09-10-2009 09:05 AM
Does anyone have procedures to create CSR on cisco ACE module?
Thanks
09-10-2009 01:27 PM
Hi Cricketbuff,
The following steps are needed to configure SSL termination on the Cisco ACE:
1. Generate or import the key.
The syntax to generate the key on the Cisco ACE follows:
crypto generate key 1024
Example: crypto generate key 1024 testkey
The syntax to import the key to the Cisco ACE follows:
crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]
2. Then generate the certificate signing request (CSR).
The CSR can either be generated externally or on the Cisco ACE.
The following are sample steps that show how to generate CSR on the Cisco ACE:
Configure CSR parameters on the Cisco ACE:
crypto csr-params test123
  country US
  state CA
  organization-unit IT
  common-name aceapp.ccc.com
  serial-number 1000
  email user@ccc.com
3. Generate CSR using key and CSR parameters:
crypto generate csr test123 testkey
3. Now transfer the CSR request to the Certificate Authority (CA) for signing.
4. Load the CA signed certificate on the Cisco ACE
The syntax to import the certificate to the Cisco ACE follows:
crypto import [non-exportable] [ ftp | sftp | tftp | terminal] [passphrase:passphrase] [ipaddr] [username] [password] [remote_filename] [local_filename]
5. If needed, chain the certificates using a chain group:
The chain consists of the certificates in the chain group, plus the configured certificate.
crypto chaingroup CCCSSLCA-group
  cert CCCSSLCA.PEM
  cert DSTROOTCA.PEM
  cert ACEAPP-CERT.PEM
6. Configure the SSL parameter map, which is used to define parameters for SSL connections:
parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
7. Configure SSL proxy service:
ssl-proxy service PSERVICE_SERVER
  key ACEKEY.PEM
  cert ACEIDM-CERT.PEM
  chaingroup CISCOSSLCA-group
  ssl advanced-options PARAMMAP_SSL
Note: When you are creating a certificate signing request (CSR) at the ACE CLI using the csr-generate command, you cannot use the space character in the State value. Workaround: Use the state abbreviation.
As in the example here, California is given by its abbreviation, CA. So use similar forms for states: only one word, without a space.
Kindly find the below-mentioned URLs for your further information:
Command line: CSR Parameters Configuration Mode Commands
Kindly rate if you find this useful.
Sachin Garg
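A check that can be run on the CSR text before it is sent to the CA, given here as an added example that is not part of the original reply: it decodes the PEM request with a small DER reader and reports the subject fields, RSA key size and signature algorithm. The function names, the 2048-bit and SHA-256 thresholds, and the sample request (built in code with dummy key and signature bytes) are assumptions of this example.

```python
import base64

OIDS = {"550406": "C", "550408": "ST", "55040b": "OU", "550403": "CN",  # DER OID bytes (hex)
        "2a864886f70d010104": "md5WithRSAEncryption",
        "2a864886f70d01010b": "sha256WithRSAEncryption"}

def children(buf):  # contents of each child element in DER content (one-byte tags)
    out, off = [], 0
    while off < len(buf):
        n, off = buf[off + 1], off + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, off = int.from_bytes(buf[off:off + k], "big"), off + k
        out.append(buf[off:off + n])
        off += n
    return out

def inspect_csr(pem):
    """Return (subject dict, RSA modulus bits, signature algorithm) of a PEM CSR."""
    b64 = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    info, sigalg, _sig = children(children(base64.b64decode(b64))[0])
    _ver, subject, spki = children(info)[:3]
    pairs = [children(atv) for rdn in children(subject) for atv in children(rdn)]
    dn = {OIDS.get(t.hex(), t.hex()): v.decode("utf-8", "replace") for t, v in pairs}
    modulus = children(children(children(spki)[1][1:])[0])[0]  # [1:] drops unused-bits byte
    sig = children(sigalg)[0].hex()
    return dn, int.from_bytes(modulus, "big").bit_length(), OIDS.get(sig, sig)

def review(pem, min_bits=2048):  # thresholds are this example's assumptions
    _dn, bits, sig = inspect_csr(pem)
    out = [f"RSA modulus is {bits} bits, below {min_bits}"] if bits < min_bits else []
    if not sig.startswith("sha256"):
        out.append(f"signature algorithm is {sig}")
    return out

def der(tag, *parts):  # small DER encoder, used only to build the constructed sample
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_pem(mod_bytes=128, sig_oid="2a864886f70d010104"):  # constructed, not a real CSR
    alg = lambda oid: der(0x30, der(0x06, bytes.fromhex(oid)), der(0x05))
    atv = lambda oid, val: der(0x31, der(0x30, der(0x06, bytes.fromhex(oid)), der(0x13, val)))
    rsa = der(0x30, der(0x02, b"\x00" + b"\xc3" * mod_bytes), der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, alg("2a864886f70d010101"), der(0x03, b"\x00", rsa))
    subj = der(0x30, atv("550406", b"US"), atv("550408", b"CA"), atv("550403", b"ace.example.test"))
    info = der(0x30, der(0x02, b"\x00"), subj, spki, der(0xA0))
    csr = der(0x30, info, alg(sig_oid), der(0x03, b"\x00" + b"\x5a" * mod_bytes))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s-----END CERTIFICATE REQUEST-----\n" % base64.encodebytes(csr).decode()
```

To check a real request, pass the text printed by `crypto generate csr` to `review()` in place of `sample_pem()`.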
09-11-2009 10:33 AM
I'll answer this in two ways: first manually and second via Application Networking Manager
(1) Manual method defined/described here: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/certkeys.html#wp1008264
this is the ACE Module SSL Configuration Guide, Managing Certificates and Keys, Generating a Certificate Signing Request
(2) ANM method defined/described here:
this is the ANM User Guide, Configuring SSL, Generating CSRs
Cheers,
David K.