03-16-2009 05:08 AM
When I try to configure ssl-proxy server i get error message as below.
Advice will be greatly appreciated.
GIN/Admin(config-pmap-c)# ssl-proxy server <name>
Error: ssl-proxy doesn't have a valid key/cert, cannot use it.
gin_cert.PEM:
Subject: <.............htt>
<ps://www.............Class 3 Secure Server CA>
<Issuer: ...............OU=Class 3 Public Primary Certification Authority>
Not Before: Jan 19 00:00:00 2005 GMT
Not After: Jan 18 23:59:59 2015 GMT
CA Cert: TRUE
gin_sa.PEM:
Subject: <..............imap...>
Issuer: <.......................http>
<s://.............................. Class 3 Secure Server CA>
Not Before: Mar 5 00:00:00 2009 GMT
Not After: Mar 5 23:59:59 2011 GMT
CA Cert: FALSE
The above two certs are chained, and sh command for key files displays some text, apparently indicating key file is ok.
03-16-2009 08:06 AM
Hi,
The SSL should be defined with the following syntax
ssl-proxy service <_NAME_>
key MY_KEY.PEM
cert MY_CERT.crt
ssl advanced-options SSL_PARAMS
exit
where MY_CERT's csr was generated from MY_KEY
Regards
03-16-2009 09:04 AM
Luther,
I'm trying to configure chaingroup as I have an intermediate certificate to add to the configs.
I noticed that, even with the terminal copy/paste method, I needed the original passphrase for the key.PEM file. Should I include the passphrase with the root and intermediate .PEM files?
And is there a special way to apply a chaingroup? As I write, I noticed that I should not include the root file within the chain group, only the intermediate file.
Further, we did not use the ACE to generate the CSR. Should I configure the CSR values on the ACE too, or would the key, root and intermediate files already have that information, for SSL termination?
Any pointers to sample configs with a chaingroup and SSL termination would help.
Kind regards
Sinnathurai
03-17-2009 03:17 AM
Go from simple config to more complex.
You don't need the chaingroup initially.
So, just configure the key and your cert under the ssl-proxy.
See if that works.
Then, configure a chaingroup and add it to your existing config.
Gilles.
07-11-2011 08:05 AM
Hello Gilles,
Once I have verified that the key/cert pair on the ssl-proxy service works properly, do you think the error is in the root certificate of the chaingroup?
Thank you
Max
07-12-2011 03:47 AM
Hi Max,
How did you import your certificate? Is it in PKCS12 format, or did you import each file separately? Have you verified the cert and the key files?
The chain group is needed when you have an intermediate certificate, so that the ACE will send the client both the intermediate cert and the root cert, and you need to apply it under the ssl-proxy service; but this should not cause the error message you are getting. If you have an intermediate cert and you did not apply the chain group under the ssl-proxy service, your clients will still be able to connect, but they will get a certificate error, and if they accept the cert they will connect. So my advice is not to jump on the chain group issue, and to make sure you have the correct certs.
Best regards,
Ahmad
07-12-2011 07:34 AM
Hi Ahmad, first of all, thank you for your help.
I imported both the CA root certificate (let's call it rootcert) and my certificate (mycert) via the terminal separately, because I was unable to merge them into a single file (as I have always done with the CSS). So I created a chaingroup (mychain):
crypto chaingroup mychain
cert mycert
cert rootcert
mycert and its key (mykey) match.
If I use mycert and mykey in the ssl-proxy service, I get the warning message in the browser because the client cannot find the CA certificate.
If I configure the ssl-proxy service this way:
ssl-proxy service test
key mykey
chaingroup mychain
I get the error above after the "chaingroup" statement.
The rootcert I imported is the one I have always used with my old CSS, without problems.
Any help will be appreciated. If you can suggest how to merge the CA root certificate and my certificate into a single file, I'll be happy to leave the chaingroup method. I always put the root certificate before my certificate.
Regards,
Max.
07-12-2011 07:52 AM
Hi Max,
Remove "mycert" from the chaingroup configuration and keep only the root certificate, then add the chaingroup under the ssl-proxy service.
Ex:
crypto chaingroup mychain
cert rootcert
ssl-proxy service test
key mykey
cert mycert
no chaingroup mychain
chaingroup mychain
Then test the functionality.
Best regards,
Ahmad
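As an added example that is not from this thread and not Cisco ACE code, the POSIX shell script below uses openssl to run, off the box, the three checks the replies above turn on: whether the private key really belongs to the server certificate (the "doesn't have a valid key/cert" case), whether the server certificate reaches the trusted root with and without the intermediate the chaingroup would carry (the "browser warning" case), and whether a single-file bundle is in the order a TLS server must send it. The PKI it builds, the file names (mykey.pem, mycert.pem, intermediate.crt, root.crt, bundle.pem) and the host name imap.example.test are all constructed for the example and are assumptions, not anything from the original posts.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco ACE code). Everything under $WORK is
# a constructed throwaway PKI: root -> intermediate ("Secure Server CA") -> server leaf.
# The file names and the host name imap.example.test are assumptions for the demo.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

gen_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/leaf.ext"
    # Self-signed root, explicitly marked CA:TRUE through the extension file.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA (constructed)" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
    # Intermediate signed by the root: this is what belongs in the chaingroup.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Secure Server CA (constructed)" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -sha256 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" >/dev/null 2>&1 || return 1
    # Server certificate (mycert/mykey in the thread's naming), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=imap.example.test" \
        -keyout "$WORK/mykey.pem" -out "$WORK/mycert.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -sha256 -in "$WORK/mycert.csr" \
        -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/mycert.pem" >/dev/null 2>&1 || return 1
}

# Check 1: the public key inside the certificate must equal the one derived from the
# private key. A key protected by a passphrase needs -passin here (the thread hit that on import).
key_matches_cert() {
    pub_from_key="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    pub_from_cert="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ "$pub_from_key" = "$pub_from_cert" ]
}

# Check 2: does the server certificate ($1) reach the trusted root ($2)? The optional $3 is
# the intermediate bundle the ACE would send from the chaingroup; omit it to see what a
# client sees when no chaingroup is applied.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Split a PEM bundle ($1) into $2/part.1, part.2, ... and print how many certificates it held.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/part.%d", dir, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$1"
}

# Check 3: a single-file bundle in the order a TLS server must send it (RFC 5246 section
# 7.4.2): the server certificate first, each following certificate the issuer of the previous one.
bundle_in_handshake_order() {
    dir="$(mktemp -d "$WORK/split.XXXXXX")"
    n="$(split_pem "$1" "$dir")"
    [ "$n" -ge 1 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer="$(openssl x509 -in "$dir/part.$i" -noout -issuer)"
        subject="$(openssl x509 -in "$dir/part.$((i + 1))" -noout -subject)"
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

gen_test_pki || { echo "could not build the constructed PKI (is openssl installed?)" >&2; exit 1; }
# Single-file form of server cert plus chaingroup content, in handshake order.
cat "$WORK/mycert.pem" "$WORK/intermediate.crt" > "$WORK/bundle.pem"

if key_matches_cert "$WORK/mykey.pem" "$WORK/mycert.pem"; then
    echo "mykey/mycert: key and certificate match"
fi
if ! verify_chain "$WORK/mycert.pem" "$WORK/root.crt"; then
    echo "mycert alone: chain incomplete, a client would warn"
fi
if verify_chain "$WORK/mycert.pem" "$WORK/root.crt" "$WORK/intermediate.crt"; then
    echo "mycert + intermediate: chain verifies to the root"
fi
bundle_in_handshake_order "$WORK/bundle.pem" && echo "bundle.pem is in handshake order"
```

To use it on real material, replace the constructed files with your own key, server certificate and the intermediate you intend to put in the chaingroup. If check 1 fails, no chaingroup will cure the "valid key/cert" error, which is why the replies above insist on verifying the pair first; if check 2 passes only with the intermediate supplied, the chaingroup (carrying that intermediate) is exactly what the client was missing.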
07-12-2011 08:00 AM
Hi Ahmad,
Thank you very much; now I see where I was wrong, and it accepts my statements.
Once I am able to test the service, I'll post my feedback here.
Thank you again
Max
07-14-2011 03:43 AM
Hi Ahmad,
I can confirm the chaingroup you suggested works great!
Thank you so much for your help.
Max