cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3586
Views
10
Helpful
9
Replies

ACE: installing SSL Certs and Key pairs - key/cert not valid

s.srivas
Level 1
Level 1

When I try to configure ssl-proxy server i get error message as below.

Advice will be greatly appriciated.

GIN/Admin(config-pmap-c)# ssl-proxy server <name>

Error: ssl-proxy doesn't have a valid key/cert, cannot use it.

gin_cert.PEM:

Subject: <.............htt>

<ps://www.............Class 3 Secure Server CA>

<Issuer: ...............OU=Class 3 Public Primary Certification Authority>

Not Before: Jan 19 00:00:00 2005 GMT

Not After: Jan 18 23:59:59 2015 GMT

CA Cert: TRUE

gin_sa.PEM:

Subject: <..............imap...>

Issuer: <.......................http>

<s://.............................. Class 3 Secure Server CA>

Not Before: Mar 5 00:00:00 2009 GMT

Not After: Mar 5 23:59:59 2011 GMT

CA Cert: FALSE

The above two certs are chained, and sh command for key files displays some text, apparently indicating key file is ok.

9 Replies 9

JamesLuther
Level 3
Level 3

Hi,

The SSL should be defined with the following syntax

ssl-proxy service <_NAME_>

key MY_KEY.PEM

cert MY_CERT.crt

ssl advanced-options SSL_PARAMS

exit

where MY_CERT's csr was generated from MY_KEY

Regards

Luther,

I'm trying to configure chaingroup as I have an intermediate certificate to add to the configs.

I noticed, even with terminal copy/paste method, i needed the original passphrase for key.PEM file. should i include the passphrase with root and intermediate .PEM files?

and is there a special way to apply chaingroup. as I write i noticed that I should not include the root file within chain group. only the intermediate file in the chain group.

Further, we did not use the ACE to generate CSR. Should I configure the CSR values to ACE too, or the key and root and intermediate files would have that information already.

for SSL termination.

any pointers to a sample configs with chaingroup and SSL termination would help.

Kind regards

Sinnathurai

Go from simple config to more complex.

You don't need the chaingroup initially.

So, just configure the key and your cert under the ssl-proxy.

See if that works.

Then, configure a chaingroup and add it to your existing config.

Gilles.

Hello Gilles,

once I verified the key/cert pair on the ssl-proxy service works properly, do you think the error is in the Root Certificate of the chaingroup?

Thank you

Max

Hi Max,

How you imported your certificate? Is it PKCS12 format or you imported each file separately? Have you verified the cert and the key files?

The group chain is needed when you have intermediate certificate so the ACE will send the client both the

intermediatecert and the root cert, and you need to apply it under the ssl-proxy service, but this should not cause the error message you are getting. If you have intermediate cert and you did not apply the chain group under the ssl-proxy service your clients will still be able to connect but they will be getting certificate error, and if they accept the cert they will connect. So my advice is not to jump on the group chain issue and make sure you have the correct certs.

Best regards,

Ahmad

Hi Ahmad, thank you for your help, first.

I imported both CA root certificate (let's call it rootcert) and my certificate (mycert) via terminal separately, because I was unable to merge them in a single file (as I always done with CSS). So I created a chaingroup (mychain):

crypto chaingroup mychain

  cert mycert

  cert rootcert

mycert and its key (mykey) match

If I use mycert and mykey in the ssl-proxy service, I get the warning message on the browser because the client cannot find the CA certificate.

If I configure the ssl-proxy service this way:

ssl-proxy service test

  key mykey

  chaingroup mychain

I get the error above after the "chaingroup" statement.

The rootcert I imported is the one I always used with my old CSS, without problems.

Any help will be appreciated. If you can suggest how to merge CA root certificate and my certificate in a single file I'll be happy to leave the chaingroup method. I always put the root certificate before my certificate

Regards,

Max.

Hi Max,

Remove your "mycert" from the chaingroup configuration and keep only the root certificate, then add it under the ssl-proxy service.

Ex:

crypto chaingroup mychain

   cert rootcert

ssl-proxy service test

  key mykey

  cert mycert

  no chaingroup mychain

  chaingroup mychain

Then test the functionality.

Best regards,

Ahmad

Hi Ahmad,

Thank you very much, so I got where I was wrong. Now it accepts my statements.

Once I'll be able to test the service I'll post my feedback here.

Thank you again

Max

Hi Ahmad,

I can confirm the chaingroup you suggested works great!

Thank you so much for your help.

Max

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: