SSL chaingroup

ajay chauhan
Level 7

Hi,

Looking for an explanation of what a chaingroup is and what it is used for. Is this something related to wildcard?

Thanks

Ajay               

Accepted Solution

Just to chime in on this. A certificate chain normally would look like this.

Root CA  ---> Intermediate CA --->  Server Certificate

The root CA Signs the Intermediate CA and the Intermediate CA Signs the Certificate.

Assuming that the client browser has the Intermediate and Root CAs in its certificate store, the browser can authenticate the server certificate. If the Root CA and the Intermediate CA are not in the client certificate store, then the server certificate cannot be authenticated. So to allow for this, you configure the ACE with a chaingroup that has the Root and any Intermediate CAs in it. This will allow the ACE to pass the full certificate chain to the client, thus allowing the client to fully authenticate the server certificate.

Chris
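As an added example (not from the thread or from Cisco), the script below builds the Root CA -> Intermediate CA -> Server Certificate chain Chris describes with openssl, then shows that a client trusting only the root cannot validate the server certificate on its own, but can once the intermediate is presented alongside it, which is what the chaingroup makes the ACE do. All names, file paths and key sizes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build Root CA -> Intermediate CA -> Server cert
# with openssl, then verify the server cert with and without the intermediate.
# All names, paths and key sizes below are constructed for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)

# Extension profiles: CA certs get CA:TRUE, the server cert does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.ext"

# Helper: new RSA key plus CSR (args: key file, CSR file, subject CN)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Root CA: self-signed with CA extensions
new_csr "$WORK/root.key" "$WORK/root.csr" "Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: signed by the root
new_csr "$WORK/int.key" "$WORK/int.csr" "Demo Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Server certificate: signed by the intermediate
new_csr "$WORK/server.key" "$WORK/server.csr" "www.example.test"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null

# The client's trust store holds only the root CA. Without the intermediate the
# server cert cannot be chained to it (non-zero exit status = verification failed).
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Same trust store, but the server also presents the intermediate, as the ACE
# does when a chaingroup is configured (exit status 0 = chain verified).
verify_with_chaingroup() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
}

if verify_without_intermediate; then
  echo "unexpected: server cert verified without the intermediate"
else
  echo "server cert alone: verification FAILED (issuer not found)"
fi
verify_with_chaingroup && echo "server cert + intermediate: verification OK"
```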


4 Replies

Jorge Bejarano
Level 4

Hello Ajay,

"The chaingroup feature under the ssl-proxy service is designed to give the additional certificates beyond the server certificate.

For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service, then (optional) you can define a chaingroup.

The chaingroup would contain the certificate that signed the server cert and (optionally) any additional certificates in the chain, up to the root."

Sometimes, some browsers require having not only the key and server cert but also the rest of the certificates in the chain.

Please mark if it is useful

Hope this helps.

Jorge

Hi Jorge,

I agree with your statement:

"For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service."

However, I am still not clear on chaingroup. What comes up as a requirement for using a chaingroup? Is it something like multiple certs for the same VIP, or something else?

Thanks

Ajay

Hello Ajay,

It is something optional. Sometimes some browsers require having the intermediate certificates besides the key and server cert; that's where you configure the chaingroup to provide them.

Jorge
