Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
851
Views
0
Helpful
3
Replies

ACE WAF - intermediate certificate

Go to solution
Martin Kyrc
Level 3
Level 3

‎12-14-2012 01:33 AM

Hello,

I have SSL terminated on ACE WAF. New certificate for service is generated with intermediate certificate and for clients is untrusted. Is it possible import CA chain for intermediate certificate on WAF (how?) or is it not possible? I can't find no information about intermediate cert chain import on WAF.

WAF version: 6.0.3

--

martin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nicolas Fournier
Cisco Employee
Cisco Employee

‎12-17-2012 11:16 AM

Hi Martin,

You should be able to import the root/intermediate certificates from Resources > Trusted Certificate Authorities.

Once it is done, the WAF should automagically add them to the chain once a client connect.

In case it does not, this is most then likely due to the following bug:

CSCsx19437    If "SSLVerifyClient" global setting is set to "none", an AXG acting.

Apply the workaround described in the release note of the bug and it will hopefully work:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx19437

Other option would be to go to 6.1.1 where it is fixed.

Regards,

Nicolas

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nicolas Fournier
Cisco Employee
Cisco Employee

‎12-17-2012 11:16 AM

Hi Martin,

You should be able to import the root/intermediate certificates from Resources > Trusted Certificate Authorities.

Once it is done, the WAF should automagically add them to the chain once a client connect.

In case it does not, this is most then likely due to the following bug:

CSCsx19437    If "SSLVerifyClient" global setting is set to "none", an AXG acting.

Apply the workaround described in the release note of the bug and it will hopefully work:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx19437

Other option would be to go to 6.1.1 where it is fixed.

Regards,

Nicolas

0 Helpful

Go to solution
Martin Kyrc
Level 3
Level 3
In response to Nicolas Fournier

‎12-18-2012 01:45 AM

Thank you Nicolas for reply. I have uploaded all necessary 'Trusted Certificate Authority'. Where can I find 'SSLVerifyClient' settings?

regards,

Martin

0 Helpful

Go to solution
Martin Kyrc
Level 3
Level 3
In response to Nicolas Fournier

‎12-18-2012 02:37 AM

Nicolas,

thank you for tip with SSLVerifyClient (I found it in configuration). Now it is working. Thank you!

--

martin

0 Helpful
Customers Also Viewed These Support Documents