topic Re: SSL proxy using p12 certificate file in Application Networking

SSL proxy using p12 certificate file

liangzheng — Mon, 04 Oct 2010 15:39:37 GMT

Hi,

I am configuring SSL termination for a e-commence site. The only certificate and key file for the site is in .p12 format. I have successfully imported the file in ACE context:

Tor-ACE/StagingFrontEnd-LB# sh crypto files

Filename                                 File File    Expor      Key/
                                         Size Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                      5066 PKCS12 No         BOTH

Tor-ACE/StagingFrontEnd-LB#

However, when I configured this cert and key in SSL proxy service, the SSL proxy server didn't work. When I change the cert and key file to cisco sample file, it was working.

Any help will be appreciated.

James

Re: SSL proxy using p12 certificate file

cpomeroy — Mon, 04 Oct 2010 15:44:46 GMT

James,

In order for the ACE to terminate SSL, the certs/key need to be in PEM format. Please see the attached configuration guide for SSL.

Thanks

Chris

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/certkeys.html#wp1052415

Re: SSL proxy using p12 certificate file

Pablo — Mon, 04 Oct 2010 20:33:39 GMT

James/Chris,

Just to clarify the ACE does support PKCS12 from the very beginning either on the APP or MOD.

Sounds like your problem could be either that:

You only associated the file once under the ssl service. The file needs to be associated with the cert and the key using the same name:

ssl-proxy service VIP
key secure.seOOOO.ca.p12
cert secure.seOOOO.ca.p12

Or you didn't specify the cert passphrase when importing the file:

switch/Admin# show crypto file
Filename                                 File File    Expor      Key/
                                         Size Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                     5066 PKCS12 No       BOTH

ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10 secure.seOOOO.ca.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.

Hope this helps.

__ __

Pablo

Re: SSL proxy using p12 certificate file

liangzheng — Mon, 04 Oct 2010 21:01:09 GMT

Thanks guys,

I got it work. The ACE does accept p12 certificate and key file. It was some configuration problem on web servers. I also have tried use openssl command to convert p12 to pem format and applied them in to ACE. it works either way.

James