12-12-2011 08:36 AM
Dear All,
We have a CSS11506 in which the internal SSL certificate is getting expired.
Please revert on the steps for changing with a new certificate.
Should I generate a new CSR?
Thanks,
12-13-2011 12:22 AM
Hi Mangesh,
Kindly try following steps:
You need the following information to create and upload the CSR:
Country Name (2 letter code)
State or Province (full name)
Locality Name (city) [SomeCity]
Organization Name (company name)
Organizational Unit Name (section) [Web Administration]
Common Name (your domain name) [www.acme.com]
Email address [webadmin@acme.com ]
CSS11500 series switch with Secure Socket Layer (SSL) module
WebNS 7.10 or higher
FTP or Secure FTP (SFTP) server
FTP record configured on the CSS
The information in this document is based on the software and hardware versions below.
CSS11506
WebNS 7.20
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
In this section, you are presented with the information to configure the features described in this document.
Create the public/private key pair. You need to specify the number of bits, a filename, and a password to protect the public/private key pair.
CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"
Warning this operation could take a while
and can cause your console to not respond
while the operation is ongoing
Do you want to continue?, [y/n]:y
CSS11506(config)#
!--- If you issue the show ssl files command, you will
!--- see that the key pair has been created.
CSS11506(config)# show ssl files
File Name File Type File Size
---------------- --------- ------------
rsa1024.pem PEM 887
Associate the key.
CSS11506(config)# ssl associate rsakey test-ssl rsa1024.pem
!--- test-ssl is the name of the association.
View Associations
CSS11506(config)# show ssl associate
Certificate Name File Name Used by List
---------------- --------- ------------
RSA Key Name File Name Used by List
------------ --------- ------------
test-ssl rsa1024.pem no
DH Param Name File Name Used by List
------------- --------- ------------
DSA Key Name File Name Used by List
------------ --------- ------------
Create the CSR.
CSS11506(config)# ssl gencsr test-ssl
!--- test-ssl is the name of the association.
CSS11506(config)# ssl gencsr test-ssl
!--- You will be asked to enter information
!--- that will be incorporated into your certificate
!--- request. What you are about to enter is
!--- called a Distinguished Name or a DN.
!--- For some fields, there will be a default value.
!--- If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]US
State or Province (full name) [SomeState]Massachusetts
Locality Name (city) [SomeCity]Boxborough
Organization Name (company name) [Acme Inc]Testing SSL
Organizational Unit Name (section) [Web Administration]SSL Admin
Common Name (your domain name) [www.acme.com]www.testingssl.com
Email address [webadmin@acme.com ]webadmin@testingssl.com
Email the CSR to your Certificate Authority (CA).
Upload the certificate to the CSS. Save the certificate that you receive from your CA as an ASCII file, and upload it to an FTP or SFTP server.
Copy the certificate to the CSS. SFTP is recommended; however, you can also use FTP.
CSS11506# copy ssl ftp ftpserver import sslcert.pem PEM "system"
!--- sslcert.pem is the certificate file, and system is the password
!--- used when the key pair was created.
CSS11506# show ssl files
File Name File Type File Size
---------------- --------- ------------
rsa1024.pem PEM 887
sslcert.pem PEM 1210 ****new cert****
Associate the certificate.
CSS11506(config)# ssl associate cert test-ssl sslcert.pem
!--- Verify the association.
CSS11506(config)# show ssl associate
Certificate Name File Name Used by List
---------------- --------- ------------
test-ssl sslcert.pem no
RSA Key Name File Name Used by List
------------ --------- ------------
test-ssl rsa1024.pem no
DH Param Name File Name Used by List
------------- --------- ------------
DSA Key Name File Name Used by List
------------ --------- ------------
Please let me know if you have ordered your certificate from a 3rd party vendor, say VeriSign, and downloaded it somewhere on your laptop or server; then you will need to "copy ssl ftp ..." the new cert file (and key if the cert signing request was not generated in the CSS) into the CSS, then "ssl associate ..." the new cert and key files (in config mode), then update the SSL proxy list config to make use of the new SSL files.
For more info kindly refer the following links:
HTH
pls rate
Sachin
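A check that fits between receiving the certificate from the CA and the "copy ssl ... import" step above, as an added example that is not part of the original thread or of Cisco's documentation: it confirms that the returned certificate carries the same public key as the CSR generated on the CSS, and that it has enough validity left. It assumes a workstation with the openssl CLI; the file names and the make_samples helper are hypothetical.

```bash
# Added example: workstation-side checks on the CA reply before it is
# copied to the CSS. Needs the openssl CLI; all file names are placeholders.

# Succeeds only if the certificate carries the same public key as the CSR,
# i.e. it belongs to the key pair that "ssl genrsa" created on the CSS.
# Returns 2 when either file cannot be parsed as the expected type.
cert_matches_csr() {  # usage: cert_matches_csr CERT.pem CSR.pem
    local c r
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# Succeeds if the certificate is still valid DAYS days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT.pem DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Builds constructed sample files in DIR: a key, its CSR, a 30-day
# certificate for that CSR, and a certificate for an unrelated key.
make_samples() {  # usage: make_samples DIR
    openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/csr.pem" -subj "/CN=www.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 30 \
        -out "$1/cert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -out "$1/other.pem" -days 30 -subj "/CN=www.example.test" 2>/dev/null
}

# Run with --demo to exercise the checks on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    cert_matches_csr "$d/cert.pem" "$d/csr.pem" && echo "cert matches CSR"
    cert_matches_csr "$d/other.pem" "$d/csr.pem" || echo "other cert rejected"
    cert_valid_for_days "$d/cert.pem" 7 && echo "valid for 7+ days"
    rm -rf "$d"
fi
```

A mismatch here means the CA reply was issued for a different key pair than the one associated on the CSS, so it should not be imported.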
12-13-2011 02:18 AM
Thanks a lot Sachinga .. this was so useful .!!
Please do confirm the below syntax,
CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"
What is the " System " keyword used in the above syntax ? is it the password ?
Also do we need to delete the old ssl cert files ?
Pls revert .
thanks
12-13-2011 03:10 AM
Mangesh,
You are right.
"system" in double quotes is password.
To display a list of existing certificate files, use the show crypto files command in Exec mode.
For example, to display the list of certificate and key pair files, enter:
host1/Admin# show crypto files
Kindly refer
You can delete certificate and key pair files that are no longer valid by using the crypto delete command in Exec command mode. Because the ACE module does not overwrite existing certificate or key pair files, deleting the file allows you to import an updated file.
The syntax of this command is as follows:
crypto delete {filename | all}
The keywords and arguments are as follows:
•filename—Name of a specific certificate or key pair file to delete. Enter an unquoted alphanumeric string with a maximum of 40 characters.
•all—Deletes all of the certificate and key pair files from the context.
To display a list of available certificate and key pair files loaded on the ACE, use the show crypto files command.
Note The crypto delete command deletes the specified context crypto files from flash memory; however, existing SSL services are not interrupted. If you do not replace the deleted SSL files, the SSL services are disabled the next time that you enter the vip inservice command or when a device reload occurs.
For example, to delete the key pair file MYRSAKEY.PEM, enter:
host1/Admin# crypto delete MYRSAKEY.PEM
HTH
Sachin