Cisco Support Community
New Member

SSL Module Certificate Installation

First time SSL newbie question.

I am trying to get a certificate installed on an SSL Mod. using the cut and paste method. I generated a key pair, configured the trustpoint, generated a certificate request and pasted it into Verisign's site. The reply I received, I'm assuming, is the certificate authority certificate, and I imported it. Now I'm supposed to import a server certificate?? How do I get this?? Did I do something wrong??

Thank you..

6 REPLIES
New Member

Re: SSL Module Certificate Installation

You need to paste the response from Verisign together with their intermediate certificate into a file and then import that file onto the css. Then associate the file so the css knows it's a cert. If the css doesn't like the file, try the paste/import again. Then load it with the key file into the ssl-proxy list.

New Member

Re: SSL Module Certificate Installation

What I was missing was the Certificate Authority Certificate. I'm assuming this is what you mean by the intermediate cert. Verisign talked me through exporting their cert from Internet Explorer. Once this cert is imported via "crypto ca authenticate trustpointname" then you can import the server cert via "crypto ca import trustpointname certificate".

New Member

Re: SSL Module Certificate Installation

If Verisign had you export a certificate from IE, that was most likely their root certificate. From my experience you need a root, intermediate and server certificate for the chain to properly form. Take care

New Member

Re: SSL Module Certificate Installation

Hi,

I'm struggling through this as well. The process seems straightforward. I follow all the steps, get the combined certificates uploaded (intermediate and server cert), but when I try to activate the ssl-proxy-list I get an error:

"Error in ssl-server 10: RSA Cert/Key Verify %% Certificate and key files do not match."

I get the same type of message if I try to do "ssl verify"

Did you run into this?

New Member

Re: SSL Module Certificate Installation

If you regenerated the key pair after installing the cert I could see you getting a message like that. You might just try starting from scratch. Revoke your cert and get a new one created. I used the process on pages 3-12 and 3-13 of the "Catalyst 6500 Series Switch SSL Services Module Configuration Note rel 2.1". One other thing I learned the hard way is when generating the trustpoint make sure your subject-name CN equals your VIP DNS name exactly, otherwise it can cause issues.

New Member

Re: SSL Module Certificate Installation

Thanks. I found the problem. I called TAC and spoke with Jay Kelly (he rocks, I've worked with him before), and he pointed out a glaring discrepancy in the documentation for doing this. When combining the intermediate and server certs, the server cert goes first and the intermediate second. The on-line docs say the opposite. Also, the two certs should not be separated. In other words, paste in the server cert, hit enter after the trailing -----, and then paste in the intermediate cert with no trailing carriage return.

Hope this helps someone else.
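
The two failure causes discussed in this thread (a key pair that no longer matches the certificate, and the order of the server and intermediate certificates in the combined file) can be checked on a workstation before anything is uploaded. The script below is an added example, not part of the original posts or of Cisco's documentation; it uses the OpenSSL command line rather than the module's CLI, and every file name, CN and the self-signed "Demo Intermediate CA" standing in for the real intermediate are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-upload checks for a server + intermediate bundle.
# All keys, certificates and names are throwaway values built for this demo.

# Print the n-th certificate block of a PEM bundle.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"; }

# Succeeds when the certificate's RSA modulus equals the private key's.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}

# Succeeds when cert 1 (server) names cert 2 (intermediate) as its issuer.
bundle_order_ok() {
    iss=$(nth_cert "$1" 1 | openssl x509 -noout -issuer_hash) || return 2
    sub=$(nth_cert "$1" 2 | openssl x509 -noout -subject_hash) || return 2
    [ "$iss" = "$sub" ]
}

# Layout from the thread: server cert, one newline, intermediate cert,
# no blank line in between and no trailing newline.
make_bundle() { printf '%s\n%s' "$(cat "$1")" "$(cat "$2")" > "$3"; }

# Build a demo CA, a server key and cert, and a key regenerated afterwards.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vip.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 2 -out "$d/server.pem" 2>/dev/null &&
    openssl genrsa -out "$d/regenerated.key" 2048 2>/dev/null
}

# Demo run: one correctly ordered bundle, one key that no longer matches.
d=$(mktemp -d) && make_demo "$d" &&
    make_bundle "$d/server.pem" "$d/ca.pem" "$d/bundle.pem"
bundle_order_ok "$d/bundle.pem" && echo "order ok: server first, intermediate second"
cert_matches_key "$d/server.pem" "$d/server.key" && echo "cert matches original key"
cert_matches_key "$d/server.pem" "$d/regenerated.key" || echo "mismatch: key regenerated after the CSR"
rm -rf "$d"
```

The order check compares names only (issuer of the first certificate against subject of the second); it does not validate signatures or expiry.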
