07-20-2010 02:06 PM
We're converting a CSS 11503 config to the ACE 4710. Is it possible to transfer the existing SSL certificate from the 11503 to the ACE? Or, do we need to generate a new key pair and CSR on the ACE? I did some searching and the closest I came to an answer was "If you have preexisting certificates and matching key pairs, you can import them to the desired context on the ACE" but this doesn't tell me if the preexisting certificates and matching key pairs have to be from another ACE or if they can also be from a CSS. Thank you.
07-21-2010 12:28 AM
Hi,
I've migrated numerous SSL certificates from CSS to ACE without any problems. As long as the certs are still valid, there is no need to generate a new CSR.
One thing you need to be aware of is that SSL certificates are managed differently on the ACE. So if you're transferring certificates in PKCS12 format, you need to extract the individual components of the .p12 file and upload them separately to the ACE in .pem Base64 encoded DER format. OpenSSL will do the trick.
hth
/Ulrich
07-21-2010 07:03 PM
Hi Ulrich,
Actually, the ACE does support PKCS12. It also supports PEM and DER. Below is an example of how to use the PKCS12 file:
First Import the p12 file
switch/Admin# crypto import ftp passphrase password123 10.86.156.174 anonymous Server.p12 vip-cert.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.
Notice that it shows up as File Type PKCS12 and is listed as both Key and Cert:
switch/Admin# show crypto file
Filename        File Size  File Type  Exportable  Key/Cert
-----------------------------------------------------------------------
server.cer      1391       PEM        Yes         CERT
server.key      1675       PEM        Yes         KEY
vip-cert.p12    2884       PKCS12     Yes         BOTH
Specify the same file for both the key and cert in your config:
ssl-proxy service VIP
key vip-cert.p12
cert vip-cert.p12
Hope this helps,
Sean
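Ulrich's note about extracting the components with OpenSSL and Sean's PKCS12 import steps describe the same migration from two directions: either the bundle goes to the ACE as-is, or it is split into a PEM certificate and PEM key first. The POSIX shell script below is an added example, not code from either poster or from Cisco. It splits a .p12 into the two PEM files, checks that the key still matches the certificate, and checks that the certificate has not expired before anything is uploaded. The file names and passphrase (vip-cert.p12, password123) follow Sean's post; the self-signed test material is constructed inline so the script runs without a CSS export, and it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: prepare a PKCS#12 bundle exported from the CSS for the ACE.
# Splits the .p12 into a PEM certificate and PEM key and checks the pair
# before the crypto import. File names and passphrase are placeholders.

# split_p12 <bundle.p12> <passphrase> <out-prefix>
# Writes <prefix>.cer (end-entity cert only) and <prefix>.key (unencrypted key).
split_p12() {
    bundle="$1"; pass="$2"; prefix="$3"
    # -clcerts drops any CA certs packed in the bundle; piping through
    # "openssl x509" strips the "Bag Attributes" preamble so only the PEM block remains.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$prefix.cer" 2>/dev/null || return 1
    # -nodes writes the key unencrypted (the ACE holds it in its own store);
    # -traditional gives the classic "BEGIN RSA PRIVATE KEY" form rather than PKCS#8.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -traditional -out "$prefix.key" 2>/dev/null || return 1
    chmod 600 "$prefix.key"   # private key: readable by the operator only
}

# key_matches_cert <cert.pem> <key.pem>
# Succeeds only if the public key inside the certificate equals the key's public half.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_still_valid <cert.pem>
# -checkend 0 succeeds only if the certificate is not already expired.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# make_demo_bundle <prefix> <passphrase>
# Constructed test material standing in for the CSS export: a self-signed
# cert and key, packed into <prefix>.p12 the way a CSS backup would be.
make_demo_bundle() {
    prefix="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$prefix-src.key" \
        -out "$prefix-src.cer" -days 30 -subj "/CN=vip.example.test" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$prefix-src.key" -in "$prefix-src.cer" \
        -out "$prefix.p12" -passout "pass:$pass" 2>/dev/null
}

# demo: end-to-end run on throwaway material in a temp dir; returns 0 on success.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_bundle "$d/vip-cert" password123 || return 1
    split_p12 "$d/vip-cert.p12" password123 "$d/vip-cert" || return 1
    key_matches_cert "$d/vip-cert.cer" "$d/vip-cert.key" || return 1
    cert_still_valid "$d/vip-cert.cer" || return 1
    echo "vip-cert.cer and vip-cert.key extracted; key matches cert; cert not expired"
    rm -rf "$d"
}

demo
```

The two checks are the ones worth running before touching the ACE: a key that does not match the certificate (a common result of grabbing the wrong file from an old CSS backup) only shows up as a failed handshake on the VIP, and an expired certificate is exactly the case Ulrich's "as long as the certs are still valid" excludes. The resulting .cer and .key pair is what Ulrich's post uploads as two separate files; with a working .p12 the single-file import Sean shows is the shorter route.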
07-22-2010 03:06 AM
Hi Sean,
That's good news. Has the ACE always supported PKCS12 certs? When I initially deployed ACE, it didn't, and I was told that the only way to migrate the certs from the CSS platform was to convert them to .pem files. When I tried to import .p12 files, the column simply said UNKNOWN (or something like that). Back then I was running A2(1.4a); today I'm running A2(2.4).
/Ulrich
07-22-2010 05:43 AM
Hi Ulrich,
Yes, the ACE has supported PKCS12 from the very beginning. You can see the types from the old A1 documentation here. The confusion on behalf of the person that told you that the cert must be broken up into separate PEM files may be the error message you receive if you try to import a PKCS12 file and forget to specify the passphrase. It will allow you to import it without the passphrase specified but will complain that it is an invalid type.
Sean