topic Certificate order for SSL ChainGroup on ACE in Application Networking

Certificate order for SSL ChainGroup on ACE

sez sharp — Fri, 20 Apr 2012 15:50:16 GMT

Hi,

Am trying to determine the correct order for listing intermeadiate certs in a chain group on the ACE

In the URL

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp999546

"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order. "

However I can not find any reference to what is ' the correct order '

For example for an Thawte SSL cert the chain could include

THAWTE_PREMIUM_SERVER_CA (normaly in list of browser root CA's but might not be on mobile device)

- THAWTE_PRIMARY_ROOT_CA

- THAWTE_SSL_CA

- ISSUED_CERT

So for a mobile devices freindly chaingroup is the correct order "big-endian"

chaingroup THAWTECHAIN

cert THAWTE_PREMIUM_SERVER_CA.CER

cert THAWTE_PRIMARY_ROOT_CA.CER

cert THAWTE_SSL_CA.CER

Or is the correct order "little-endian"

chaingroup THAWTECHAIN

cert THAWTE_SSL_CA.CER

cert THAWTE_PRIMARY_ROOT_CA.CER

cert THAWTE_PREMIUM_SERVER_CA.CER

thanks,

Sez

Certificate order for SSL ChainGroup on ACE

ciscocsoc — Fri, 20 Apr 2012 16:33:08 GMT

Hi Sez,

The preferred order is:

Issued Cert

Intermediates

Root

HTH

Cathy

Certificate order for SSL ChainGroup on ACE

sez sharp — Fri, 20 Apr 2012 16:45:15 GMT

Thanks for the quick answer Cathy

Wwas also wondering if on the ACE you could use a crypto import to import a full PEM cert/key "file"

i.e. a PEM that not only contained the cert/key pair but also all the intermediate and root certs as well

If this crypto import was done to say MYCERT.PEM Then on the ACE ssl-proxy service you could just reference this file and not require a seperate chaingroup listing? i.e.: -

ssl-proxy service MY-SSL-SERVICE

key MYCERT.PEM

cert MYCERT.PEM

This is was the setup on CSS's - wondering is same true for ACE (but not had op to try out yet)

rgds, Sez

Certificate order for SSL ChainGroup on ACE

ciscocsoc — Mon, 23 Apr 2012 08:22:59 GMT

Only if you use a PKCS12 format file. See

https://supportforums.cisco.com/message/3141328#3141328 for more details.

Cathy

Certificate order for SSL ChainGroup on ACE

sez sharp — Mon, 23 Apr 2012 10:33:24 GMT

Thanks for pointing that one out Cathy

- I had fallen for that old trap of believing the doco which still says PEM only 🙂

About time that doco got fixed up if the ACE has always supported PKCS / DER / PEM and we're on f/w ver A5 now...!

thanks again,

Sez