Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS 11500 and SSL Certificates with Extended Validation

Hi guys,

can me somebody explain how to import Verisign certificate (SSL Certificates with Extended Validation)?

I done this many times, but today I have problem with it. This is first time, that I import SSL certificate with "extended validation", but I think technique is the same. I'm right?

ok, step by step:

1. I sent CSR to verisign

2. I got certificate for my domain in x509 format. I don't know what the format of the file was, but all certificates (all cert.chain) was in one part:

-----BEGIN CERTIFICATE-----

asdadas all 4 certificates <cut>

-----END CERTIFICATE-----

I have import this file to browser and export as 'chain'. I got one x509 format file, with 4 certificates:

-----BEGIN CERTIFICATE-----

my service <cut>

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

CA EV certificate <cut>

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

CA certificate <cut>

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

ROOT-CA certificate <cut>

-----END CERTIFICATE-----

3. CSS SSL configuration is ok. I done this many times. Certificate and private key verification is ok. But client browser shows:

"my.domain.com uses an invalid security certificate. The certificate does not come from a trusted source. (Error code: sec_error_untrusted_cert)"

ok, maybe intermediate certificate is missing (well-known problem: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801e8071.shtml)

by the way, this intermediate certificate (Secure Site Pro with EV Root bundle: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657) is included in the certificate.

I tried add it to the end of the certificate, but the same result.

Where is the problem? Thanks for help.

martin

1 REPLY
Cisco Employee

Re: CSS 11500 and SSL Certificates with Extended Validation

Martin,

EV certificates have been tested with the CSS and they work fine.

You also seem to know the procedure to install chained certificates.

So, I can only suggest to open a service request with the TAC and provide them your key and certs so that we can try it in our lab.

Gilles.

280
Views
0
Helpful
1
Replies