04-20-2012 08:50 AM
Hi,
I am trying to determine the correct order for listing intermediate certs in a chain group on the ACE.
In the URL
"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order."
However, I cannot find any reference to what 'the correct order' is.
For example, for a Thawte SSL cert the chain could include:
THAWTE_PREMIUM_SERVER_CA (normally in the list of browser root CAs, but might not be on a mobile device)
- THAWTE_PRIMARY_ROOT_CA
- THAWTE_SSL_CA
- ISSUED_CERT
So for a mobile-device-friendly chaingroup, is the correct order "big-endian":
chaingroup THAWTECHAIN
cert THAWTE_PREMIUM_SERVER_CA.CER
cert THAWTE_PRIMARY_ROOT_CA.CER
cert THAWTE_SSL_CA.CER
Or is the correct order "little-endian":
chaingroup THAWTECHAIN
cert THAWTE_SSL_CA.CER
cert THAWTE_PRIMARY_ROOT_CA.CER
cert THAWTE_PREMIUM_SERVER_CA.CER
thanks,
Sez
04-20-2012 09:33 AM
Hi Sez,
The preferred order is:
Issued Cert
Intermediates
Root
HTH
Cathy
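The leaf-first order Cathy describes can be derived mechanically from each certificate's subject and issuer names. The script below is an added illustration, not code from this thread, Cisco or the ACE; the Thawte hierarchy it uses is constructed for the example (the subject/issuer strings would normally come from `openssl x509 -noout -subject -issuer -in <file>`).

```python
# Order a bag of certificates as: issued cert, intermediates, root.
# Pure-Python illustration (not ACE/Cisco code); subject and issuer strings
# are assumed to have been read from the certificate files beforehand.
from typing import Dict, List, Optional, Tuple

Cert = Tuple[str, str, str]  # (filename, subject, issuer)

# Constructed sample, listed in the "big-endian" order from the question.
# The hierarchy is assumed for illustration only.
SAMPLE_CHAIN: List[Cert] = [
    ("THAWTE_PREMIUM_SERVER_CA.CER", "CN=Thawte Premium Server CA",
     "CN=Thawte Premium Server CA"),                       # self-signed root
    ("THAWTE_PRIMARY_ROOT_CA.CER", "CN=thawte Primary Root CA",
     "CN=Thawte Premium Server CA"),                       # cross-signed root
    ("THAWTE_SSL_CA.CER", "CN=Thawte SSL CA", "CN=thawte Primary Root CA"),
    ("ISSUED_CERT.CER", "CN=www.example.com", "CN=Thawte SSL CA"),
]


def order_chain(certs: List[Cert]) -> List[str]:
    """Return filenames leaf-first: issued cert, intermediates, then root."""
    by_subject: Dict[str, Cert] = {}
    for cert in certs:
        if cert[1] in by_subject:
            raise ValueError(f"duplicate subject: {cert[1]}")
        by_subject[cert[1]] = cert
    # Names that issue some *other* cert in the bag; the leaf is the one
    # certificate that issues nothing.
    issuers = {iss for _, subj, iss in certs if iss != subj}
    leaves = [c for c in certs if c[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf, found {[c[0] for c in leaves]}")
    ordered: List[str] = []
    seen = set()
    cert: Optional[Cert] = leaves[0]
    while cert is not None:
        name, subject, issuer = cert
        if subject in seen:
            raise ValueError(f"issuer loop at {name}")
        seen.add(subject)
        ordered.append(name)
        if issuer == subject:          # reached a self-signed root: done
            break
        cert = by_subject.get(issuer)  # None: issuer not in bag, chain ends
    return ordered


if __name__ == "__main__":
    for filename in order_chain(SAMPLE_CHAIN):
        print(f"cert {filename}")
```

If the root is left out of the bag (it usually lives in the client's trust store), the walk simply stops at the last intermediate.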
04-20-2012 09:45 AM
Thanks for the quick answer, Cathy.
I was also wondering if on the ACE you could use a crypto import to import a full PEM cert/key "file",
i.e. a PEM that not only contained the cert/key pair but also all the intermediate and root certs as well.
If this crypto import was done to, say, MYCERT.PEM, then on the ACE ssl-proxy service you could just reference this file and not require a separate chaingroup listing, i.e.:
ssl-proxy service MY-SSL-SERVICE
key MYCERT.PEM
cert MYCERT.PEM
This was the setup on the CSS - wondering if the same is true for the ACE (but have not had the op to try it out yet).
rgds, Sez
04-23-2012 01:22 AM
Only if you use a PKCS12 format file. See
https://supportforums.cisco.com/message/3141328#3141328 for more details.
Cathy
04-23-2012 03:33 AM
Thanks for pointing that one out, Cathy
- I had fallen for that old trap of believing the doco, which still says PEM only :-)
About time that doco got fixed up if the ACE has always supported PKCS / DER / PEM and we're on f/w ver A5 now...!
thanks again,
Sez