08-26-2010 04:38 AM
Hi,
I'm after some guidance as to how to renew a Thawte server certificate on a pair of CSS11503 devices.
My customer has received the certificate from Thawte and it's in .pxf format. He said that when they last renewed they didn't need to generate a CSR, so looking at Thawte's web site I'm assuming this means that the CSR is re-signable within their system.
The documentation on CCO states that I then need to copy the file onto the CSS.
My first query is, will I be able to copy a .pxf file onto the CSS, as from the syntax it looks like the device is expecting a PEM file?
The next query I have is, how do I know what is inside a .pxf file? Do I need to contact Thawte, or is the .pxf format always just a certificate?
This question refers to this paragraph in the docs:
"After you import or generate certificate and key pair files, you must indicate to the CSS whether these files contain certificates, private keys, or Diffie-Hellman parameters. You do this by associating certificate names, private/public key pair names, or Diffie-Hellman parameter names with the particular imported files"
If anyone can give me any pointers on this I'd appreciate it
Many Thanks, Dom
08-29-2010 07:19 PM
Dom
If you want to be able to roll back, I recommend you copy and associate the new cert under a different name, as below.
copy ssl ftp DEFAULT_FTP import LoadBalancer_new.pfx PKCS12 "password" "password"
(config)# ssl associate cert *.mysite.co.uk_new LoadBalancer_new.pfx
(config)# ssl associate rsakey *.mysite.co.uk_new LoadBalancer_new.pfx
If you run into a problem, you can roll back the cert by changing the ssl-proxy-list only.
The following are the steps to import and apply the new cert, and the rollback config.
## initial config
!*************************** GLOBAL ***************************
ssl associate rsakey oldkey old.p12
ssl associate cert oldcert old.p12
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
ssl-server 1
ssl-server 1 vip address 192.168.77.100
ssl-server 1 cipher rsa-export-with-rc4-40-md5 192.168.77.100 80
ssl-server 1 rsakey oldkey
ssl-server 1 rsacert oldcert
active
## import the new cert
CSS11503# copy ssl ftp DEFAULT_FTP import new.p12 PKCS12 "cisco" "cisco"
CSS11503# conf t
CSS11503(config)# ssl associate rsakey newkey new.p12
CSS11503(config)# ssl associate cert newcert new.p12
CSS11503(config)# ssl-proxy-list test
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsakey newkey
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsacert newcert
CSS11503(config-ssl-proxy-list[test])# sus <<== Even when the ssl-proxy-list is suspended, existing connections are not disconnected and the CSS keeps using the old cert. When the 'active' command is issued, existing connections are disconnected and the new key and cert are loaded on the CSS.
CSS11503(config-ssl-proxy-list[test])# act
## new config
!*************************** GLOBAL ***************************
ssl associate rsakey oldkey old.p12
ssl associate cert oldcert old.p12
ssl associate rsakey newkey new.p12
ssl associate cert newcert new.p12
ftp-record DEFAULT_FTP 1.160.0.52 root des-password ig5haaufqbnfuarb /tftpboot/webns
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
ssl-server 1
ssl-server 1 vip address 192.168.77.100
ssl-server 1 cipher rsa-export-with-rc4-40-md5 192.168.77.100 80
ssl-server 1 rsakey newkey
ssl-server 1 rsacert newcert
active
If the CSS works fine after activating the ssl-proxy-list, you can remove the old cert.
If the CSS doesn't work, you can roll back with the following config.
CSS11503# conf t
CSS11503(config)# ssl-proxy-list test
CSS11503(config-ssl-proxy-list[test])# no ssl-server 1 rsakey
CSS11503(config-ssl-proxy-list[test])# no ssl-server 1 rsacert
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsakey oldkey
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsacert oldcert
CSS11503(config-ssl-proxy-list[test])# sus
CSS11503(config-ssl-proxy-list[test])# act
Regards,
Yuji
08-26-2010 07:14 PM
I'm not sure about the .pxf format. Do you mean a Personal Information Exchange (PFX) file?
If so, you can import this file in PKCS12 format.
--
.pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g, with PFX files generated in IIS)
http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions
--
To copy this file onto the CSS, issue the 'copy ssl' command as below.
CSS11503# copy ssl ftp DEFAULT_FTP import pkcs.p12 PKCS12 "cisco" "cisco"
DEFAULT_FTP  : ftp record
pkcs.p12     : cert file
first cisco  : the password used to DES-encode the file
second cisco : the pass-phrase used to protect the contents of the file
For more detail regarding 'copy ssl' command, please refer to the following URL.
After importing, you can see the file as below.
CSS11503(config)# show ssl files
File Name          File Type   File Size
----------------   ---------   ------------
rsakey             PEM         887
rsacert            PEM         1050
pkcs.p12           PKCS12      2389   <<==
To verify the cert file on your PC, install openssl and issue the 'openssl pkcs12' command as below.
You can confirm the cert and the key.
# openssl pkcs12 -in pkcs.p12
Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: 63 D4 36 FB 69 E1 DC 76 AD 38 0B 18 87 E7 63 28 46 35 73 BE
issuer=/C=JP/ST=Tokyo/L=Shinjuku/O=cisco/OU=TAC/CN=yushimaz/emailAddress=yushimaz@cisco.com
-----BEGIN CERTIFICATE----- <<== cert
MIIDEjCCAnsCCQDr6c7BldcySTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
[snip]
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 63 D4 36 FB 69 E1 DC 76 AD 38 0B 18 87 E7 63 28 46 35 73 BE
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY----- <<== private key
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,426191720D232453
JV5+HCfNgJtXg01lJ2pe1baQHaTK8kOFEHNIw9jbmZpiPsTIHfbmHScQuII6yciR
[snip]
-----END RSA PRIVATE KEY-----
#
Regards,
Yuji
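The 'openssl pkcs12' listing above shows what is in the bundle, but it does not by itself prove that the key and the certificate belong together, or that the certificate you are about to import is the renewed one rather than the expiring one. The script below is an added example (not from this thread or Cisco's documentation) that checks exactly that with the openssl CLI before you run 'copy ssl ... PKCS12'. It assumes a local 'openssl' binary; the bundle it builds, the CN 'demo.example.test' and the password 'secret' are constructed for the demo and are not the poster's LoadBalancer.pfx.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a PKCS#12 bundle with the
# openssl CLI before importing it with 'copy ssl ... PKCS12'. Assumes a local
# 'openssl' binary. The bundle, names and password are constructed for the
# demo; they are not the poster's LoadBalancer.pfx.

# End-entity cert from the bundle ($1) using import password ($2),
# normalised to a bare PEM block (bag attributes stripped).
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Private key from the bundle, unencrypted PEM. It only ever lives in a
# pipe here; do not write it to disk on a shared box.
p12_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey 2>/dev/null
}

# Subject, issuer and expiry: compare these against the renewal you ordered
# and the name you will give to 'ssl associate cert'.
p12_cert_info() {
    p12_cert "$1" "$2" | openssl x509 -noout -subject -issuer -enddate 2>/dev/null
}

# 0 if the key in the bundle really belongs to the cert (same public key).
# Also fails on a wrong password, because no cert can be extracted.
p12_key_matches_cert() {
    cert_pub=$(p12_cert "$1" "$2" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(p12_key "$1" "$2" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the cert is still valid $3 seconds from now (catches importing the
# old bundle by mistake, or a renewal that is already close to expiry).
p12_cert_valid_for() {
    p12_cert "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null 2>&1
}

# Same public-key comparison on loose PEM files: cert ($1) vs key ($2).
pem_key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Constructed fixture: a self-signed cert + key packed the way a CA-issued
# PFX is packed, plus an unrelated key to show what a mismatch looks like.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=demo.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/demo.p12" -passout "pass:$2" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/otherkey.pem" 2>/dev/null
}

# Stand-alone run: build the fixture and report on it.
demo() {
    dir=$(mktemp -d) && make_demo_bundle "$dir" secret
    p12_cert_info "$dir/demo.p12" secret
    if p12_key_matches_cert "$dir/demo.p12" secret; then
        echo "demo.p12: key and cert match"
    fi
    if p12_cert_valid_for "$dir/demo.p12" secret 86400; then
        echo "demo.p12: cert valid for at least one more day"
    fi
    if ! pem_key_matches_cert "$dir/cert.pem" "$dir/otherkey.pem"; then
        echo "otherkey.pem: does NOT match cert.pem (as expected)"
    fi
    rm -rf "$dir"
}
demo
```

Run it against the real bundle with `p12_key_matches_cert LoadBalancer.pfx 'password' && p12_cert_info LoadBalancer.pfx 'password'` before the FTP step; a mismatch or an unexpected notAfter is far cheaper to discover here than after 'active' has dropped every client connection. One caveat if you ever repack a bundle yourself with OpenSSL 3.x: its default PKCS#12 encryption changed to AES/PBKDF2, and older devices may only understand the RC2/3DES encodings, which the `-legacy` option of `openssl pkcs12` restores.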
08-27-2010 06:58 AM
Thanks for your reply Yuji
You're right, I made a mistake with the file extension:
CSS-02# show ssl files
File Name          File Type   File Size
----------------   ---------   ------------
LoadBalancer.pfx   PKCS12      3169
I also have the following in the config:
ssl associate cert *.mysite.co.uk LoadBalancer.pfx
ssl associate rsakey *.mysite.co.uk LoadBalancer.pfx
So once I've FTP'd the new cert onto the CSS, how do I apply it?
And is it possible I can keep the old one there to roll back if I run into any problems once the new one is applied?
Many Thanks, Dom
09-01-2010 02:29 AM
Hi Yuji,
I did this change last night and it went like a dream.
Thank you so much for your help - much appreciated!
The only thing I had to do differently was that I had to suspend the proxy list before making the changes.
Cheers, Dom