Cisco Support Community

New Member

Certificate order for SSL ChainGroup on ACE

Hi,

Am trying to determine the correct order for listing intermediate certs in a chain group on the ACE.

In the URL

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp999546

"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order."

However, I cannot find any reference to what 'the correct order' is.

For example, for a Thawte SSL cert the chain could include:

THAWTE_PREMIUM_SERVER_CA    (normally in the browser's list of root CAs, but might not be on a mobile device)

- THAWTE_PRIMARY_ROOT_CA

    - THAWTE_SSL_CA

       - ISSUED_CERT

So for a mobile-device-friendly chaingroup, is the correct order "big-endian":

chaingroup THAWTECHAIN

  cert THAWTE_PREMIUM_SERVER_CA.CER

  cert THAWTE_PRIMARY_ROOT_CA.CER

  cert THAWTE_SSL_CA.CER

Or is the correct order "little-endian":

chaingroup THAWTECHAIN

  cert THAWTE_SSL_CA.CER

  cert THAWTE_PRIMARY_ROOT_CA.CER

  cert THAWTE_PREMIUM_SERVER_CA.CER

thanks,

Sez

4 REPLIES
Silver

Certificate order for SSL ChainGroup on ACE

Hi Sez,

The preferred order is:

Issued Cert

Intermediates

Root

HTH

Cathy
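The ordering Cathy gives (issued cert, then each intermediate, then the root) is just the chain walked by matching each certificate's issuer name to the next certificate's subject name. The following is an added example, not code from the thread or from Cisco: it takes the certificates in any order, rebuilds the leaf-to-root chain, flags a missing link or a loop, and prints the ACE chaingroup lines in that order. The certificate records are constructed here from Sez's Thawte hierarchy (the subject and issuer strings are made up for illustration); a real tool would read subject and issuer from the X.509 certificates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: the file name that would
    appear in the ACE config plus its subject and issuer names."""
    filename: str
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root CA certificate has issuer == subject.
        return self.subject == self.issuer


# Constructed sample: Sez's hierarchy with hypothetical subject/issuer names.
# THAWTE_PRIMARY_ROOT_CA is modelled as cross-signed by the older
# THAWTE_PREMIUM_SERVER_CA, which is the self-signed top of the chain.
EXAMPLE_CERTS = [
    Cert("THAWTE_PRIMARY_ROOT_CA.CER", "CN=thawte Primary Root CA", "CN=Thawte Premium Server CA"),
    Cert("ISSUED_CERT.CER", "CN=www.example.com", "CN=thawte SSL CA"),
    Cert("THAWTE_PREMIUM_SERVER_CA.CER", "CN=Thawte Premium Server CA", "CN=Thawte Premium Server CA"),
    Cert("THAWTE_SSL_CA.CER", "CN=thawte SSL CA", "CN=thawte Primary Root CA"),
]


def order_chain(leaf_subject: str, certs: list[Cert]) -> list[Cert]:
    """Return certs ordered issued cert -> intermediates -> root.

    Raises ValueError if the issuer of any certificate is not in the set
    (broken chain) or if issuer links form a loop.
    """
    by_subject: dict[str, Cert] = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError(f"duplicate subject in chain: {c.subject}")
        by_subject[c.subject] = c

    if leaf_subject not in by_subject:
        raise ValueError(f"issued certificate not found: {leaf_subject}")

    chain: list[Cert] = []
    seen: set[str] = set()
    current = by_subject[leaf_subject]
    while True:
        if current.subject in seen:
            raise ValueError(f"loop in chain at {current.subject}")
        seen.add(current.subject)
        chain.append(current)
        if current.self_signed:
            return chain  # reached the root
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            raise ValueError(f"missing issuer certificate: {current.issuer}")
        current = nxt


def chaingroup_config(name: str, chain: list[Cert], include_leaf: bool = False) -> str:
    """Render the chain as an ACE chaingroup block. By default the issued
    cert is left out, since the ssl-proxy service references it directly;
    the chaingroup carries the intermediates and the root, in order."""
    certs = chain if include_leaf else chain[1:]
    lines = [f"chaingroup {name}"] + [f"  cert {c.filename}" for c in certs]
    return "\n".join(lines)


def example_order() -> list[str]:
    """File names of the constructed sample, in chain order."""
    return [c.filename for c in order_chain("CN=www.example.com", EXAMPLE_CERTS)]


if __name__ == "__main__":
    chain = order_chain("CN=www.example.com", EXAMPLE_CERTS)
    print(chaingroup_config("THAWTECHAIN", chain))
```

Running it prints the "little-endian" form from the question, with THAWTE_SSL_CA first and THAWTE_PREMIUM_SERVER_CA last. The missing-issuer check is the useful part for a mobile client that cannot reorder: if the root is absent from the set, the function refuses rather than emitting a chaingroup that stops short.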

New Member

Certificate order for SSL ChainGroup on ACE

Thanks for the quick answer Cathy

Was also wondering if on the ACE you could use a crypto import to import a full PEM cert/key "file",

i.e. a PEM that not only contained the cert/key pair but also all the intermediate and root certs as well.

If this crypto import was done to, say, MYCERT.PEM, then on the ACE ssl-proxy service could you just reference this file and not require a separate chaingroup listing? i.e.:

ssl-proxy service MY-SSL-SERVICE

key MYCERT.PEM

cert MYCERT.PEM

This was the setup on the CSS; wondering if the same is true for the ACE (have not had the chance to try it out yet).

rgds, Sez

Silver

Certificate order for SSL ChainGroup on ACE

Only if you use a PKCS12 format file. See

https://supportforums.cisco.com/message/3141328#3141328 for more details.

Cathy

New Member

Certificate order for SSL ChainGroup on ACE

Thanks for pointing that one out Cathy

I had fallen for that old trap of believing the doco, which still says PEM only :-)

About time that doco got fixed up if the ACE has always supported PKCS / DER / PEM and we're on f/w ver A5 now...!

thanks again,

Sez
