03-04-2011 12:59 PM
Hello ACE Gurus,
We have to deploy end-to-end SSL for one of our applications, but of course we won't be buying Entrust or other big-name certificates for each web server: we want to use self-issued certs signed by our private CA. The topology looks like this:
Internet Client ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
Maybe my search skills are soft, but I haven't found how to import a private CA certificate into the ACE, so that when the ACE initiates an SSL session with the web server (as a client), it will recognize the web server's SSL cert as valid, because it already has the CA in its root store.
The only thing I've found is how to configure the ACE to ignore the SSL authentication/validation errors, like this:
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore
Thanks for the help!
Alex.
03-08-2011 08:30 AM
Hi again Alex!
So by default ACE will only check whether the server certificate has not yet expired. It won't be looking at the issuer.
If you want ACE to check whether the server certificate was signed by a trusted CA, you need to configure an authentication group. Issuers that are part of that authentication group will be considered as trusted.
So you should first import your CA certificate (see the "crypto import" command for that purpose), add it to the authgroup and apply it to the ssl-proxy service.
I hope it helps,
Olivier
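The procedure Olivier describes, written out as an ACE CLI session. This is an added example, not configuration from the original thread; the object names (MY-ROOT-CA.crt, BACKEND-CA, BACKEND-SSL, BACKEND-SSLPARAMS, WEB-L7-POLICY, WEB-SF) and the "host1/Admin" context are assumptions, and the certificate body is elided. The point is that the back-end (ACE-to-web-server) ssl-proxy service gets an authgroup containing the private root CA, so the ACE rejects a server certificate that was not issued by that CA instead of ignoring the failure.

```cisco
! Added example (not from the original post). Names are assumptions.
! Goal: ACE, acting as SSL client towards the web servers, trusts only
! certificates issued by our private root CA.

! 1. Import the private root CA certificate into the ACE cert store.
!    Pasting at the terminal is shown; tftp/ftp/sftp import also exists.
host1/Admin# crypto import terminal MY-ROOT-CA.crt
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

! Confirm the CA certificate is present and parses correctly.
host1/Admin# show crypto certificate MY-ROOT-CA.crt

! 2. Authentication group: every issuer listed here is a trusted issuer
!    for the ssl-proxy service that references the group.
host1/Admin(config)# crypto authgroup BACKEND-CA
host1/Admin(config-authgroup)# cert MY-ROOT-CA.crt
host1/Admin(config-authgroup)# exit

! 3. SSL parameter map for the back-end connection. The weak setting from
!    the question ("authentication-failure ignore") must NOT be present
!    here, otherwise the authgroup check is pointless. If it was added
!    earlier, remove it:
host1/Admin(config)# parameter-map type ssl BACKEND-SSLPARAMS
host1/Admin(config-parammap-ssl)# no authentication-failure ignore
host1/Admin(config-parammap-ssl)# exit

! 4. Back-end ssl-proxy service (ACE is the SSL client) with the authgroup.
host1/Admin(config)# ssl-proxy service BACKEND-SSL
host1/Admin(config-ssl-proxy)# authgroup BACKEND-CA
host1/Admin(config-ssl-proxy)# ssl advanced-options BACKEND-SSLPARAMS
host1/Admin(config-ssl-proxy)# exit

! 5. Attach it as the client-side ssl-proxy in the load-balance policy
!    that sends traffic to the web server farm.
host1/Admin(config)# policy-map type loadbalance first-match WEB-L7-POLICY
host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)# serverfarm WEB-SF
host1/Admin(config-pmap-lb-c)# ssl-proxy client BACKEND-SSL
host1/Admin(config-pmap-lb-c)# exit
```

Two checks worth doing after this: issue the web servers' certificates with a subject/SAN that matches what the ACE connects to, since the authgroup only establishes the chain of trust, and re-test the VIP with a web server presenting a certificate from a different CA to confirm the back-end handshake is actually refused rather than silently accepted.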
03-08-2011 06:25 AM
Hi Alex,
From the ACE perspective, it doesn't make a difference whether you are using certificates issued by your local CA or a "well known" CA. Moreover, if I'm not mistaken, you have to configure an authentication group whether you are doing client or server authentication.
Thanks,
Olivier
03-08-2011 07:23 AM
Hi Olivier and thanks for the answer,
When the ACE initiates an SSL connection to a server that gives a cert for which the ACE doesn't know the root CA, doesn't that generate errors?
So besides ignoring those errors, there must be a way for the ACE to import the root CA certificate, enabling the ACE to verify the validity of the server's cert?
Thanks,
Alex.