topic Re: ACE module - end-to-end SSL in Application Networking

ACE module - end-to-end SSL

deephazz02 — Fri, 11 Apr 2008 15:52:26 GMT

Hello,

I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.

I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".

Is there any clear documentation on how to configure an end to end SSL ?

I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.

I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.

Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?

Re: ACE module - end-to-end SSL

Gilles Dufour — Mon, 14 Apr 2008 09:18:06 GMT

before configuring ssl, you need to properly important key and cert.

Can you try with FTP ?

"crypto import ftp 192.168.30.27 cisco key.pem key.pem"

Is your key a pem file ?

Documentation for key management here :

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/ssl/guide/certkeys.html

Gilles.

Re: ACE module - end-to-end SSL

deephazz02 — Mon, 14 Apr 2008 13:10:35 GMT

Hello,

I have a certificate and a key but once imported they failed the verify command.

Actually what I don't understand is what kind of configuration should a I apply for the ACE to behave as a "regular" ssl client.

I imported a cert then generated a key but the key and the cert did not pair (using the crypto verify command)

I am a bit confused with the pocess of generating the key, I thought the creation of the key was a part of the SSL handshake... How could I create a valid key prior to starting a ssl handshake?

Regards,

Thibault.

Re: ACE module - end-to-end SSL

Gilles Dufour — Mon, 14 Apr 2008 13:32:47 GMT

just don't know where to start.

I feel like you do not have the right key/cert.

This would be the very first thing to verify.

Where did you get your key and cert ?

What certificate authority signed your certificate ?

The creation of the session key requires the use of an RSA key pair (private/public).

Every server must have a public and a private key associated with a certificate signed by a certificate authority.

If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.

Maybe you should start be reading on the subject from various article available on the WEB.

openssl is a great tool to generate keys and certficates.

I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.

Then import everything into ACE.

Once you have valid key/cert we can continue with the configuration.

Gilles