09-19-2008 10:04 AM
Hi,
Can someone explain what the SSL proxy service is used for?
Also, please give a one liner description of the below entries.
ssl-proxy service PSERVICE_SERVER
key ACEKEY.PEM
cert ACEIDM-CERT.PEM
chaingroup CISCOSSLCA-group
ssl advanced-options PARAMMAP_SSL
Lastly, why is the PEM extension used for the certificate? Can other extensions be used as well, like CER etc.?
Thanks.
09-19-2008 01:39 PM
The SSL proxy server is used to define the server certs, intermediate certs (if any, using chaingroup) and RSA key pairs that should be used to offload SSL.
The following is the line-by-line description:
key ACEKEY.PEM <-- Use the RSA key named ACEKEY.PEM to offload requests
cert ACEIDM-CERT.PEM <-- Use this server certificate to offload SSL requests
chaingroup CISCOSSLCA-group <-- Use this chain group to complete the cert chain. This chain group is configured separately and it carries all the intermediate certs needed to complete the certificate chain.
ssl advanced-options PARAMMAP_SSL <-- This SSL type parameter map is also created separately and it includes the supported SSL versions and SSL ciphers
If you don't use an SSL type parameter type, then by default ACE supports all ciphers & all SSL versions.
ACE supports PEM, DER & PKCS12 formats. You can use any extensions as long as the certs follow one of the above-mentioned standards.
Syed
09-20-2008 04:33 AM
Ok.
If we were to use an SSL certificate on an ACE module for, let's say, six months and then we replace the ACE module, can the same certificate be used in the newly installed ACE module or would a new SSL certificate be required?
Thanks.
09-20-2008 05:07 AM
No worries..
You can export the RSA key pair and certificates from one ACE and import them to another ACE.
Syed
09-22-2008 05:27 AM
In reference to your previous post, does the SSL proxy service need to be a dedicated server to hold the server certificates?
09-22-2008 11:46 AM
It's just a configuration object defined on ACE that holds the relevant SSL objects (cert, key, cert chain, allowed ciphers...). You can have multiple SSL proxy services that can be used by ACE to offload traffic for different applications.
Syed
10-22-2008 03:30 AM
Hi,
Once I generate the key, how can I list it in the ACE file system?
I believe the key will be added from the local file system on ACE.
Also, it is ok that the key is in PEM format and the Certificate is in DER format.
10-22-2008 10:26 AM
show crypto files
will show you all keys & certs on ACE.
Using OpenSSL you can easily convert PEM-->DER and vice versa.
Syed Iftekhar Ahmed
10-22-2008 10:38 AM
Would you know whether MS IIS - Certificate Authority supports PEM format?
I can only see PKCS and DER.
10-22-2008 11:08 AM
I don't think PEM is supported on IIS.
But you can easily convert these to PEM using OpenSSL.
The following link will give you the needed steps:
http://www.petefreitag.com/item/16.cfm
Syed Iftekhar Ahmed
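The PEM/DER conversion and the mixed-format question from the posts above, as an added example that is not part of the original thread or of Cisco's documentation. It creates a throwaway key and self-signed certificate (constructed test material; the file names and CN are assumptions), converts the certificate between PEM and DER with openssl, identifies the encoding from the file content rather than the extension, and checks that a PEM key and a DER certificate carry the same public key before they are imported anywhere.

```bash
#!/bin/sh
# Added example. File names and the CN are constructed placeholders.
set -eu
umask 077                      # private key material: owner-only files
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: throwaway RSA key and self-signed cert, both PEM.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ace-example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Certificate conversion in both directions.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# Identify the encoding from the file content; the extension is ignored.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
    echo DER
  else
    echo unknown
  fi
}

# A key and a certificate belong together when they carry the same public
# key, whatever encoding each file uses. $1 = PEM key, $2 = DER certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -inform DER -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

make_sample
pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
der_to_pem "$WORK/cert.der" "$WORK/cert-roundtrip.pem"
echo "cert.pem is $(cert_format "$WORK/cert.pem")"
echo "cert.der is $(cert_format "$WORK/cert.der")"
if key_matches_cert "$WORK/key.pem" "$WORK/cert.der"; then
  echo "PEM key matches DER certificate"
else
  echo "key and certificate do not match" >&2
fi
```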