Certificate order for SSL ChainGroup on ACE

sez sharp
Level 1

Hi,

I am trying to determine the correct order for listing intermediate certs in a chain group on the ACE.

In the URL

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp999546

"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order."

However, I cannot find any reference to what 'the correct order' is.

For example, for a Thawte SSL cert the chain could include:

THAWTE_PREMIUM_SERVER_CA    (normally in the list of browser root CAs but might not be on a mobile device)

- THAWTE_PRIMARY_ROOT_CA

    - THAWTE_SSL_CA

       - ISSUED_CERT

So for a mobile-device-friendly chaingroup, is the correct order "big-endian":

chaingroup THAWTECHAIN
  cert THAWTE_PREMIUM_SERVER_CA.CER
  cert THAWTE_PRIMARY_ROOT_CA.CER
  cert THAWTE_SSL_CA.CER

Or is the correct order "little-endian":

chaingroup THAWTECHAIN
  cert THAWTE_SSL_CA.CER
  cert THAWTE_PRIMARY_ROOT_CA.CER
  cert THAWTE_PREMIUM_SERVER_CA.CER

thanks,

Sez


4 Replies

ciscocsoc
Level 4

Hi Sez,

The preferred order is:

Issued Cert

Intermediates

Root

HTH

Cathy
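As an added example (not from this thread, Cisco, or the ACE software), here is a small Python script that applies the order Cathy gives: it links each certificate's issuer to the next certificate's subject, reports a bundle that is not one unbroken chain, and renders the result as an ACE chaingroup. The Cert records, their subject/issuer labels and the chaingroup name are constructed from the hierarchy in the question, not read from real certificate files; in practice the subject and issuer strings would come from `openssl x509 -noout -subject -issuer -in FILE`.

```python
"""Order certificates leaf -> intermediates -> root by matching each
certificate's issuer to the next certificate's subject, then render the
result as a Cisco ACE chaingroup.  Added example: the Cert records below are
constructed from the hierarchy given in the question, not parsed from real
certificate files."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str      # file name as imported on the ACE, e.g. THAWTE_SSL_CA.CER
    subject: str   # subject DN (in practice: openssl x509 -noout -subject -in FILE)
    issuer: str    # issuer DN  (in practice: openssl x509 -noout -issuer  -in FILE)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs: List[Cert], require_root: bool = True) -> List[Cert]:
    """Return the bundle ordered leaf first, root last.

    The leaf is the one certificate whose subject issues nothing else in the
    bundle.  Raises ValueError when the bundle is not a single unbroken chain:
    no leaf, more than one leaf (an unrelated certificate mixed in), a loop,
    or a missing issuer (unless require_root=False, in which case the ordered
    partial chain is returned so the caller can see where it stops).
    """
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("bundle contains two certificates with the same subject")
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")

    chain = [leaves[0]]
    seen = {leaves[0].subject}
    while not chain[-1].self_signed:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            if require_root:
                raise ValueError(
                    f"chain broken at {chain[-1].name}: no certificate in the bundle "
                    f"has subject {chain[-1].issuer!r}")
            break
        if parent.subject in seen:
            raise ValueError("loop detected in issuer links")
        chain.append(parent)
        seen.add(parent.subject)
    return chain


def chain_problem(certs: List[Cert]) -> Optional[str]:
    """Return the ordering error for a bundle, or None if it is a clean chain."""
    try:
        order_chain(certs)
    except ValueError as exc:
        return str(exc)
    return None


def ace_chaingroup(name: str, chain: List[Cert]) -> str:
    """Render an ACE chaingroup from an ordered chain.

    The leaf is referenced by the ssl-proxy service's own 'cert' line, so the
    chaingroup lists only the certificates above it, leaf side first: the
    intermediate closest to the leaf, then the rest, then the root.
    """
    lines = [f"chaingroup {name}"]
    lines += [f"  cert {c.name}" for c in chain[1:]]
    return "\n".join(lines)


# Constructed sample bundle, deliberately out of order.  The subject/issuer
# strings are labels made up for this example, not real Thawte DNs.
BUNDLE = [
    Cert("THAWTE_PRIMARY_ROOT_CA.CER", "Thawte Primary Root CA", "Thawte Premium Server CA"),
    Cert("ISSUED_CERT.CER", "www.example.com", "Thawte SSL CA"),
    Cert("THAWTE_PREMIUM_SERVER_CA.CER", "Thawte Premium Server CA", "Thawte Premium Server CA"),
    Cert("THAWTE_SSL_CA.CER", "Thawte SSL CA", "Thawte Primary Root CA"),
]

if __name__ == "__main__":
    ordered = order_chain(BUNDLE)
    print(" -> ".join(c.name for c in ordered))
    print(ace_chaingroup("THAWTECHAIN", ordered))
```

Run on the sample bundle it prints the leaf first and a chaingroup listing THAWTE_SSL_CA.CER, THAWTE_PRIMARY_ROOT_CA.CER and THAWTE_PREMIUM_SERVER_CA.CER in that order, i.e. the "little-endian" variant from the question. Removing THAWTE_PRIMARY_ROOT_CA.CER from the bundle makes order_chain stop at THAWTE_SSL_CA.CER and name the missing issuer, which is the check to run before blaming a mobile client for an "unable to verify" error.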

Thanks for the quick answer Cathy

I was also wondering if on the ACE you could use a crypto import to import a full PEM cert/key "file",

i.e. a PEM that not only contained the cert/key pair but also all the intermediate and root certs as well.

If this crypto import was done to, say, MYCERT.PEM, then on the ACE ssl-proxy service you could just reference this file and not require a separate chaingroup listing? i.e.:

ssl-proxy service MY-SSL-SERVICE
  key MYCERT.PEM
  cert MYCERT.PEM

This was the setup on CSSs - wondering if the same is true for ACE (but I have not had the opportunity to try it out yet).

rgds, Sez

Only if you use a PKCS12 format file. See

https://supportforums.cisco.com/message/3141328#3141328 for more details.

Cathy

Thanks for pointing that one out Cathy

- I had fallen for that old trap of believing the doco, which still says PEM only :-)

About time that doco got fixed up if the ACE has always supported PKCS / DER / PEM and we're on f/w ver A5 now...!

thanks again,

Sez
