SSL Redundancy?

Answered Question
Oct 17th, 2005

I have two CSMs and two SSL Modules in separate chassis. The CSMs are in FT mode and I want to load balance against the two SSL modules. Do I need to purchase a certificate for both SSL modules for every service? If not, how do I install the cert for a given service on both modules??


Gilles Dufour Tue, 10/18/2005 - 02:37
User Badges: Cisco Employee

The fact that you have 2 SSL modules does not matter.

Simply add your certificate to each module separately even if this is the same certificate.


Gilles.

carlsond Tue, 10/18/2005 - 06:30

Thank you.

Is there any chance you could tell me how to go about doing this?? I get the following message when I try adding the cert. "Certificate does not contain router's General Purpose public key for trust point test-tp" I'm guessing I need to copy the keys from the 1st SSL mod but can't find the process.

Correct Answer
Gilles Dufour Tue, 10/18/2005 - 22:43
User Badges: Cisco Employee

Depends how you created your key.

If you did it on the SSLM itself, and if you specified the keyword 'exportable', you should be able to export the key with the command 'crypto ca export ...'


See more info in the 2 links below.


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d1c8.shtml


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008037d193.shtml



As a general remark I always recommend to generate keys, certificates and CSR on a separate machine [like a Linux server]. It's then easier to import all the info to all your modules.


Regards,


Gilles.
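
Added example, not part of the original posts and not Cisco's own procedure: the off-box workflow recommended above, done with the OpenSSL command line on a Linux host. It creates one key pair and CSR, checks that the issued certificate carries that key's public key (the condition the error message quoted in the thread names), and packs both into a single PKCS#12 file. The service name, file names and passphrase are constructed, the self-signing step stands in for a real CA, and it is an assumption that each module imports PKCS#12 as described in the linked Cisco documents.

```shell
#!/usr/bin/env bash
# Added example: one key pair + certificate built off-box for use on both SSL modules.
# CN, file names and passphrase are constructed placeholders.
set -eu
umask 077                                  # private key readable by owner only

WORK=$(mktemp -d)
CN="www.example.test"                      # constructed service name
P12_PASS="ChangeMe-demo"                   # constructed; use a real secret in practice

# 1. One RSA key and one CSR for the service, generated away from the modules.
make_key_and_csr() {
  openssl genrsa -out "$WORK/svc.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/svc.key" -subj "/CN=$CN" -out "$WORK/svc.csr"
}

# 2. Stand-in for the CA so the example runs offline: self-sign the CSR.
#    In production svc.csr goes to the CA and the CA returns svc.crt.
issue_cert() {
  openssl x509 -req -in "$WORK/svc.csr" -signkey "$WORK/svc.key" \
    -days 30 -out "$WORK/svc.crt" 2>/dev/null
}

# 3. Certificate/key consistency: compare SHA-256 of the two public keys.
pubkey_digest_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}
pubkey_digest_of_key() {
  openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}
cert_matches_key() {
  [ "$(pubkey_digest_of_cert "$1")" = "$(pubkey_digest_of_key "$2")" ]
}

# 4. One passphrase-protected PKCS#12 bundle (key + certificate) for every module.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/svc.key" -in "$WORK/svc.crt" \
    -name "$CN" -passout "pass:$P12_PASS" -out "$WORK/svc.p12"
}

make_key_and_csr
issue_cert
if cert_matches_key "$WORK/svc.crt" "$WORK/svc.key"; then
  echo "certificate matches key"
else
  echo "certificate does NOT match key" >&2
fi
make_p12
echo "bundle written to $WORK/svc.p12"
```

The bundle contains the private key, so move it to the modules over an encrypted channel and delete the working directory afterwards.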


carlsond Wed, 10/19/2005 - 07:25

Thanks. I finally did figure it out but as usual with the CSM/SSL mods never did find the docs. I will file these for future use.

