ACE: installing SSL Certs and Key pairs - key/cert not valid

Mar 16th, 2009

When I try to configure the ssl-proxy server I get the error message below.

Advice will be greatly appreciated.



GIN/Admin(config-pmap-c)# ssl-proxy server <name>

Error: ssl-proxy doesn't have a valid key/cert, cannot use it.


gin_cert.PEM:

Subject: <.............https://www.............Class 3 Secure Server CA>

Issuer: <...............OU=Class 3 Public Primary Certification Authority>

Not Before: Jan 19 00:00:00 2005 GMT

Not After: Jan 18 23:59:59 2015 GMT

CA Cert: TRUE



gin_sa.PEM:

Subject: <..............imap...>

Issuer: <.......................https://.............................. Class 3 Secure Server CA>

Not Before: Mar 5 00:00:00 2009 GMT

Not After: Mar 5 23:59:59 2011 GMT

CA Cert: FALSE


The above two certs are chained, and the sh command for the key files displays some text, apparently indicating the key file is OK.

JamesLuther Mon, 03/16/2009 - 08:06

Hi,


The SSL should be defined with the following syntax


ssl-proxy service <_NAME_>

key MY_KEY.PEM

cert MY_CERT.crt

ssl advanced-options SSL_PARAMS

exit



where MY_CERT's csr was generated from MY_KEY




Regards

s.srivas Mon, 03/16/2009 - 09:04

Luther,


I'm trying to configure chaingroup as I have an intermediate certificate to add to the configs.


I noticed that, even with the terminal copy/paste method, I needed the original passphrase for the key.PEM file. Should I include the passphrase with the root and intermediate .PEM files?


And is there a special way to apply the chaingroup? As I write, I noticed that I should not include the root file within the chain group, only the intermediate file.


Further, we did not use the ACE to generate the CSR. Should I configure the CSR values on the ACE too, or would the key and the root and intermediate files already have that information?

This is for SSL termination.

Any pointers to sample configs with a chaingroup and SSL termination would help.


Kind regards

Sinnathurai

Gilles Dufour Tue, 03/17/2009 - 03:17

Go from simple config to more complex.

You don't need the chaingroup initially.

So, just configure the key and your cert under the ssl-proxy.

See if that works.

Then, configure a chaingroup and add it to your existing config.


Gilles.



Massimiliano Ca... Mon, 07/11/2011 - 08:05

Hello Gilles,


once I verified the key/cert pair on the ssl-proxy service works properly, do you think the error is in the Root Certificate of the chaingroup?


Thank you

Max

Ahmad Basel Jaber Tue, 07/12/2011 - 03:47

Hi Max,


How did you import your certificate? Is it in PKCS12 format, or did you import each file separately? Have you verified the cert and the key files?


The chain group is needed when you have an intermediate certificate, so that the ACE will send the client both the intermediate cert and the root cert, and you need to apply it under the ssl-proxy service, but this should not cause the error message you are getting. If you have an intermediate cert and you did not apply the chain group under the ssl-proxy service, your clients will still be able to connect but they will get a certificate error, and if they accept the cert they will connect. So my advice is not to jump on the chain group issue and to make sure you have the correct certs.


Best regards,

Ahmad

Massimiliano Ca... Tue, 07/12/2011 - 07:34

Hi Ahmad, thank you for your help, first.


I imported both the CA root certificate (let's call it rootcert) and my certificate (mycert) via terminal separately, because I was unable to merge them in a single file (as I have always done with the CSS). So I created a chaingroup (mychain):


crypto chaingroup mychain

  cert mycert

  cert rootcert


mycert and its key (mykey) match.


If I use mycert and mykey in the ssl-proxy service, I get the warning message on the browser because the client cannot find the CA certificate.


If I configure the ssl-proxy service this way:


ssl-proxy service test

  key mykey

  chaingroup mychain


I get the error above after the "chaingroup" statement.


The rootcert I imported is the one I always used with my old CSS, without problems.


Any help will be appreciated. If you can suggest how to merge the CA root certificate and my certificate in a single file I'll be happy to leave the chaingroup method. I always put the root certificate before my certificate.


Regards,

Max.

Ahmad Basel Jaber Tue, 07/12/2011 - 07:52

Hi Max,


Remove your "mycert" from the chaingroup configuration and keep only the root certificate, then add it under the ssl-proxy service.


Ex:


crypto chaingroup mychain

   cert rootcert


ssl-proxy service test

  key mykey

  cert mycert

  no chaingroup mychain

  chaingroup mychain


Then test the functionality.


Best regards,

Ahmad
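Ahmad's advice above comes down to two checks that can be done off-box before anything is pasted into the ACE: confirm the private key really belongs to the server certificate, and confirm which file is the CA cert (chaingroup material) and which is the end-entity cert (the "cert" line under ssl-proxy service). The script below is an added example, not from this thread or from Cisco; it builds a constructed root -> intermediate -> server hierarchy with openssl under placeholder names (Constructed Root CA, imap.example.test) and then runs those checks, including a deliberately wrong key and a chain that omits the intermediate, so the failure cases are visible too.

```shell
#!/bin/sh
# Added example: openssl checks to run before importing key/cert files into an
# ACE ssl-proxy. All names and certificates here are constructed placeholders.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Generate a 2048-bit RSA private key into the file named by $1.
gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Extension profiles: CA certs get CA:TRUE, the server cert gets CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > srv.ext

# Constructed root CA (self-signed).
gen_key root.key
openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.crt 2>/dev/null

# Constructed intermediate CA, signed by the root (the "Class 3 Secure Server CA" role).
gen_key int.key
openssl req -new -key int.key -subj "/CN=Constructed Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 30 -out int.crt 2>/dev/null

# Server cert, signed by the intermediate (the "mycert" / "gin_sa.PEM" role).
gen_key server.key
openssl req -new -key server.key -subj "/CN=imap.example.test" -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -extfile srv.ext -days 30 -out server.crt 2>/dev/null

# A key that was never used for any CSR: the "wrong key" case.
gen_key other.key

# Check 1: the key file must be the one the CSR was generated from.
# Derive the public key from the private key and compare it with the
# public key embedded in the certificate; they must be byte-identical.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: is this a CA certificate (belongs in the chaingroup) or the
# end-entity certificate (belongs on the "cert" line of the ssl-proxy service)?
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Check 3: does the server cert chain up to the trusted root through the
# untrusted intermediate(s)? $1 = server cert, $2 = intermediate(s), $3 = root.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Print PASS/FAIL for a check without aborting the script.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

report key_matches_cert server.key server.crt
report key_matches_cert other.key server.crt        # wrong key: FAIL
report cert_is_ca int.crt                           # chaingroup material
report cert_is_ca server.crt                        # end-entity cert: FAIL
report chain_verifies server.crt int.crt root.crt
report chain_verifies server.crt server.crt root.crt # intermediate missing: FAIL
```

The last line mirrors the mistake in the thread: a chain that carries the server certificate instead of the CA certificate cannot be built back to the root, which is the same condition a browser reports as an untrusted certificate. The mismatch case is what the ACE's "doesn't have a valid key/cert" error points at.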

Massimiliano Ca... Tue, 07/12/2011 - 08:00

Hi Ahmad,


Thank you very much, so I got where I was wrong. Now it accepts my statements.


Once I am able to test the service I'll post my feedback here.


Thank you again

Max

Massimiliano Ca... Thu, 07/14/2011 - 03:43

Hi Ahmad,


I can confirm the chaingroup you suggested works great!


Thank you so much for your help.

Max
