Cisco Support Community

New Member

SSL proxy using p12 certificate file

Hi,

I am configuring SSL termination for an e-commerce site. The only certificate and key file for the site is in .p12 format. I have successfully imported the file in the ACE context:

Tor-ACE/StagingFrontEnd-LB# sh crypto files

Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                      5066  PKCS12  No         BOTH

Tor-ACE/StagingFrontEnd-LB# 

However, when I configured this cert and key in the SSL proxy service, the SSL proxy server didn't work. When I changed the cert and key file to the Cisco sample file, it worked.

Any help will be appreciated.

James

Accepted Solutions
Cisco Employee

Re: SSL proxy using p12 certificate file

James/Chris,

Just to clarify, the ACE has supported PKCS12 from the very beginning, on either the APP or MOD.

Sounds like your problem could be either that:

You only associated the file once under the ssl service. The file needs to be associated with the cert and the key using the same name:

ssl-proxy service VIP
  key secure.seOOOO.ca.p12
  cert secure.seOOOO.ca.p12

Or you didn't specify the cert passphrase when importing the file:


switch/Admin# show crypto file
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                     5066  PKCS12    No       BOTH

ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10 secure.seOOOO.ca.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.

Hope this helps.

Pablo



3 REPLIES
New Member

Re: SSL proxy using p12 certificate file

James,

    In order for the ACE to terminate SSL, the certs/key need to be in PEM format.  Please see the attached configuration guide for SSL.

Thanks

Chris

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/certkeys.html#wp1052415

New Member

Re: SSL proxy using p12 certificate file

Thanks guys,

I got it to work. The ACE does accept the p12 certificate and key file. It was a configuration problem on the web servers. I also tried using the openssl command to convert the p12 to PEM format and applied them to the ACE. It works either way.

James
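
The passphrase check and the p12-to-PEM conversion discussed in this thread can be done off-box with openssl before importing anything. The script below is an added example, not code posted by anyone in the thread; the function names, file names, sample passphrase and CN are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into PEM files and verify the pair.
# The passphrase is read from the P12_PASS environment variable so it does
# not appear in the process list or shell history.

# p12_to_pem BUNDLE OUTDIR -> writes OUTDIR/cert.pem and OUTDIR/key.pem
p12_to_pem() {
    bundle=$1; outdir=$2
    ( umask 077   # the key file is written unencrypted: owner-only access
      openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nokeys -clcerts \
          -out "$outdir/cert.pem" 2>/dev/null &&
      openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nocerts -nodes \
          -out "$outdir/key.pem" 2>/dev/null )
}

# key_matches_cert CERT KEY -> exit 0 when both hold the same public key
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_sample_p12 DIR -> constructed self-signed bundle DIR/sample.p12
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=staging.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:P12_PASS -out "$1/sample.p12" 2>/dev/null
}

# check_bundle BUNDLE -> 0 if the passphrase opens it and key matches cert
check_bundle() {
    tmp=$(mktemp -d) || return 1
    p12_to_pem "$1" "$tmp" && key_matches_cert "$tmp/cert.pem" "$tmp/key.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# demo -> runs the checks on a constructed bundle (sample passphrase)
demo() {
    dir=$(mktemp -d) || return 1
    export P12_PASS='constructed-sample-pass'
    make_sample_p12 "$dir" && check_bundle "$dir/sample.p12"; rc=$?
    rm -rf "$dir"; return $rc
}
demo && echo "constructed bundle: passphrase accepted, key matches cert"
```

On OpenSSL 3.x, bundles created by older tools may additionally need the `-legacy` option on the `openssl pkcs12` commands. Delete the extracted `key.pem` once it is no longer needed, since it is stored without a passphrase.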
