

Are the cert filenames for your old and and the new one identical? If yes, try to upload the file with different name and then change it in the config. I remember a thread where that was the issue. Usually you can easily switch the certs in you production environment.

old cert: foo-bar.cert

new cert: foo-bar09.cert

That might solve your problem. You also have to change the reference to the your cert and/or the key if that should have changed as well in the ssl-proxy part of the config.

Roble

Gilles Dufour · ‎01-27-2009

Ok, this confirms my suspicion.

This issue was fixed in A2(1.x)

You should upgrade if you do not want to have to remove the policy each time you update the certificate.