05-18-2012 04:48 PM
Hi,
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
I tried importing the certificate to the repository and changing the SSL proxy likewise to use the new certificate, but still the new certificate with the new CN is not recognised by the clients. They can see the old certificate only. I even tried deleting and creating a new SSL proxy service with the new cert and attaching it to the policy map,
but still the new certificate is not used, even after a reboot.
Attaching screenshots and running config. Any help will be appreciated.
BR//Rajiv
05-19-2012 12:04 PM
Hello,
What error are you getting?
Did you try to verify them like this?
ACE-1/routed# crypto verify key.pem cert.pem
Keypair in key.pem matches certificate in cert.pem.
Can you do #show crypto files?
Did you update the chaingroup as well?
Jorge
05-22-2012 04:36 AM
Ravi,
Here are the procedures for updating your certificate on the ACE.
1) Create New RSA Key
2) Create CSR
3) Send CSR to CA authority for a new certificate
4) Import Certificate into the ACE
5) Change the ssl-proxy to use the new Certificate and Key
6) Remove the SSL-Proxy from the policy map and reapply
Now if you created the CSR on a different box, you will need to import both the RSA key and the certificate. Another thing you should be aware of is a possible change in the root and intermediate certificates that are used by the CA. In your configuration, you have
crypto chaingroup iotms-chain-gr-1
cert inter-root-new
Are these the correct certificates for your cert? If so, it seems odd that there is only one certificate in the chaingroup. Most CAs use an intermediate and a root certificate.
Verify that you have the correct chaingroup (with the correct root and intermediate certificates).
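Jorge's `crypto verify` check and the six steps above, reproduced offline with openssl as an added example (not code from the thread, from Cisco or from the ACE itself): the script builds a constructed root and intermediate CA, issues a new key and certificate for a constructed name, and then performs the checks that matter before the files go on the ACE, that the key matches the certificate, that the chain the chaingroup needs is complete, and that the CN is the new one. All file names, the CA and new.example.com are assumptions made up for the example.

```shell
# Added example, not from the thread: pre-import checks for the procedure above,
# run with openssl on a workstation. Every file name and name here is constructed.

# key_matches_cert KEY CERT: same check as the ACE "crypto verify" command,
# by comparing the RSA public key in KEY with the one embedded in CERT.
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
      openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# chain_verifies LEAF ROOT INTER: true when LEAF validates up to ROOT through
# INTER, i.e. both certificates belong in the ACE chaingroup.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# cert_cn CERT: subject CN, to confirm the new name before clients do.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# build_demo: constructed offline material (steps 1-3 of the procedure, with
# our own mini CA playing the commercial one); prints the working directory.
build_demo() {
  d=$(mktemp -d); cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
    -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout new.key -out new.csr \
    -subj "/CN=new.example.com" 2>/dev/null          # steps 1 and 2
  openssl x509 -req -in new.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out new.pem 2>/dev/null                 # step 3
  openssl genrsa -out old.key 2048 2>/dev/null        # stale key, for contrast
  echo "$d"
}
d=$(build_demo)
key_matches_cert "$d/new.key" "$d/new.pem" && echo "new.key matches new.pem"
key_matches_cert "$d/old.key" "$d/new.pem" || echo "old.key does NOT match new.pem"
chain_verifies "$d/new.pem" "$d/root.pem" "$d/inter.pem" && echo "chain OK: CN=$(cert_cn "$d/new.pem")"
```

Run the same three functions against the real key, certificate and CA chain files before importing them; a chain that only verifies when both intermediate and root are supplied is the chain the chaingroup must carry.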