I am trying to get a certificate installed on an SSL Mod. using the cut and paste method. I generated a key pair, configured the trustpoint, generated a certificate request and pasted it into Verisign's site. The reply I received, I'm assuming, is the certificate authority certificate, and I imported it. Now I'm supposed to import a server certificate? How do I get this? Did I do something wrong?
You need to paste the response from Verisign together with their intermediate certificate into a file and then import that file onto the CSS. Then associate the file so the CSS knows it's a cert. If the CSS doesn't like the file, try the paste/import again. Then load it with the key file into the ssl-proxy list.
What I was missing was the Certificate Authority Certificate. I'm assuming this is what you mean by the intermediate cert. Verisign talked me through exporting their cert from Internet Explorer. Once this cert is imported via "crypto ca authenticate trustpointname", then you can import the server cert via "crypto ca import trustpointname certificate".
If Verisign had you export a certificate from IE, that was most likely their root certificate. From my experience you need a root, intermediate and server certificate for the chain to properly form. Take care
I'm struggling through this as well. The process seems straightforward. I follow all the steps, get the combined certificates uploaded (intermediate and server cert), but when I try to activate the ssl-proxy-list I get an error:
"Error in ssl-server 10: RSA Cert/Key Verify %% Certificate and key files do not match."
I get the same type of message if I try to do "ssl verify"
If you regenerated the key pair after installing the cert, I could see you getting a message like that. You might just try starting from scratch. Revoke your cert and get a new one created. I used the process on pages 3-12 and 3-13 of the "Catalyst 6500 Series Switch SSL Services Module Configuration Note rel 2.1". One other thing I learned the hard way: when generating the trustpoint, make sure your subject-name CN equals your VIP DNS name exactly, otherwise it can cause issues.
Thanks. I found the problem. I called TAC and spoke with Jay Kelly (he rocks, I've worked with him before), and he pointed out a glaring discrepancy in the documentation for doing this. When combining the intermediate and server certs, the server cert goes first and the intermediate second. The on-line docs say the opposite. Also, the two certs should not be separated. In other words, paste in the server cert, hit enter after the trailing -----, and then paste in the intermediate cert with no trailing carriage return.
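The two things this thread turns on can both be checked before anything is pasted into the module: whether the certificate was actually issued for the private key you still have (the cause of the "Certificate and key files do not match" error), and whether the combined file has the server cert first, the intermediate second, and no blank line between them. The script below is an added example, not code from the thread or from Cisco; it assumes the openssl command-line tool is installed, and all file names and the self-signed test certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco). Assumes `openssl` is installed.

# Compare the public key inside the certificate with the public key derived
# from the private key. A mismatch is what the SSL module reports as
# "Certificate and key files do not match", e.g. after the key pair was
# regenerated once the cert had already been issued.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Build the combined file in the order the thread settled on: server cert
# first, intermediate second. awk 'NF' drops blank lines and guarantees a
# newline after every line, so the server cert's END line is immediately
# followed by the intermediate's BEGIN line.
build_chain() {
  awk 'NF' "$1" "$2" > "$3"
}

# Sanity check on a combined file: no blank lines and exactly two cert blocks.
chain_looks_ok() {
  ! grep -q '^[[:space:]]*$' "$1" &&
  [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")" -eq 2 ] &&
  [ "$(grep -c '^-----END CERTIFICATE-----$' "$1")" -eq 2 ]
}

# Constructed demo material: a self-signed "server" cert with its key, a
# second self-signed cert standing in for the intermediate, and a freshly
# generated key that was never used for any certificate.
make_demo_material() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.crt" -subj /CN=vip.example.test -days 1 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
    -out "$d/inter.crt" -subj /CN=Test-Intermediate -days 1 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/regenerated.key" 2>/dev/null
  printf '%s\n' "$d"
}

demo() {
  d=$(make_demo_material)
  cert_key_match "$d/server.crt" "$d/server.key" && echo "server key matches cert"
  cert_key_match "$d/server.crt" "$d/regenerated.key" || echo "regenerated key: mismatch"
  build_chain "$d/server.crt" "$d/inter.crt" "$d/chain.pem"
  chain_looks_ok "$d/chain.pem" && echo "combined file looks well-formed"
}

demo
```

Run cert_key_match against the cert you got back from the CA and the key file you are about to load; if it fails, the key was regenerated after the request was made and the cert must be reissued.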