SSL proxy using p12 certificate file

liangzheng
Level 1

Hi,

I am configuring SSL termination for an e-commerce site. The only certificate and key file for the site is in .p12 format. I have successfully imported the file in the ACE context:

Tor-ACE/StagingFrontEnd-LB# sh crypto files

Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                      5066  PKCS12  No         BOTH

Tor-ACE/StagingFrontEnd-LB# 

However, when I configured this cert and key in the SSL proxy service, the SSL proxy server didn't work. When I changed the cert and key file to the Cisco sample file, it worked.

Any help will be appreciated.

James

1 Accepted Solution

Accepted Solutions

Pablo
Cisco Employee

James/Chris,

Just to clarify, the ACE has supported PKCS12 from the very beginning, on either the APP or the MOD.

Sounds like your problem could be either that:

You only associated the file once under the SSL service. The file needs to be associated with both the cert and the key, using the same name:

ssl-proxy service VIP
  key secure.seOOOO.ca.p12
  cert secure.seOOOO.ca.p12

Or you didn't specify the cert passphrase when importing the file:

switch/Admin# show crypto file
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                     5066  PKCS12    No       BOTH

ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10 secure.seOOOO.ca.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.

Hope this helps.


Pablo




3 Replies

cpomeroy
Level 1

James,

In order for the ACE to terminate SSL, the certs/key need to be in PEM format. Please see the attached configuration guide for SSL.

Thanks

Chris

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/certkeys.html#wp1052415

Thanks guys,

I got it to work. The ACE does accept the p12 certificate and key file. It was a configuration problem on the web servers. I also tried using the openssl command to convert the p12 to PEM format and applied them to the ACE. It works either way.

James
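As an added example that is not part of this thread or of Cisco's code: the openssl conversion James mentions, written as a small POSIX shell helper that also checks, on the workstation side, the two failure modes Pablo lists (the bundle must open with its passphrase, and the private key must pair with the certificate before both are associated under the ssl-proxy service). It assumes `openssl` on the PATH; the host name secure.example.test, the file names and the self-signed fixture are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the ACE docs): split a PKCS#12 bundle
# into PEM files and prove the key belongs to the cert before loading either.
set -eu

# p12_to_pem <bundle.p12> <passphrase> <outdir>
# Succeeds only if the bundle opens with that passphrase AND the private
# key matches the public key in the end-entity certificate.
p12_to_pem() {
  p12=$1; pass=$2; out=$3
  mkdir -p "$out"
  # -clcerts: only the end-entity cert; a wrong passphrase fails here first.
  # Bundles exported by older tools (RC2/3DES) need "-legacy" on OpenSSL 3.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
      -out "$out/cert.pem" 2>/dev/null \
      || { echo "cannot open $p12: wrong passphrase or not PKCS#12" >&2; return 1; }
  # Intermediate/root certs, if the bundle carries any (file may be empty).
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
      -out "$out/chain.pem" 2>/dev/null || :
  # -nodes writes the key unencrypted, so restrict the file immediately.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
      -out "$out/key.pem" 2>/dev/null
  chmod 600 "$out/key.pem"
  # Compare public keys (works for RSA and EC) rather than trusting file names.
  cert_pub=$(openssl x509 -in "$out/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$out/key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
      || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$out/cert.pem" -noout -subject -enddate
}

# Constructed fixture: a throwaway self-signed cert and key, bundled into a
# passphrase-protected PKCS#12 (hypothetical name secure.example.test).
make_test_bundle() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=secure.example.test" \
      -keyout "$dir/src-key.pem" -out "$dir/src-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/src-cert.pem" -inkey "$dir/src-key.pem" \
      -passout "pass:$pass" -out "$dir/bundle.p12"
}

# Demo run on the fixture: prints subject and expiry of the extracted cert.
work=$(mktemp -d)
make_test_bundle "$work" 'password123'
p12_to_pem "$work/bundle.p12" 'password123' "$work/pem"
rm -rf "$work"
```

The resulting cert.pem and key.pem are what you would import separately on a device that only accepts PEM; a non-empty chain.pem goes in as the chain group.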