Can ACE produce a self signed certificate?

g.eleftheriou
Level 1

Hi people,

I have used ACE to create a CSR, then sent it to Verisign and installed the signed certificate on ACE so that it acts as SSL-proxy termination.

But now I want to know if it's possible for ACE to create a self-signed certificate (instead of sending it to Verisign to sign it).

Can this be done?

thanks,

george

6 Replies

sachinga.hcl
Level 4

Hi George,

As far as I know, there is no option to sign your certificates from ACE. You'll have to create keys and certificates on a separate device using OpenSSL and then import them into the ACE module.

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example#Using_OpenSSL_to_Generate_a_Self_Signed_Certificate

We've just upgraded our ACEs to A2(3.2) and it looks like this version has a self-signed cert. Is this legit, similar to the one available on BigIP?

Thanks..

The purpose of a certificate is not just to encrypt data.

It is also to authenticate the server - guarantee that you are indeed communicating with the correct server.

A self-signed certificate will achieve part 1 (encryption) but not guarantee part 2.

Only Certificate Authorities like Verisign can get you a certificate to achieve part 2.

Therefore a self-signed certificate is never legitimate !!! Even the BigIP one is not a legitimate certificate.

But you can achieve encryption using it.

Gilles.
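As an added example that is not part of this thread: the off-box OpenSSL step sachinga.hcl points to (generate the key and self-signed certificate elsewhere, then import the PEM files into ACE), followed by two checks that make Gilles' point concrete, since a self-signed cert is its own issuer and passes a trust check only when you pin it as trusted yourself. It assumes the openssl CLI is on PATH; the hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-vip.example.internal}"   # placeholder VIP hostname, not from the thread

# Key + self-signed cert in one step: 2048-bit RSA, SHA-256, valid 365 days.
# The two PEM files are what you would import into ACE afterwards.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$CN" \
        -keyout "$WORK/selfsigned-key.pem" \
        -out "$WORK/selfsigned-cert.pem" >/dev/null 2>&1
    echo "$WORK/selfsigned-cert.pem"
}

# A self-signed certificate has issuer == subject. Prints yes or no.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] && echo yes || echo no
}

# Trust check with no CA store at all: nobody vouches for the cert, so it fails.
# This is what a client sees before anyone has manually trusted the cert.
verify_untrusted() {
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Trust check with the cert itself pinned as the trust anchor: passes. That
# manual pinning on every client is exactly what a CA-signed cert spares you.
verify_pinned() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

cert=$(make_self_signed)
echo "files for ACE import: $WORK/selfsigned-key.pem $cert"
echo "issuer == subject (self-signed): $(is_self_signed "$cert")"   # yes
echo "verify with no trust store:      $(verify_untrusted "$cert")" # fail
echo "verify with cert pinned:         $(verify_pinned "$cert")"    # ok
```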

axfalk,

Could you please post the syntax on how to self sign a cert in ACE?

Regards,

John...

You can't sign a certificate from ACE.

All you get is a sample key/cert.

Do a 'show crypto files' to find them:

cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY

Gilles.

I must have misunderstood the previous post. If all there is, is a sample key/cert, then this does me no good. It would be more convenient to sign the cert/key within ACE than have to go to a Linux server for this action.

Regards,

John...
