How to generate a CSR on Cisco ACE blade

Unanswered Question
Sep 10th, 2009

Does anyone have procedures to create CSR on cisco ACE module?

Thanks

sachinga.hcl Thu, 09/10/2009 - 13:27

Hi Cricketbuff,

The following steps are needed to configure SSL termination on the Cisco ACE:

1. Generate or import the key.

The syntax to generate the key on the Cisco ACE follows:

crypto generate key 1024

Example: crypto generate key 1024 testkey

The syntax to import the key to the Cisco ACE follows:

crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]

2. Then generate the certificate signing request (CSR).

The CSR can either be generated externally or on the Cisco ACE.

The following are sample steps that show how to generate CSR on the Cisco ACE:

Configure CSR parameters on the Cisco ACE:

crypto csr-params test123
  country US
  state CA
  organization-unit IT
  common-name aceapp.ccc.com
  serial-number 1000
  email user@ccc.com

3. Generate CSR using key and CSR parameters:

crypto generate csr test123 testkey

3. Now transfer the CSR to the Certificate Authority (CA) for signing.

4. Load the CA signed certificate on the Cisco ACE

The syntax to import the certificate to the Cisco ACE follows:

crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]

5. If needed, chain the certificates using a chain group:

The chain consists of the certificates in the chain group, plus the configured certificate.

crypto chaingroup CCCSSLCA-group
  cert CCCSSLCA.PEM
  cert DSTROOTCA.PEM
  cert ACEAPP-CERT.PEM

6. Configure the SSL parameter map, which is used to define parameters for SSL connections:

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_AES_128_CBC_SHA priority 2

7. Configure SSL proxy service:

ssl-proxy service PSERVICE_SERVER
  key ACEKEY.PEM
  cert ACEIDM-CERT.PEM
  chaingroup CISCOSSLCA-group
  ssl advanced-options PARAMMAP_SSL

Note: When you are creating a certificate signing request (CSR) at the ACE CLI using the csr-generate command, you cannot use the space character in the State value. Workaround: Use the state abbreviation.

As in the example here, California is given by its abbreviation, CA. So use similar forms for states: only one word, without a space.

Kindly find below mentioned URL for your further information :

1. http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

2. http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_One_Arm_Mode_Configuration_Example

3. http://cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/certkeys.html

4. Command line: CSR Parameters Configuration Mode Commands
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/csrparam.html

Kindly rate if you find this useful.

Sachin Garg
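
An added example, not part of either reply and not Cisco's code: a small Python check that reads the key and CSR commands from the steps above before they are typed into the ACE, and flags the space-in-state limitation from the note, a country value that is not a two-letter code, and a CSR that refers to a key or csr-params name not defined in the same text. The 2048-bit RSA floor and the function names are assumptions of this example, and it assumes the key is generated on the ACE rather than imported.

```python
import re

# Constructed sample: commands from the post above, with a two-word state
# value substituted to trigger the limitation described in its note.
SAMPLE = """\
crypto generate key 1024 testkey
crypto csr-params test123
  country US
  state New York
  common-name aceapp.ccc.com
crypto generate csr test123 testkey
"""

MIN_RSA_BITS = 2048  # assumption: common current minimum, not from the post

def parse(text):
    """Return (keys, csr_param_sets, csr_requests) found in the commands."""
    keys, params, requests, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto "):
            current = None  # a new crypto command ends any csr-params block
        if m := re.fullmatch(r"crypto generate key (\d+) (\S+)", line):
            keys[m.group(2)] = int(m.group(1))
        elif m := re.fullmatch(r"crypto csr-params (\S+)", line):
            current = params.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"crypto generate csr (\S+) (\S+)", line):
            requests.append(m.groups())
        elif current is not None and line:
            name, _, value = line.partition(" ")
            current[name] = value.strip()
    return keys, params, requests

def lint(text):
    """List problems worth fixing before the CSR goes to the CA."""
    keys, params, requests = parse(text)
    issues = []
    for name, bits in keys.items():
        if bits < MIN_RSA_BITS:
            issues.append(f"key {name}: {bits}-bit RSA is below {MIN_RSA_BITS}")
    for name, fields in params.items():
        if " " in fields.get("state", ""):
            issues.append(f"csr-params {name}: state value contains a space")
        if not re.fullmatch(r"[A-Z]{2}", fields.get("country", "")):
            issues.append(f"csr-params {name}: country is not a 2-letter code")
    for pset, key in requests:
        if pset not in params or key not in keys:
            issues.append(f"generate csr {pset} {key}: name not defined above")
    return issues
```

Calling `lint(SAMPLE)` returns two findings: the 1024-bit key and the state value with a space.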

dkirsch Fri, 09/11/2009 - 10:33

I'll answer this in two ways: first manually and second via Application Networking Manager.

(1) Manual method defined/described here: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/certkeys.html#wp1008264

This is the ACE Module SSL Configuration Guide, Managing Certificates and Keys, Generating a Certificate Signing Request.

(2) ANM method defined/described here:

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/application_networking_manager/2.2/user/guide/ug_ssl.html#wp1054987

This is the ANM User Guide, Configuring SSL, Generating CSRs.

Cheers,

David K.
