
SSL Certificate expired

johng231
Level 3

Hello

I've updated our internal application SSL certificates on our core WAEs group; for some reason it didn't push the updated ones down to the branch WAEs. The users are getting the expired cert error. The workaround for now was to disable the SSL cert. Is there a procedure on how to update the SSL certs on your core WAEs? How can I check the branch WAE where the expired cert is being stored? It's not showing up when you issue a show crypto certificates. I went and updated the existing ones with the new ones and the date had changed correctly.

WAEs - 4.2.1

CM - 4.4.1


I would recommend you to go through the following document which should help you in troubleshooting the SSL AO:

http://docwiki-dev.cisco.com/wiki/Cisco_WAAS_Troubleshooting_Guide_for_Release_4.1.3_and_Later_--_Troubleshooting_the_SSL_AO

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/waas/v431/configuration/guide/policy.html#wp1096862

Please let me know if you still need any help,

Ahmad

Yes, I had the SSL cert working before, it broke when I went and updated it. Why didn't it push it down to the WAE branches? Why is the branch WAE still storing the old certificate????

The links you posted, I can't open. Please confirm them.

Hi John,

I believe Ahmad is talking about this link, here is the corrected one:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v431/configuration/guide/policy.html#wp1138543

As per the document, the certificates should be propagated to the WAE and replace the expired one. Why it did not happen in your case, I believe requires some investigation. It may be that the CM-WAE connectivity is/was broken, or maybe the WAE is managed by CM but is configured in such a way that CM cannot update config on the WAE. This could happen if you are using Device Groups and if the WAE is not part of that group.

Hope this helps.

Regards.

PS: If this answers your question, please mark this as Answered.

This was from the url you posted above. I was missing this important step!

"If you change the certificate or key for an existing SSL accelerated service, you must uncheck the In service check box and click Submit to disable the service, then wait 5 minutes and check the In service check box and click Submit to reenable the service. Alternatively, at the WAE, you can use the no inservice SSL accelerated service configuration command, wait a few seconds, and then use the inservice command. If you are changing the certificate or key for multiple SSL accelerated services, you can restart all accelerated services by disabling and then reenabling the SSL accelerator."

Thanks for the update, John. Good to know it is working now.

Regards.
