Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
595
Views
0
Helpful
4
Replies

CSS SSL Wildcard Cert configuration

olge
Level 1
Level 1

‎11-03-2006 07:59 AM

Hi,

We have CSS 11503

We learned that CSS SSL Module should support wildcard certificate. Well, when we try using such cert, by hitting the webpage, the page hangs as the cert is not trusted. When we use a regular cert, everything works fine.

The certificate has been signed with a 2000 CA.

Any ideas?

Labels:
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎11-03-2006 09:59 AM

the CSS supports wildcard certificate.

If the cert was not trusted you would get a warning asking you to accept or reject the page but no hang.

The hang means there is something else more important no working.

You should capture a sniffer trace on the client and open a service request with the TAC.

If you do not run the latest 7.50 or 8.10 version you may want to upgrade first as there was some improvement recently in this area of the code.

Gilles.

0 Helpful

olge
Level 1
Level 1
In response to Gilles Dufour

‎11-03-2006 11:10 AM

Giles,

Thanks for the answer,

Here is the configuration that I am using, most of it taken from CSS Examples given by Citrix.

The same configuration works for regular, not wildcard cert. Could it be it does not work b/c it was signed by 2000 CA? I am doing the wildcard cert with 2000 CA before purchasing Verisign's cert.

ssl-server 150

ssl-server 150 vip address 10.6.144.71

ssl-server 150 rsacert wildhstsupp_cert

ssl-server 150 rsakey wildcardhstsupp_rsakey

ssl-server 150 cipher rsa-with-3des-ede-cbc-sha 10.6.144.71 80

service SUPPWEB

type ssl-accel

add ssl-proxy-list ssl_list1

slot 3

keepalive type none

active

service HSTSUPPPROXY01-p_80

ip address 10.6.228.10

protocol tcp

port 80

keepalive type tcp

active

owner Test

content SUPPWEB_443_71

vip address 10.6.144.71

application ssl

add service SUPPWEB

port 443

protocol tcp

flow-timeout-multiplier 20

active

content SUPPWEB_80_71

vip address 10.6.144.71

protocol tcp

port 80

url "/*"

add service HSTSUPPPROXY01-p_80

active

I guess next step would be opening request with TAC..

Thanks again

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to olge

‎11-05-2006 11:23 PM

the css really does not care what certificate you use as long as it matches the key.

So, looking at the config won't help.

We will need your certificate and key to see if we have the same issue and what might be the problem.

Gilles.

0 Helpful

olge
Level 1
Level 1
In response to Gilles Dufour

‎11-06-2006 06:02 AM

Gilles,

The config was good, it ended up being an ISA server issue which was proxying CSS traffic...

Appriciate all your help.

Alec

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents