Transfer CSS 11503 SSL Certificate to ACE 4710

Unanswered Question
Jul 20th, 2010
User Badges:

We're converting a CSS 11503 config to the ACE 4710. Is it possible to transfer the existing SSL certificate from the 11503 to the ACE? Or, do we need to generate a new key pair and CSR on the ACE? I did some searching and the closest I came to an answer was "If you have preexisting certificates and matching key pairs, you can import them to the desired context on the ACE" but this doesn't tell me if the preexisting certificates and matching key pairs have to be from another ACE or if they can also be from a CSS. Thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
UHansen1976 Wed, 07/21/2010 - 00:28
User Badges:
  • Bronze, 100 points or more

Hi,


I've migrated numerous ssl-certificates from css to ace without any problems. As long as the certs are still valid, no need to generate new csr.


A few things you need to be aware of is, that ssl certificates are managed differently on the ace. So if you're transferring certificates in #pkcs12 format, you need to extract the individual components of the .p12-file and upload them seperately to the ace in .pem Base64 encoded DER format. OpenSSL will do the trick.


hth


/Ulrich

Sean Merrow Wed, 07/21/2010 - 19:03
User Badges:
  • Silver, 250 points or more

Hi Ulrich,


Actually, the ACE does support PKCS12.  It also supports PEM and DER.  Below is an example of how to use the PKCS12 file:


First Import the p12 file


switch/Admin# crypto import ftp passphrase password123 10.86.156.174 anonymous Server.p12 vip-cert.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.


Notice that it shows up as File Type PKCS12 and it is listed as both Key and Cert


switch/Admin# show crypto file
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
server.cer                               1391  PEM     Yes        CERT
server.key                               1675  PEM     Yes         KEY
vip-cert.p12                             2884  PKCS12  Yes        BOTH


Specifiy the same file for both the key and cert in your config


ssl-proxy service VIP
  key vip-cert.p12
  cert vip-cert.p12


Hope this helps,

Sean

UHansen1976 Thu, 07/22/2010 - 03:06
User Badges:
  • Bronze, 100 points or more

Hi Sean,


That's good news. Has the ACE always supported PCKS12-certs? When I initially deployed ACE, it didn't and I was told, that the only way to migrate the certs from the css-platform was to convert them to .pem files. When I tried to import .p12 files, the column simply said UNKNOWN (or something like that). Back then I was running A2(1.4a), today I'm running A2(2.4).


/Ulrich

Sean Merrow Thu, 07/22/2010 - 05:43
User Badges:
  • Silver, 250 points or more

Hi Ulrich,


Yes, the ACE has supported PKCS12 from the very beginning.  You can see the types from the old A1 documentation here.  The confusion on behalf of the person that told you that the cert must be broken up into separate PEM files may be the error messsage you receive if you try to import a PKCS12 file and forget to specify the passphrase.  It will allow you to import it without the passphrase specified but will complain that it is an invalid type.


Sean

Actions

This Discussion