How to install a root certificate of private CA for SSL initiation in ACE 4710 ?

adery6300
Level 1

Hello ACE Gurus,

We have to deploy end-to-end SSL for one of our applications, but of course we won't be buying Entrust or other big-name certificates for each web server: we want to use self-issued certs signed by our private CA. The topology looks like this:

Internet Client   ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers

Maybe my search skills are soft, but I haven't found how to import a private CA certificate into the ACE, so that when the ACE initiates an SSL session with the web server (as a client), it will recognize the web server's SSL cert as valid, because it already has it in its root store.

The only thing I've found is how to configure the ACE to ignore the SSL authentication/validation errors, like this:

host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore

Thanks for the help!

Alex.

3 Replies

ohynderi
Level 1

Hi Alex,

From the ACE perspective, it doesn't make any difference whether you are using certificates issued by your local CA or by a "well known" CA. Moreover, if I'm not mistaken, you have to configure an authentication group whether you are doing client or server authentication.

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643

Thanks,

Olivier

Hi Olivier and thanks for the answer,

When the ACE initiates an SSL connection to a server that gives a cert for which the ACE doesn't know the root CA, doesn't that generate errors?

So besides ignoring those errors, there must be a way for the ACE to import the root CA certificate, enabling the ACE to verify the validity of the server's cert?

Thanks,

Alex.

Hi again Alex!

So by default ACE will only check whether the server certificate has not yet expired. It won't be looking at the issuer.

If you want ACE to check whether the server certificate was signed by a trusted CA, you need to configure an authentication group. Issuers that are part of that authentication group will be considered trusted.

So you should first import your CA certificate (see the "crypto import" command for that purpose), add it to the authgroup, and apply the ssl-proxy service.

I hope it helps,

Olivier
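The three steps in that reply, written out as one ACE CLI session. This is an added example, not configuration from the original thread or from Cisco's documentation: the object names (MYCA.PEM, PRIVATE_CA_AUTHGROUP, SSL_INIT_PROXY, SF_WEB_SSL, WEB1, LB_WEB), the 192.0.2.10 address and the paste placeholder are made up for illustration, the "!" lines are annotations rather than ACE commands, and the exact command syntax and prompt names should be checked against the ACE 4710 SSL configuration guide for your release before use. The parameter map from the question is kept, but with "authentication-failure ignore" removed, so that a server certificate that does not chain to the imported CA (or has expired) makes the back-end handshake fail instead of being silently accepted.

```text
! 1. Import the private CA's root certificate (PEM). With "terminal" the ACE
!    prompts for the certificate text; paste it and finish with "quit".
host1/Admin(config)# crypto import terminal MYCA.PEM
(paste the PEM-encoded CA certificate here, then type quit)
host1/Admin(config)# do show crypto certificate MYCA.PEM

! 2. Put the CA certificate in an authentication group. Every issuer listed in
!    the group is treated as trusted when ACE validates a server certificate.
host1/Admin(config)# crypto authgroup PRIVATE_CA_AUTHGROUP
host1/Admin(config-authgroup)# cert MYCA.PEM
host1/Admin(config-authgroup)# exit

! 3. Reference the authgroup from the SSL-initiation proxy service. Do not
!    ignore validation failures; that was the workaround the question wanted
!    to avoid.
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# no authentication-failure ignore
host1/Admin(config-parammap-ssl)# exit
host1/Admin(config)# ssl-proxy service SSL_INIT_PROXY
host1/Admin(config-ssl-proxy)# authgroup PRIVATE_CA_AUTHGROUP
host1/Admin(config-ssl-proxy)# ssl advanced-options SSL_PARAMMAP_SSL
host1/Admin(config-ssl-proxy)# exit

! 4. Attach the service as the SSL client on the back-end path, so ACE speaks
!    HTTPS to the web servers on port 443 and validates their certificates.
host1/Admin(config)# rserver host WEB1
host1/Admin(config-rserver-host)# ip address 192.0.2.10
host1/Admin(config-rserver-host)# inservice
host1/Admin(config-rserver-host)# exit
host1/Admin(config)# serverfarm host SF_WEB_SSL
host1/Admin(config-sfarm-host)# rserver WEB1 443
host1/Admin(config-sfarm-host-rs)# inservice
host1/Admin(config-sfarm-host-rs)# exit
host1/Admin(config-sfarm-host)# exit
host1/Admin(config)# policy-map type loadbalance first-match LB_WEB
host1/Admin(config-pmap-lb)# class class-default
host1/Admin(config-pmap-lb-c)# serverfarm SF_WEB_SSL
host1/Admin(config-pmap-lb-c)# ssl-proxy client SSL_INIT_PROXY
```

Two things to verify after applying this: "show crypto certificate MYCA.PEM" should show the issuer and validity dates you expect for the private root, and the web servers' certificates must actually be signed by that root (or present the full chain up to it), otherwise the stricter check correctly starts failing back-end connections. If the private CA has an intermediate, import that too and add it to the same authgroup rather than loosening the parameter map again.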