CSS cannot activite service, please help

Unanswered Question
Jun 11th, 2009
User Badges:

CSS11500# show service ssl_serv1

Name: ssl_serv1 Index: 26

Type: Ssl-Accel State: Susp/Init

Rule ( ANY ANY )

Session Redundancy: Disabled

SSL-Accel slot: 4

Session Cache Size: 10000

Redirect Domain:

Redirect String: (null)

Keepalive: (NONE 5 3 5 )

Keepalive Encryption: Disabled

Last Clearing of Stats Counters: 12/15/2006 00:02:54

Mtu: 1500 State Transitions: 0

Total Local Connections: 0 Total Backup Connections: 0

Current Local Connections: 0 Current Backup Connections: 0

Total Connections: 0 Max Connections: 65534

Total Reused Conns: 0

Weight: 1 Load: 255

Weight Reporting: None

SSL Proxy Lists:

1: ssl_list1-Suspended


CSS506INT4(config-ssl-proxy-list[ssl_list1])# active

Error in ssl-server 1: RSA Cert/Key Verify

CSS506INT4(config-service[ssl_serv1])# active

%% No active ssl-lists on service, service not activated.


- The ssl-lists can't activite due to Error in ssl-server 1: RSA Cert/Key Verify, and the configuration is:

ssl-proxy-list ssl_list1

ssl-server 1

ssl-server 1 vip address 192.168.x.x

ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.x.x 80

ssl-server 1 rsakey xxxxxx

ssl-server 1 rsacert xxxxxx

Please help asap.. thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kristopher Martinez Fri, 06/12/2009 - 08:43
User Badges:
  • Cisco Employee,

It appears you have a key/cert mismatch. Have you issued the following command on the CSS:

(config)# ssl verify myrsacert1 myrsakey1

You should get "Certificate and key match"

If not, you will need to import a matching key and certificate.



hfma_hk09 Sun, 06/14/2009 - 17:40
User Badges:

Thanks, Kris. Your assumption is correct, the following result is found:

%% Certificate and key do not match

Since I am not familer with CSS, would you please let me know how to import/generate the key and cert?

Thank you very much..


This Discussion