10-11-2011 05:15 AM
Hello,
Is it possible to renew an SSL certificate on ACE without interrupting the SSL offloading service? Can I just swap the certificate files and expect ACE to pick up the new certificates without removing the ssl proxy-server and reapplying it to the policy-map?
thanks,
WM
10-12-2011 01:18 AM
I don't think it is possible. You should disable SSL and then re-enable it after putting the new cert in place.
10-12-2011 02:10 AM
Hi,
I guess the new ACE software supports graceful cert renewal, wherein the new conns will take the new cert while the existing conns will still be served from the old cert.
-
Siva
10-12-2011 03:43 AM
I agree with Siva.
You can follow:
The following is from the above link:
To upgrade an SSL certificate without disrupting active SSL sessions or pending SSL sessions, use the following steps:
Step 1 Import the new SSL certificate using the crypto import command in Exec mode and save it with a new name. See the "Importing Certificate and Key Pair Files" section. For example, to import a certificate from an SFTP server, enter the following command:
host1/Admin# crypto import non-exportable sftp 1.1.1.1 JOESMITH /USR/CERTS/MY_CERT.PEM MY_NEW_CERT.PEM
Password: ********
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
#
Successfully imported file from remote server.
host1/Admin#
Step 2 While the SSL proxy service is actively processing flows, change the certificate file association within the SSL proxy service to the new certificate by using the cert command in SSL proxy configuration mode. See the "Specifying the Certificate" section in Chapter 3, Configuring SSL Termination.
For example, to associate the certificate in the MY_NEW_CERT.PEM certificate file with the PSERVICE_SERVER SSL proxy service, enter the following commands:
host1/Admin(config)# ssl-proxy service PSERVICE_SERVER
host1/Admin(config-ssl-proxy)# cert MY_NEW_CERT.PEM
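The two-step procedure quoted above only works cleanly when the renewed certificate was issued for the key pair the ssl-proxy service already references with its key command; if the CA issued it against a freshly generated key, the new key has to be imported too and the key association changed along with cert, otherwise the swap fails. The following is an added pre-flight check to run on the admin workstation before the crypto import in Step 1; it is not code from the thread, from Cisco, or from the ACE, and it uses Go's standard library rather than anything on the module. It assumes the renewed certificate and the existing key are PEM files (as the MY_NEW_CERT.PEM example suggests), that www.example.com is the name clients use to reach the VIP, and a 30-day minimum remaining validity; the certificate and key it generates are constructed test material standing in for what a CA would return.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Preflight checks a renewed certificate (PEM) against the private key the
// ssl-proxy service already uses, before anything is pushed with crypto import.
// It rejects a key/cert mismatch, a cert not yet valid or expiring within
// minValidity, and a cert whose names do not cover vipHost (the VIP's hostname).
func Preflight(certPEM, keyPEM []byte, vipHost string, now time.Time, minValidity time.Duration) error {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return errors.New("cert: no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return fmt.Errorf("cert: %w", err)
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return errors.New("key: no PEM block found")
	}
	priv, err := parsePrivateKey(kb)
	if err != nil {
		return fmt.Errorf("key: %w", err)
	}
	// The key and cert on the service must be a matching pair; a renewal issued
	// against a freshly generated CSR/key is the usual way this silently breaks.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(priv.Public()) {
		return errors.New("key: certificate was not issued for this private key (import the new key and change `key` as well as `cert`)")
	}
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("cert: not valid before %s", cert.NotBefore.UTC().Format(time.RFC3339))
	}
	if cert.NotAfter.Before(now.Add(minValidity)) {
		return fmt.Errorf("cert: expires %s, less than %s away", cert.NotAfter.UTC().Format(time.RFC3339), minValidity)
	}
	if err := cert.VerifyHostname(vipHost); err != nil {
		return fmt.Errorf("cert: %w", err)
	}
	return nil
}

// parsePrivateKey accepts the two PEM key encodings a CA or openssl usually hands over.
func parsePrivateKey(b *pem.Block) (crypto.Signer, error) {
	k, err := x509.ParsePKCS8PrivateKey(b.Bytes) // "BEGIN PRIVATE KEY"
	if err != nil {
		k, err = x509.ParseECPrivateKey(b.Bytes) // "BEGIN EC PRIVATE KEY"
	}
	s, ok := k.(crypto.Signer)
	if err != nil || !ok {
		return nil, errors.New("not a supported PKCS#8 or SEC 1 private key")
	}
	return s, nil
}

// makeCertAndKey produces constructed test material: a throwaway P-256 key and a
// self-signed certificate for host, standing in for the files a CA would return.
func makeCertAndKey(host string, notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	now, year := time.Now(), 365*24*time.Hour
	cert, key, _ := makeCertAndKey("www.example.com", now.Add(-time.Hour), now.Add(year))
	_, otherKey, _ := makeCertAndKey("www.example.com", now.Add(-time.Hour), now.Add(year))
	fmt.Println("existing key:", Preflight(cert, key, "www.example.com", now, 30*24*time.Hour))
	fmt.Println("other key:", Preflight(cert, otherKey, "www.example.com", now, 30*24*time.Hour))
}
```

Run it with the real MY_NEW_CERT.PEM and the key file already on the ACE before Step 1; only a nil result means the cert command in Step 2 will be swapping in a certificate that actually belongs to the configured key. Two things to keep in mind: the name check uses Go's VerifyHostname, which only looks at subjectAltName entries and ignores a CN-only certificate, so an old-style certificate with no SAN will be reported as not covering the VIP even though clients of that era would have accepted it; and if your ACE release has a crypto verify command, running it on the module against the imported files is a second, independent key/cert match check.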
10-12-2011 04:03 AM
Many thanks guys, we'll think about upgrading our ACEs.
WM