New Member

Intermediate CA on CSS 11506

My certificate supplier requires the installation of an intermediate CA on the 'web server' in order for the browser to identify the correct trusted root cert. However, we're terminating SSL on the CSS and I can find no information on how to install intermediate CAs.

Has anybody got this working?

New Member

Re: Intermediate CA on CSS 11506

Detailed answer from Cisco contact (quote):

If their chained cert is in multiple files the following procedure should work:

1) convert all certs to the same format. If, on the off chance, the certs are separate and not PEM format, they will need to be converted to PEM format and then concatenated.

2) concatenate all the certs to one file. Make sure the certs are concatenated as they appear in the chain. Server cert first, intermediates and root cert last. (server cert, intermediate cert, root cert)

{normally you don't need the root cert, just all the intermediates}

3) import the concatenated cert into the CSS

4) associate the cert

5) apply the cert association of the ssl-server within the ssl-proxy-list

A chained cert is comprised of A signed by B signed by C etc...

The SSL module will send the correct cert to the client and the client will validate it just in the normal procedure for handling certs. The CSS simply needs the certs in the proper order within the PEM file. You should see in the certs (use OpenSSL to view them) Issued To, and Signed By fields. A typical chain will look like this:

Cert A:

Issued To:

Signed By: some CA

Cert B:

Issued To: some CA

Signed By: Intermediate - VeriSign

Cert C:

Issued To: Intermediate - VeriSign

Signed By: Trusted Root VeriSign

For this chain to be added to the CSS, simply concatenate them into a single file as: A, B, C

The key they need to use is the key that generated the CSR to create the server cert. There is only one key for a cert be it chained or regular. Make sure they "verify" the cert and key after they are imported. If they are wrong this step will save time later on in the config.

You should not need the root cert when you are terminating SSL. This is because the client should have a list of trusted certs. The client will receive the chain from the SSL module and then check it to find that a Trusted CA has signed it. The clients have the browser within themselves and use their internal cert to verify the cert chain.

When you cut and paste, you will put the server cert first and then the intermediary cert. Include the entire cert including



Leave a blank line between the End of the server cert and the Begin of the intermediary cert.


If this is an all-in-one chained cert like many of the PKCS#12 certs then just import the chained cert as PKCS#12 and associate/apply it as normal. PKCS#12 are not capable of being concatenated.

DER formats do not support chains, so this should not be an issue.
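
The ordering and key checks described in the reply above can be run on the concatenated PEM file before it is imported. This is an added example, not part of the original post and not Cisco tooling; it assumes the openssl CLI is installed, all file and function names are hypothetical, and it compares issuer and subject names only, not signatures.

```shell
#!/bin/sh
# Added example: pre-import checks for a concatenated PEM chain.
# Assumes the openssl CLI is installed; all file names are hypothetical.

# split_chain FILE DIR: write each cert in FILE to DIR/cert-N.pem, in file order.
# Blank lines between certs are skipped.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                   on { print > (d "/cert-" n ".pem") }
                   /-----END CERTIFICATE-----/ { on = 0 }' "$1"
}

# check_chain_order FILE: succeed only if every cert's issuer name equals the
# subject name of the cert that follows it. Compares names, not signatures.
check_chain_order() {
    dir=$(mktemp -d) || return 2
    split_chain "$1" "$dir"
    i=1
    while [ -f "$dir/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is not issued by cert $((i + 1)): wrong order or missing intermediate" >&2
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# key_matches_cert KEY FILE: succeed only if KEY is the private key of the
# first cert in FILE (openssl x509 reads only the first cert of a PEM file).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_demo_chain DIR: constructed sample input, a throwaway root, intermediate
# and server cert (root.pem, inter.pem, server.pem) with their keys.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" &&
      openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=www.example.test" &&
      openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out server.pem -days 1
    ) >/dev/null 2>&1
}
```

Build the file with `cat server.pem inter.pem > chain.pem`, then run `check_chain_order chain.pem` and `key_matches_cert server.key chain.pem`; a non-zero exit status from either means the order or the key is wrong.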
