ACE SSL chaingroup configuration

Answered Question
Oct 5th, 2009

Hi all

I am doing SSL server termination on an ACE module on a 6500 switch. I have an SSL certificate right now from VeriSign (got it after pasting the CSR on the VeriSign site). I need to create a chaingroup for connections with all client browsers. The Cisco site says I need to have an intermediate certificate also for that. They show a link to "http://www.verisign.com/support/install/intermediate.html" to get the intermediate certificate.

My question is, is this intermediate certificate common for all global certificates? Or do I need to get one that is associated with the main certificate I got from VeriSign? Any help in this regard will be greatly appreciated.

Kind regards

Ullas

sachinga.hcl Mon, 10/05/2009 - 16:28

Hi Ullas Upendran,

A chain group specifies the certificate chains that the ACE sends to its peer during the handshake. A certificate chain is a hierarchical list of certificates that includes the subject's certificate, the root CA certificate, and any intermediate CA certificates. Using the information provided in a certificate chain, the certificate verifier can search for a trusted authority in the certificate hierarchy back to the root CA. The verifier may find what it considers a trusted authority before reaching the root CA certificate, in which case the verifier stops searching.

But as per my understanding

The ACE supports the following certificate chain group capabilities:

• A chain group can contain up to eight certificate chains.

• Each context on the ACE can contain up to eight chain groups, which means 8*8 certificate chains.

• By default, your ACE provides an Admin context and five user contexts, which allows you to use multiple contexts if you choose to configure them. To increase the number of user contexts up to a maximum of 20, you must obtain a separate license from Cisco Systems.

So the total number of chaingroups that can be used is 8*20=160.

And the number of virtual servers is 1024.

SSL proxy termination service allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients.

So

1. SSL proxy service = (SSL parameter map (SSL version, cipher suites, close-protocol, session ID reuse timeout, query delay), client authentication, key pair file, CRL retrieval, certificate file, chain group)

2. Class maps = (Layer 3 and Layer 4 match criteria applied to inbound traffic) = contains = virtual IP address, source address, destination address, access list, port, any

Policy maps = contains (1+2), i.e. (SSL proxy service + class maps)

So you define the virtual server IP in class maps and chain groups in the SSL proxy service.

They will work when you combine both inside a policy map (for Layer 3/Layer 4).

Policy maps ---> apply globally to all VLANs in a context (a context can contain 8 chain groups).

You can specify the certificate chain that the ACE sends to its peer ACE during the SSL handshake by using the chaingroup command.

So this chain group is assigned to the whole context, and inside the context any number of virtual servers use the same chain group.

You can configure chain groups for the context in an ACE using the SSL proxy service only.

All the virtual servers inside the context use the one chain group service.

Select Config > Devices > context > SSL > Chain Group Parameters. The Chain Group Parameters table appears.

SSL termination refers to configuring an ACE context for a front-end application in which the ACE operates as an SSL server that communicates with a client. When you create a Layer 3 and Layer 4 policy map to define the flow between an ACE and a client, the ACE operates as a virtual SSL server by adding security services between a web browser (the client) and the HTTP connection (the server). All inbound SSL flows from a client terminate at the ACE.

In the ANM, a viable virtual server has the following attributes:

• A default Layer 7 action

• A Layer 3/Layer 4 class map

• The virtual server multi-match policy map is associated with an interface or is global.

The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map.

After the connection is terminated, the ACE decrypts the ciphertext from the client and sends the data as clear text to an HTTP server.

You do not need to assign a different chaingroup to every virtual server.

Sachin Garg

ullasupendran Sat, 10/10/2009 - 11:50

Hi sachin

Thanks for the reply. My question was very specific to the intermediate certificate and whether it's associated with the global certificate. The Cisco site was showing a generic link to the intermediate certificate, which is given in my above post. Is that the one to install in the chaingroup along with the global cert? Or do I need to get one specifically from VeriSign for the current cert I have?

Kind regards

Ullas

Correct Answer
yuya25 Wed, 10/14/2009 - 06:48

Hi Ullas:

Usually VeriSign sends you a link to get the intermediate certificate in the same e-mail where they send you your certificate. I think there is only one intermediate certificate, but it depends on the kind of certificate you are receiving from them. The link that I use is the following.

http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html

Regards,

Judith Gonzalez :-)
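The check behind this answer, as an added example that is not part of the thread or of any Cisco or VeriSign material: the intermediate that belongs in the chaingroup is the one whose subject is exactly the issuer of your server certificate, and `openssl verify` must be able to build server -> intermediate -> root with it. So that it runs offline, the script first builds a constructed three-tier demo PKI with the openssl CLI (Demo Root CA, Demo Intermediate CA, a second "other" intermediate standing in for a generic download that does not match, and a server cert for www.example.test; every name and path is assumed), then runs the same two checks against both intermediates. On a real certificate you would point `check_intermediate` at the PEM files from VeriSign instead of the generated ones.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): decide whether a candidate
# intermediate is the one that issued a server certificate before importing it
# into an ACE chaingroup. Requires the openssl CLI. All names are constructed.
set -e

WORK="${TMPDIR:-/tmp}/ace-chain-demo.$$"
EXT="$WORK/ext.cnf"

# Minimal openssl config: empty DN section (subjects come from -subj) plus
# the extensions real CA and server certificates carry.
write_ext_file() {
  mkdir -p "$WORK"
  cat > "$EXT" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# issue_cert NAME SUBJECT ISSUER SECTION: new RSA key + CSR for NAME, signed by ISSUER
issue_cert() {
  name="$1"; subj="$2"; issuer="$3"; section="$4"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" -config "$EXT" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$EXT" -extensions "$section" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Constructed PKI: root -> intermediate -> server, plus an unrelated intermediate
build_demo_pki() {
  write_ext_file
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -config "$EXT" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  issue_cert intermediate "/CN=Demo Intermediate CA" root v3_ca
  issue_cert other-intermediate "/CN=Demo Other Intermediate CA" root v3_ca
  issue_cert server "/CN=www.example.test" intermediate v3_server
}

# cert_field (-subject|-issuer) FILE: the DN with the "subject=" / "issuer=" prefix stripped
cert_field() {
  openssl x509 -noout "$1" -in "$2" | sed 's/^[^=]*= *//'
}

# issuer_matches SERVER CANDIDATE: 0 if CANDIDATE's subject is SERVER's issuer
issuer_matches() {
  [ "$(cert_field -issuer "$1")" = "$(cert_field -subject "$2")" ]
}

# chain_verifies SERVER CANDIDATE ROOT: 0 if openssl builds the path a browser
# must build, using CANDIDATE as the untrusted link and ROOT as the trust anchor
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# check_intermediate SERVER CANDIDATE ROOT: both checks, with a one-line verdict
check_intermediate() {
  if ! issuer_matches "$1" "$2"; then
    echo "NO: server issuer is '$(cert_field -issuer "$1")' but candidate subject is '$(cert_field -subject "$2")'"
    return 1
  fi
  if ! chain_verifies "$1" "$2" "$3"; then
    echo "NO: chain does not verify up to $(basename "$3")"
    return 1
  fi
  echo "OK: $(basename "$2") issued $(basename "$1"); this is the one for the chaingroup"
  return 0
}

build_demo_pki
check_intermediate "$WORK/server.pem" "$WORK/intermediate.pem" "$WORK/root.pem"
check_intermediate "$WORK/server.pem" "$WORK/other-intermediate.pem" "$WORK/root.pem" || true
```

The candidate that passes both checks is the file to import on the ACE and reference from the chaingroup; the server certificate and its key stay in the SSL proxy service, as Sachin describes above. The second call shows the failure mode Ullas was worried about: an intermediate from the wrong product line fails the issuer comparison before `openssl verify` is even reached, and a browser presented with that chain would fail in the same way.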
