Cisco Support Community
Community Member

Configuring SSL termination on ACE

Hi,

Can someone explain what the SSL proxy service is used for?

Also, please give a one liner description of the below entries.

ssl-proxy service PSERVICE_SERVER

key ACEKEY.PEM

cert ACEIDM-CERT.PEM

chaingroup CISCOSSLCA-group

ssl advanced-options PARAMMAP_SSL

Lastly, why is the PEM extension used for the certificate? Can other extensions be used as well, like CER etc.?

Thanks.

9 REPLIES

Re: Configuring SSL termination on ACE

SSL proxy server is used to define the server certs, Intermediate certs (if any - using chaingroup) and RSA Key pairs that should be used to Offload SSL.

Following will be the line by line description

key ACEKEY.PEM <-- Use ACEKEY.PEM named RSA key to offload request

cert ACEIDM-CERT.PEM <-- Use this server certificate to offload SSL request

chaingroup CISCOSSLCA-group <-- Use this chain group to complete Cert chain. This chain group is configured separately and it carries all the intermediate certs needed to complete the certificate chain.

ssl advanced-options PARAMMAP_SSL <-- This SSL type parameter map is also created separately and it includes the supported SSL version and SSL ciphers

If you don't use SSL type parameter type then by default ACE supports all ciphers & all SSL versions.

ACE supports PEM, DER & PKCS12 formats. You can use any extensions as long as the certs follow one of the above mentioned standards.

Syed

Community Member

Re: Configuring SSL termination on ACE

Ok.

If we were to use an SSL certificate on the ACE module for, let's say, six months and then we replace the ACE module, can the same certificate be used in the newly installed ACE module or would a new SSL certificate be required?

Thanks.

Re: Configuring SSL termination on ACE

No worries..

You can export the RSA keypair and Certificates from one ACE and can import it to another ACE.

Syed

Community Member

Re: Configuring SSL termination on ACE

In reference to your previous post, does the SSL proxy service need to be a dedicated server required to hold the server certificates?

Re: Configuring SSL termination on ACE

It's just a configuration object defined on ACE that holds the relevant SSL objects (cert, key, cert chain, allowed ciphers..). You can have multiple SSL proxy services that can be used by ACE to offload traffic for different applications.

Syed

Community Member

Re: Configuring SSL termination on ACE

Hi,

Once I generate the key, how can I list it in the ACE file system?

I believe the key will be added from the local file system on ACE.

Also, it is ok that the key is in PEM format and the Certificate is in DER format.

Re: Configuring SSL termination on ACE

show crypto files

will show you all keys & certs on ACE.

Using openssl you can easily convert PEM-->DER and vice versa.

Syed Iftekhar Ahmed
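
The PEM/DER conversion mentioned in the reply above, as an added example that is not part of the original thread: it converts a certificate with the `openssl` command line, identifies the encoding from the file content rather than the extension, and checks that a private key belongs to a certificate before the pair is imported anywhere. The file names, the subject and the throwaway key and certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). File names and the subject are constructed.
workdir=$(mktemp -d)

# Constructed test material: throwaway RSA key and self-signed certificate (PEM).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ace-example.invalid" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
}

# Convert an X.509 certificate between the two encodings.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# Identify the encoding from the content, whatever the file extension says.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
    else echo unknown
    fi
}

# SHA-256 fingerprint; $2 is the encoding (PEM or DER).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Succeeds only if the private key ($1, PEM) belongs to the certificate ($2, PEM).
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

make_sample
pem_to_der "$workdir/cert.pem" "$workdir/cert.cer"   # DER content, .cer name
echo "cert.pem is $(cert_format "$workdir/cert.pem")"
echo "cert.cer is $(cert_format "$workdir/cert.cer")"
if key_matches_cert "$workdir/key.pem" "$workdir/cert.pem"; then
    echo "key matches certificate"
else
    echo "key does NOT match certificate"
fi
```
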

Community Member

Re: Configuring SSL termination on ACE

Would you know whether MS IIS - Certificate Authority supports PEM format?

I can only see PKCS and DER.

Re: Configuring SSL termination on ACE (Accepted Solution)

I don't think PEM is supported on IIS.

But you can easily convert these to PEM using OpenSSL.

Following link will give you the needed steps

http://www.petefreitag.com/item/16.cfm

Syed Iftekhar Ahmed
