cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1326
Views
0
Helpful
3
Replies

CSS11506-SSL-certificate getting expired

Magesh G.
Level 1
Level 1

Dear All,

We have a CSS11506- in which the internal SSL-certificate is getting expired.

Please revert on the steps for changing with a new certificate.

Should i generate a new csr ?

Thanks ,

1 Accepted Solution

Accepted Solutions

sachinga.hcl
Level 4
Level 4

Hi Mangesh,

Kindly try following steps:

Prerequisites

You need the following information to create and upload the CSR:

  • Country Name (2 letter code)

  • State or Province (full name)

  • Locality Name (city) [SomeCity]

  • Organization Name (company name)

  • Organizational Unit Name (section) [Web Administration]

  • Common Name (your domain name) [www.acme.com]

  • Email address [webadmin@acme.com ]

  • CSS11500 series switch with Secure Socket Layer (SSL) module

  • WebNS 7.10 or higher

  • FTP or Secure FTP (SFTP) server

  • FTP record configured on the CSS

Components Used

The information in this document is based on the software and hardware versions below.

  • CSS11506

  • WebNS 7.20

The information presented in this document was created from devices  in a specific lab environment. All of the devices used in this document  started with a cleared (default) configuration. If you are working in a  live network, ensure that you understand the potential impact of any  command before using it.

Create A Certificate Signing Request on the CSS11500

Step-by-Step Instructions

In this section, you are presented with the information to configure the features described in this document.

  1. Create the public/private key pair. You need to specify number of  bits, filename, and a password to protect the public/privite key pair.

    CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"
    Warning this operation could take a while 
    and can cause your console to not respond 
    while the operation is ongoing 
    
    Do you want to continue?, [y/n]:y 
    CSS11506(config)# 
    
    
    
    !--- If you issue the show ssl files command, you will 
    !--- see that the key pair has been created.
     
    
    CSS11506(config)# show ssl files 
     File Name                       File Type File Size 
     ----------------                --------- ------------ 
      rsa1024.pem                     PEM        887 
    
  2. Associate the key.

    CSS11506(config)# ssl associate rsakey test-ssl rsa1024.pem  
    
    
    !--- test-ssl is the name of the association.
    
    
    View Associations 
    CSS11506(config)# show ssl associate 
     Certificate Name                File Name                       Used by List 
     ----------------                ---------                       ------------ 
    
     RSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
     test-ssl                         rsa1024.pem                           no 
    
     DH Param Name                   File Name                       Used by List 
     -------------                   ---------                       ------------ 
    
     DSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
    
    
  3. Create the CSR.

    CSS11506(config)# ssl gencsr test-ssl  
    
    
    
    !--- test-ssl is the name of the association.
    
    CSS11506(config)# ssl gencsr test-ssl 
    
    
    !--- You will be asked to enter information 
    !--- that will be incorporated into your certificate 
    !--- request. What you are about to enter is 
    !--- called a Distinguished Name or a DN. 
    !--- For some fields, there will be a default value. 
    !--- If you enter '.', the field will be left blank. 
    
    
    Country Name (2 letter code) [US]US 
    State or Province (full name) [SomeState]Massachusetts 
    Locality Name (city) [SomeCity]Boxborough 
    Organization Name (company name) [Acme Inc]Testing SSL 
    Organizational Unit Name (section) [Web Administration]SSL Admin 
    Common Name (your domain name) [www.acme.com]www.testingssl.com 
    Email address [webadmin@acme.com ]webadmin@testingssl.com 
    
  4. Email the CSR to your Certificate Authority (CA).

    -----BEGIN CERTIFICATE REQUEST----- 
    MIIB6jCCAVMCAQAwgakxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl 
    dHRzMRMwEQYDVQQHEwpCb3hib3JvdWdoMRQwEgYDVQQKEwtUZXN0aW5nIFNTTDES 
    MBAGA1UECxMJU1NMIEFkbWluMRswGQYDVQQDExJ3d3cudGVzdGluZ3NzbC5jb20x 
    JjAkBgkqhkiG9w0BCQEWF3dlYmFkbWluQHRlc3Rpbmdzc2wuY29tMIGfMA0GCSqG 
    SIb3DQEBAQUAA4GNADCBiQKBgQCutr3grp8cmfQWvE7fX8T77nsVYJMFePqUkelg 
    trJzy/3Obahhv0KdWbWvpXV0gUE3pNujeywn9VKpqG7Y1III+VWo1fqIT86oC7W5 
    qqWzECD3qYCbMOjKqcXZ5m0e3Wbamr1Nvn08BiVdDLkmZ64SzDpMTpONiznl0B2F 
    Ryp7CQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAJdrAqE+l380fBJy5bEU6ApLc 
    RVdGVr1C34yWUIYg86ilW3bATebJCHwGpaKHztpHFikaRxJsZno06qOa8iujM6pn 
    IESkSSTnow2xyNaVbAiTZwaND7+D4Ofk/OQA1bE0BFVyMD6KJ0IIQM/5Wv+wNlef 
    FVOv2Cv7yxryu71pmI0= 
    -----END CERTIFICATE REQUEST----- 
    
    CSS11506(config)# 
  5. Upload the certificate to the CSS. Save the the certificate that you  receive from your CA as an ASCI file, and upload it to a FTP or SFTP  server.

    -----BEGIN CERTIFICATE----- 
    MIIDQjCCAuygAwIBAgIQRCMFqA3CWhhqcam90mFtejANBgkqhkiG9w0BAQUFADCB 
    qTEWMBQGA1UEChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWdu 
    LmNvbS9yZXBvc2l0b3J5L1Rlc3RDUFMgSW5jb3JwLiBCeSBSZWYuIExpYWIuIExU 
    RC4xRjBEBgNVBAsTPUZvciBWZXJpU2lnbiBhdXRob3JpemVkIHRlc3Rpbmcgb25s 
    eS4gTm8gYXNzdXJhbmNlcyAoQylWUzE5OTcwHhcNMDMwMTA2MDAwMDAwWhcNMDMw 
    MTIwMjM1OTU5WjCBgTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0 
    dHMxEzARBgNVBAcUCkJveGJvcm91Z2gxFDASBgNVBAoUC1Rlc3RpbmcgU1NMMRIw 
    EAYDVQQLFAlTU0wgQWRtaW4xGzAZBgNVBAMUEnd3dy50ZXN0aW5nc3NsLmNvbTCB 
    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArra94K6fHJn0FrxO31/E++57FWCT 
    BXj6lJHpYLayc8v9zm2oYb9CnVm1r6V1dIFBN6Tbo3ssJ/VSqahu2NSCCPlVqNX6 
    iE/OqAu1uaqlsxAg96mAmzDoyqnF2eZtHt1m2pq9Tb59PAYlXQy5JmeuEsw6TE6T 
    jYs55dAdhUcqewkCAwEAAaOB0TCBzjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBC 
    BgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9TZWN1cmVT 
    ZXJ2ZXJUZXN0aW5nQ0EuY3JsMFEGA1UdIARKMEgwRgYKYIZIAYb4RQEHFTA4MDYG 
    CCsGAQUFBwIBFipodHRwOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1Rl 
    c3RDUFMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEB 
    BQUAA0EAsWuz2lWAKRbRqODlnp3TKhsg79F3x6azUE6VaMGDKpNrFCB2AgbcU25D 
    VAysN/47vavtlFGonK2M/hC78pS9kw== 
    -----END CERTIFICATE----- 

    Copy the certificate to the CSS. SFTP is recommend, however, you can also use FTP.

    CSS11506# copy ssl ftp ftpserver import sslcert.pem PEM "system"  
    
    
    !--- sslcert.pem is the certificate file, and system is the password 
    !--- used when the key pair was created. 
    
      
    CSS11506# show ssl files 
     File Name                       File Type File Size 
     ----------------                --------- ------------ 
     rsa1024.pem                     PEM        887 
     sslcert.pem                     PEM        1210 ****new cert**** 
    
    
  6. Associate the certificate.

     CSS11506(config)# ssl associate cert test-ssl sslcert.pem 
    
    
    
     !--- Verify the association.
    
    
     CSS11506(config)# show ssl associate 
     Certificate Name                File Name                       Used by List 
     ----------------                ---------                       ------------ 
     test-ssl                       sslcert.pem                           no 
    
     RSA Key Name                    File Name                       Used by List 
     ------------                   ---------                       ------------ 
     test-ssl                        rsa1024.pem                           no 
    
     DH Param Name                   File Name                       Used by List 
     -------------                   ---------                       ------------ 
    
     DSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
    

Please le me know if you have ordered your certificate from 3 rd party vendor say verisign and downloaded it somewhere on your laptop or server then you will need to "copy ssl ftp ..." the new cert file (and key if the  cert signing request was not generated in the CSS) into the CSS, then  "ssl associate ..." the new cert and key files (in config mode), then  update the SSL proxy list config to make use the new ssl files.

For more info kindly refer the following links:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/certkeys.html

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801ffdcb.shtml

http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_How_to_Configure_the_Load_Balancer_for_Redundancy#How_to_Update_the_CA-Signed_Security_Certificates

HTH

pls rate

Sachin

View solution in original post

3 Replies 3

sachinga.hcl
Level 4
Level 4

Hi Mangesh,

Kindly try following steps:

Prerequisites

You need the following information to create and upload the CSR:

  • Country Name (2 letter code)

  • State or Province (full name)

  • Locality Name (city) [SomeCity]

  • Organization Name (company name)

  • Organizational Unit Name (section) [Web Administration]

  • Common Name (your domain name) [www.acme.com]

  • Email address [webadmin@acme.com ]

  • CSS11500 series switch with Secure Socket Layer (SSL) module

  • WebNS 7.10 or higher

  • FTP or Secure FTP (SFTP) server

  • FTP record configured on the CSS

Components Used

The information in this document is based on the software and hardware versions below.

  • CSS11506

  • WebNS 7.20

The information presented in this document was created from devices  in a specific lab environment. All of the devices used in this document  started with a cleared (default) configuration. If you are working in a  live network, ensure that you understand the potential impact of any  command before using it.

Create A Certificate Signing Request on the CSS11500

Step-by-Step Instructions

In this section, you are presented with the information to configure the features described in this document.

  1. Create the public/private key pair. You need to specify number of  bits, filename, and a password to protect the public/privite key pair.

    CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"
    Warning this operation could take a while 
    and can cause your console to not respond 
    while the operation is ongoing 
    
    Do you want to continue?, [y/n]:y 
    CSS11506(config)# 
    
    
    
    !--- If you issue the show ssl files command, you will 
    !--- see that the key pair has been created.
     
    
    CSS11506(config)# show ssl files 
     File Name                       File Type File Size 
     ----------------                --------- ------------ 
      rsa1024.pem                     PEM        887 
    
  2. Associate the key.

    CSS11506(config)# ssl associate rsakey test-ssl rsa1024.pem  
    
    
    !--- test-ssl is the name of the association.
    
    
    View Associations 
    CSS11506(config)# show ssl associate 
     Certificate Name                File Name                       Used by List 
     ----------------                ---------                       ------------ 
    
     RSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
     test-ssl                         rsa1024.pem                           no 
    
     DH Param Name                   File Name                       Used by List 
     -------------                   ---------                       ------------ 
    
     DSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
    
    
  3. Create the CSR.

    CSS11506(config)# ssl gencsr test-ssl  
    
    
    
    !--- test-ssl is the name of the association.
    
    CSS11506(config)# ssl gencsr test-ssl 
    
    
    !--- You will be asked to enter information 
    !--- that will be incorporated into your certificate 
    !--- request. What you are about to enter is 
    !--- called a Distinguished Name or a DN. 
    !--- For some fields, there will be a default value. 
    !--- If you enter '.', the field will be left blank. 
    
    
    Country Name (2 letter code) [US]US 
    State or Province (full name) [SomeState]Massachusetts 
    Locality Name (city) [SomeCity]Boxborough 
    Organization Name (company name) [Acme Inc]Testing SSL 
    Organizational Unit Name (section) [Web Administration]SSL Admin 
    Common Name (your domain name) [www.acme.com]www.testingssl.com 
    Email address [webadmin@acme.com ]webadmin@testingssl.com 
    
  4. Email the CSR to your Certificate Authority (CA).

    -----BEGIN CERTIFICATE REQUEST----- 
    MIIB6jCCAVMCAQAwgakxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl 
    dHRzMRMwEQYDVQQHEwpCb3hib3JvdWdoMRQwEgYDVQQKEwtUZXN0aW5nIFNTTDES 
    MBAGA1UECxMJU1NMIEFkbWluMRswGQYDVQQDExJ3d3cudGVzdGluZ3NzbC5jb20x 
    JjAkBgkqhkiG9w0BCQEWF3dlYmFkbWluQHRlc3Rpbmdzc2wuY29tMIGfMA0GCSqG 
    SIb3DQEBAQUAA4GNADCBiQKBgQCutr3grp8cmfQWvE7fX8T77nsVYJMFePqUkelg 
    trJzy/3Obahhv0KdWbWvpXV0gUE3pNujeywn9VKpqG7Y1III+VWo1fqIT86oC7W5 
    qqWzECD3qYCbMOjKqcXZ5m0e3Wbamr1Nvn08BiVdDLkmZ64SzDpMTpONiznl0B2F 
    Ryp7CQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAJdrAqE+l380fBJy5bEU6ApLc 
    RVdGVr1C34yWUIYg86ilW3bATebJCHwGpaKHztpHFikaRxJsZno06qOa8iujM6pn 
    IESkSSTnow2xyNaVbAiTZwaND7+D4Ofk/OQA1bE0BFVyMD6KJ0IIQM/5Wv+wNlef 
    FVOv2Cv7yxryu71pmI0= 
    -----END CERTIFICATE REQUEST----- 
    
    CSS11506(config)# 
  5. Upload the certificate to the CSS. Save the the certificate that you  receive from your CA as an ASCI file, and upload it to a FTP or SFTP  server.

    -----BEGIN CERTIFICATE----- 
    MIIDQjCCAuygAwIBAgIQRCMFqA3CWhhqcam90mFtejANBgkqhkiG9w0BAQUFADCB 
    qTEWMBQGA1UEChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWdu 
    LmNvbS9yZXBvc2l0b3J5L1Rlc3RDUFMgSW5jb3JwLiBCeSBSZWYuIExpYWIuIExU 
    RC4xRjBEBgNVBAsTPUZvciBWZXJpU2lnbiBhdXRob3JpemVkIHRlc3Rpbmcgb25s 
    eS4gTm8gYXNzdXJhbmNlcyAoQylWUzE5OTcwHhcNMDMwMTA2MDAwMDAwWhcNMDMw 
    MTIwMjM1OTU5WjCBgTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0 
    dHMxEzARBgNVBAcUCkJveGJvcm91Z2gxFDASBgNVBAoUC1Rlc3RpbmcgU1NMMRIw 
    EAYDVQQLFAlTU0wgQWRtaW4xGzAZBgNVBAMUEnd3dy50ZXN0aW5nc3NsLmNvbTCB 
    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArra94K6fHJn0FrxO31/E++57FWCT 
    BXj6lJHpYLayc8v9zm2oYb9CnVm1r6V1dIFBN6Tbo3ssJ/VSqahu2NSCCPlVqNX6 
    iE/OqAu1uaqlsxAg96mAmzDoyqnF2eZtHt1m2pq9Tb59PAYlXQy5JmeuEsw6TE6T 
    jYs55dAdhUcqewkCAwEAAaOB0TCBzjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBC 
    BgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9TZWN1cmVT 
    ZXJ2ZXJUZXN0aW5nQ0EuY3JsMFEGA1UdIARKMEgwRgYKYIZIAYb4RQEHFTA4MDYG 
    CCsGAQUFBwIBFipodHRwOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1Rl 
    c3RDUFMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEB 
    BQUAA0EAsWuz2lWAKRbRqODlnp3TKhsg79F3x6azUE6VaMGDKpNrFCB2AgbcU25D 
    VAysN/47vavtlFGonK2M/hC78pS9kw== 
    -----END CERTIFICATE----- 

    Copy the certificate to the CSS. SFTP is recommend, however, you can also use FTP.

    CSS11506# copy ssl ftp ftpserver import sslcert.pem PEM "system"  
    
    
    !--- sslcert.pem is the certificate file, and system is the password 
    !--- used when the key pair was created. 
    
      
    CSS11506# show ssl files 
     File Name                       File Type File Size 
     ----------------                --------- ------------ 
     rsa1024.pem                     PEM        887 
     sslcert.pem                     PEM        1210 ****new cert**** 
    
    
  6. Associate the certificate.

     CSS11506(config)# ssl associate cert test-ssl sslcert.pem 
    
    
    
     !--- Verify the association.
    
    
     CSS11506(config)# show ssl associate 
     Certificate Name                File Name                       Used by List 
     ----------------                ---------                       ------------ 
     test-ssl                       sslcert.pem                           no 
    
     RSA Key Name                    File Name                       Used by List 
     ------------                   ---------                       ------------ 
     test-ssl                        rsa1024.pem                           no 
    
     DH Param Name                   File Name                       Used by List 
     -------------                   ---------                       ------------ 
    
     DSA Key Name                    File Name                       Used by List 
     ------------                    ---------                       ------------ 
    

Please le me know if you have ordered your certificate from 3 rd party vendor say verisign and downloaded it somewhere on your laptop or server then you will need to "copy ssl ftp ..." the new cert file (and key if the  cert signing request was not generated in the CSS) into the CSS, then  "ssl associate ..." the new cert and key files (in config mode), then  update the SSL proxy list config to make use the new ssl files.

For more info kindly refer the following links:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/certkeys.html

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801ffdcb.shtml

http://docwiki.cisco.com/wiki/Cisco_Unified_Presence,_Release_7.x_--_How_to_Configure_the_Load_Balancer_for_Redundancy#How_to_Update_the_CA-Signed_Security_Certificates

HTH

pls rate

Sachin

Thanks a lot Sachinga .. this was so useful .!!

Please do confirm the below syntax,

CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"

What is the " System "  keyword used in the above syntax ?  is it the password ?

Also do we need to delete the old ssl cert files ?

Pls revert .

thanks

Mangesh,

You are right.

"system" in double quotes is password.

To display a list of existing certificate files, use the  show  crypto   files  command in Exec mode.

For example, to display the list of certificate and key pair files, enter:

Deleting Certificate and Key Pair Files

You can delete certificate and key pair files that are no longer valid by using the crypto delete command in Exec command mode. Because the ACE module does not overwrite  existing certificate or key pair files, deleting the file allows you to  import an updated file.

The syntax of this command is as follows:

crypto delete {filename | all}

The keywords and arguments are as follows:

filename—Name  of a specific certificate or key pair file to delete. Enter an unquoted  alphanumeric string with a maximum of 40 characters.

all—Deletes all of the certificate and key pair files from the context.

To display a list of available certificate and key pair files loaded on the ACE, use the show crypto files command.


Note The crypto delete command deletes the specified context crypto files from flash memory;  however, existing SSL services are not interrupted. If you do not  replace the deleted SSL files, the SSL services are disabled the next  time that you enter the vip inservice command or when a device reload occurs.


For example, to delete the key pair file MYRSAKEY.PEM, enter:

host1/Admin# crypto delete MYRASKEY.PEM

HTH

Sachin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: