Solved: Cisco SSL Services Module (on 6500)

emresumengen · ‎07-22-2012

Hi all,

A customer has asked me a few questions on an SSL Services Module they have (that we haven't sold and have little experience with). I've been reading the documents, but I have some questions and things to verify...

As I can understand, they already have services and trustpoints configured on the module, but with certificates created with a previously-existing internal AD-integrated CA. Now, they want to switch their services to run a certificate they've obtained from a legitimate CA.

1) They are trying to import the new certificate with copy-paste method, through the terminal. As far as I can see, both the server certificate and the CA certificate issuing the server cert. should be in base64 encoded for this to work, right? Or, can we import somehow PKCS or PEM certs thorough the terminal?

2) They would like to use a wildcard certificate for a few of their servers/services they publish. (Like, instead of getting 3 different certificates for service1.domain.com, service2.domain.com and service3.domain.com, they'd like a certificate for *.domain.com which would work for all of the 3 services.) Is this possible? Should they need to change their configuration? (Now I understand that they have different trustpoints, certificates and service configurations for each of the servers...)

I'd really like if some good soul with experience could shed a little light on this...

Or, any leads on documentation (that I may have missed) would also be appreciated.

Thanks in advance,

Emre

chrhiggi · ‎08-10-2012

Good day Emre-

For question 1 - You can import PEM base64 certificates via the terminal only, all other types need to be loaded over tftp/sftp/ftp.

For question 2 - There is nothing special about how the SSLM handles the Issed To field in a certificate, it doesn't matter if it is specifc or wildcard. Multi domain certificates are also ok (using a Subject Alternative Name field.) The only thing I can think of here in terms of a difference is you might have less trustpoints and configuration on you SSLM since you no longer require multiple server certificates.

Outiside of your direct questions, make sure you upload the root and intermediate(s) into the SSLM. It has to be able to complete the SSL chain from server to root in order to operate.

Regards,

Chris Higgins

View solution in original post

chrhiggi · ‎08-10-2012

Good day Emre-

For question 1 - You can import PEM base64 certificates via the terminal only, all other types need to be loaded over tftp/sftp/ftp.

For question 2 - There is nothing special about how the SSLM handles the Issed To field in a certificate, it doesn't matter if it is specifc or wildcard. Multi domain certificates are also ok (using a Subject Alternative Name field.) The only thing I can think of here in terms of a difference is you might have less trustpoints and configuration on you SSLM since you no longer require multiple server certificates.

Outiside of your direct questions, make sure you upload the root and intermediate(s) into the SSLM. It has to be able to complete the SSL chain from server to root in order to operate.

Regards,

Chris Higgins

emresumengen · ‎08-11-2012

Hi Christopher,

Thank you for the information...

I've solved the problems by;

1) Converted the cert file into base64 by using Windows (interestingly Windows/IE certificate viewer has an option to save the certificate with the format you select... Nice). Then we could import it into SSLM.

2) Yes, I now know that's the case... We have succesfully imported a wildcard cert, with only a slight change in Subject Name fields... (But I believe that's related to the CA's requirements.)

And yes, of course we imported the CA cert...

Anyways, thanks again, the customer is working happily now