Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Configuring SSL certificate on CSS 11500

Trying to set up a transparent SSL proxy from our CSS 11503 to 3 Microsoft IIS6 servers. Don't need sticky sessions as we are using an IMDB on a secondary network on the web servers so hitting any one will preserve session. All traffic uses SSL, no HTTP allowed.

Did the following:

1) ssl genrsa RSAkey1 1024 "pwd"

2) ssl associate rsakey RSA1 RSAkey1

3) ssl gencsr RSAkey1

4) copied CSR into Verisign MPKI portal and selected Microsoft as the OS (LB 3 IIS6 servers)

5) Concatenate Verisign Intermediate with cert returned from step 4

6) copy ssl sftp ssl_record import chainedcsrt.cer PEM "pwd"

7) ssl associate cert Cert1 chainedcert.cer


%% Not a valid key or certificate file

Tried with just base cert received from step 4 and get same error.

However, if I export one of the certs and private key from one of the Windows 2003 servers import it. This works:

1) copy ssl sftp ssl_record import mycert.pfx PKCS12 "pwd" "pwd"

2) ssl associate cert Cert1 mycert.pfx

3) ssl associate rsakey RSA1 mycert.pfx

show ssl assoc indicates all is well.

How do I install a cert generated entirely from the CSS by submitting the csr to Verisign? Do I need to pick a different OS option? There is nothing listed for a CSS although there are options for other load balancers...




Re: Configuring SSL certificate on CSS 11500

May be you enable the unwanted things make sure ie passphare etc.

New Member

Re: Configuring SSL certificate on CSS 11500

I should also add that prior to this I ran through the same 7 steps above but in step (4) I used a Microsoft Windows Server 2003 Certificate Server to submit the CSR generated from the CSS and in step (5) I concatenated the root CA from the Certificate Server with the certificate generated from the CSR and successfully imported, set up the ssl associations, ssl-proxy-list, and had a working VIP.

Doing this validated the documented Cisco process but this same process fails when using the Verisign Managed PKI portal and I have yet to discover why.

I also tried changing the order of concatenation but that gave the same error.

New Member

Re: Configuring SSL certificate on CSS 11500


You could try to pick the Sonicwall OS Option on verisign. We were able to use the CSR (generated from the CSS) using this option.

CreatePlease to create content