New Member

Need advice renewing Thawte Certificate on CSS11503

Hi,

I'm after some guidance as to how to renew a Thawte server certificate on a pair of CSS11503 devices.

My customer has received the certificate from Thawte and it's in .pxf format. He said that when they last renewed they didn't need to generate a CSR, so looking at Thawte's web site I'm assuming this means that the CSR is re-signable within their system.

The documentation on CCO states that I then need to copy the file onto the CSS.

My first query is, will I be able to copy a .pxf file onto the CSS, as from the syntax it looks like the device is expecting a PEM file.

The next query I have is, how do I know what is inside a .pxf file? Do I need to contact Thawte, or is the .pxf format always just a certificate?
This question refers to this paragraph in the docs;

"After you import or generate certificate and key pair files, you must indicate to the CSS whether these files contain certificates, private keys, or Diffie-Hellman parameters. You do this by associating certificate names, private/public key pair names, or Diffie-Hellman parameter names with the particular imported files"

If anyone can give me any pointers on this I'd appreciate it

Many Thanks, Dom

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Need advice renewing Thawte Certificate on CSS11503

Dom

If you want to be able to roll back, I recommend you copy and associate the new cert under a different name, as below.

copy ssl ftp DEFAULT_FTP import LoadBalancer_new.pfx PKCS12 "password" "password"
(config)# ssl associate cert *.mysite.co.uk_new LoadBalancer_new.pfx
(config)# ssl associate rsakey *.mysite.co.uk_new LoadBalancer_new.pfx

If you run into a problem, you can roll back the cert by changing the ssl-proxy-list only.

The following are the steps to import and apply the new cert, and the rollback config.

## initial config

!*************************** GLOBAL ***************************
  ssl associate rsakey oldkey old.p12
  ssl associate cert oldcert old.p12
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  ssl-server 1
  ssl-server 1 vip address 192.168.77.100
  ssl-server 1 cipher rsa-export-with-rc4-40-md5 192.168.77.100 80
  ssl-server 1 rsakey oldkey
  ssl-server 1 rsacert oldcert
  active

## import the new cert

CSS11503# copy ssl ftp DEFAULT_FTP import new.p12 PKCS12 "cisco" "cisco"
CSS11503# conf t
CSS11503(config)# ssl associate rsakey newkey new.p12
CSS11503(config)# ssl associate cert newcert new.p12
CSS11503(config)# ssl-proxy-list test
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsakey newkey
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsacert newcert
CSS11503(config-ssl-proxy-list[test])# sus  <<== Even when the ssl-proxy-list is suspended, existing connections are not disconnected and the CSS keeps using the old cert. When the 'active' command is issued, existing connections are disconnected and the new key and cert are loaded on the CSS.
CSS11503(config-ssl-proxy-list[test])# act

## new config

!*************************** GLOBAL ***************************
  ssl associate rsakey oldkey old.p12
  ssl associate cert oldcert old.p12
  ssl associate rsakey newkey new.p12
  ssl associate cert newcert new.p12
  ftp-record DEFAULT_FTP 1.160.0.52 root des-password ig5haaufqbnfuarb /tftpboot/webns
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  ssl-server 1
  ssl-server 1 vip address 192.168.77.100
  ssl-server 1 cipher rsa-export-with-rc4-40-md5 192.168.77.100 80
  ssl-server 1 rsakey newkey
  ssl-server 1 rsacert newcert
  active

If the CSS works fine after activating the ssl-proxy-list, you can remove the old cert.

If the CSS doesn't work, you can roll back with the following config.

CSS11503# conf t
CSS11503(config)# ssl-proxy-list test
CSS11503(config-ssl-proxy-list[test])# no ssl-server 1 rsakey
CSS11503(config-ssl-proxy-list[test])# no ssl-server 1 rsacert
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsakey oldkey
CSS11503(config-ssl-proxy-list[test])# ssl-server 1 rsacert oldcert
CSS11503(config-ssl-proxy-list[test])# sus
CSS11503(config-ssl-proxy-list[test])# act

Regards,

Yuji

4 REPLIES
Cisco Employee

Re: Need advice renewing Thawte Certificate on CSS11503

I'm not sure about the .pxf format. Do you mean a Personal Information Exchange (PFX) file?

If so, you can import this file in PKCS12 format.

--

.pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g, with PFX files generated in IIS)

http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions

--

To copy this file onto the CSS, issue the 'copy ssl' command as below.

CSS11503# copy ssl ftp DEFAULT_FTP import pkcs.p12 PKCS12 "cisco" "cisco"

DEFAULT_FTP : ftp record
pkcs.p12 : cert file
first "cisco" : the password used to DES-encode the file
second "cisco" : the pass-phrase used to protect the contents of the file

For more detail on the 'copy ssl' command, please refer to the following URL.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.30/configuration/security/guide/SSL.html#wp1451811

After importing, you can see the file as below.

CSS11503(config)# show ssl files
File Name                       File Type File Size
----------------                --------- ------------
rsakey                          PEM        887
rsacert                         PEM        1050
pkcs.p12                        PKCS12     2389 <<==

You can then associate the key and cert with the 'ssl associate' command as below.
CSS11503(config)# ssl associate cert mycert pkcs.p12
CSS11503(config)# ssl associate rsakey mykey pkcs.p12
CSS11503# sh run global
!*************************** GLOBAL ***************************
  ssl associate cert mycert pkcs.p12
  ssl associate rsakey mykey pkcs.p12

To verify the cert file on your PC, you will need to install OpenSSL and issue the 'openssl pkcs12' command as below. You can then confirm the cert and key.

# openssl pkcs12 -in pkcs.p12
Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 63 D4 36 FB 69 E1 DC 76 AD 38 0B 18 87 E7 63 28 46 35 73 BE
subject=/C=JP/ST=Tokyo/L=Shinjuku/O=CiscoSystems/OU=Japan-TAC/CN=yushimaz/emailAddress=yushimaz@cisco.com
issuer=/C=JP/ST=Tokyo/L=Shinjuku/O=cisco/OU=TAC/CN=yushimaz/emailAddress=yushimaz@cisco.com
-----BEGIN CERTIFICATE-----   <<== cert
MIIDEjCCAnsCCQDr6c7BldcySTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
[snip]
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 63 D4 36 FB 69 E1 DC 76 AD 38 0B 18 87 E7 63 28 46 35 73 BE
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----  <<== private key
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,426191720D232453
JV5+HCfNgJtXg01lJ2pe1baQHaTK8kOFEHNIw9jbmZpiPsTIHfbmHScQuII6yciR
[snip]
-----END RSA PRIVATE KEY-----
#

Regards,

Yuji
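The two manual checks in this thread (inspecting the PKCS#12 bundle with 'openssl pkcs12' before the 'copy ssl ... import', and confirming the new cert is live after 'active' on the ssl-proxy-list) can be scripted. The script below is an added example written for this page, not code from the original posts or from Cisco. It assumes the openssl command-line tool is on PATH; the file name LoadBalancer_new.pfx, the password, the VIP host and port, and the function names are illustrative. It goes one step beyond the thread: besides listing the cert and key, it confirms that the private key in the bundle actually belongs to the certificate, that the certificate is not already expired (a renewal bundle that still carries the old cert would fail here), and, once the proxy list is active, that the VIP presents the same certificate fingerprint as the bundle.

```shell
#!/bin/sh
# Added example (not from the original thread or from Cisco): pre-import checks on a
# renewed PKCS#12 (.pfx/.p12) and a post-activation check on the CSS VIP.
# Assumes the openssl CLI is on PATH. File names, passwords, host and port are illustrative.

# p12_cert FILE PASSWORD : the end-entity certificate from the bundle, as PEM
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# p12_key FILE PASSWORD : the private key, unencrypted, to stdout only (never written to disk here)
p12_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null
}

# p12_ca_count FILE PASSWORD : how many intermediate/root certificates travel with the leaf
p12_ca_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# p12_key_matches_cert FILE PASSWORD : succeeds only if the key's public half equals the cert's public key
p12_key_matches_cert() {
    cert_pub=$(p12_cert "$1" "$2" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(p12_key "$1" "$2" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_sha256 FILE PASSWORD : SHA-256 fingerprint of the leaf certificate ("AB:CD:...")
p12_sha256() {
    p12_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_sha256 HOST PORT : SHA-256 fingerprint of the certificate a TLS endpoint (the CSS VIP) presents
served_sha256() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# p12_precheck FILE PASSWORD : run before 'copy ssl ... import'. Returns 0 only if the MAC verifies,
# the key matches the certificate and the certificate has not already expired.
p12_precheck() {
    # A wrong password or a damaged file fails the MAC check. Old PFX files protected with RC2
    # need 'openssl pkcs12 -legacy' on OpenSSL 3.x (assumption: not handled automatically here).
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; then
        echo "MAC check failed: wrong password or damaged file"; return 1
    fi
    p12_cert "$1" "$2" | openssl x509 -noout -subject -issuer -dates
    echo "leaf sha256=$(p12_sha256 "$1" "$2")  bundled CA certs=$(p12_ca_count "$1" "$2")"
    if ! p12_key_matches_cert "$1" "$2"; then
        echo "private key does not match certificate"; return 1
    fi
    # -checkend 0 fails if the certificate is already expired
    if ! p12_cert "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired"; return 1
    fi
    echo "OK: bundle is consistent and the certificate is current"
}

# deploy_check FILE PASSWORD HOST PORT : after 'active' on the ssl-proxy-list, confirm the VIP
# presents the certificate from the bundle rather than the old one
deploy_check() {
    want=$(p12_sha256 "$1" "$2"); got=$(served_sha256 "$3" "$4")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# make_demo_p12 OUT PASSWORD : throwaway self-signed key and cert bundled as PKCS#12 (constructed test data)
make_demo_p12() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
        -days 30 -subj "/CN=www.example.invalid" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" -out "$1" -passout "pass:$2"
    rm -rf "$d"
}

# Demo: sh p12_precheck.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    make_demo_p12 "$t/LoadBalancer_new.pfx" password
    p12_precheck "$t/LoadBalancer_new.pfx" password
    rm -rf "$t"
fi
```

Usage against a real renewal: p12_precheck LoadBalancer_new.pfx 'password' before the FTP copy, then, after 'act' on the proxy list, deploy_check LoadBalancer_new.pfx 'password' 192.168.77.100 443; a non-zero exit from the latter means the VIP is still handing out the old certificate and the rollback steps from the accepted answer apply. The first password given to 'copy ssl' (the DES password) is a CSS-side storage key and is separate from the PKCS#12 pass-phrase this script verifies.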

New Member

Re: Need advice renewing Thawte Certificate on CSS11503

Thanks for your reply, Yuji.

You're right, I made a mistake with the file extension:

CSS-02# show ssl files
File Name                       File Type File Size
----------------                --------- ------------
LoadBalancer.pfx                PKCS12     3169 
  

I also have the following in the config


  ssl associate cert *.mysite.co.uk LoadBalancer.pfx
  ssl associate rsakey *.mysite.co.uk LoadBalancer.pfx

So once I've FTP'd the new cert onto the CSS, how do I apply it?

And is it possible I can keep the old one there to roll back if I run into any problems once the new one is applied?

Many Thanks, Dom


New Member

Re: Need advice renewing Thawte Certificate on CSS11503

Hi Yuji,

I did this change last night and it went like a dream.

Thank you so much for your help - much appreciated!

The only thing I had to do differently was that I had to suspend the proxy list before making the changes.

Cheers, Dom
