SSL Certificates Update Error in ACE 4710

Hi,

I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate has expired and we have purchased a new certificate from the CA. Moreover, the common name of the certificate has also changed.

I tried importing the certificate into the repository and changing the SSL proxy accordingly to use the new certificate, but the new certificate with the new CN is still not recognised by the clients; they can see only the old certificate. I even tried deleting and creating a new ssl-proxy service with the new cert and attaching it to the policy map.

But the new certificate is still not used, even after a reboot.

Attaching screenshots and running config. Any help will be appreciated.

BR//Rajiv

2 Accepted Solutions

Jorge Bejarano
Level 4

Hello,

What error are you getting?

Did you try to verify them like this?

ACE-1/routed# crypto verify key.pem cert.pem
Keypair in key.pem matches certificate in cert.pem.

Can you do #show crypto files?

Did you update the chaingroup as well?

Jorge

cpomeroy
Level 1

Ravi,

      Here are the procedures for updating your certificate on the ACE. 

1) Create New RSA Key

2) Create CSR

3) Send CSR to CA authority for a new certificate

4) Import Certificate into the ACE

5) Change the ssl-proxy to use the new Certificate and Key

6) Remove the SSL-Proxy from the policy map and reapply

Now if you created the CSR on a different box, you will need to import both the RSA key and the certificate.  Another thing you should be aware of is a possible change in the Root and intermediate certificates that are used by the CA.  In your configuration, you have

crypto chaingroup iotms-chain-gr-1

  cert inter-root-new

Are these the correct certificates for your cert?  If so, it seems odd that there is only one certificate in the Chaingroup.  Most CAs use an intermediate and a root certificate. 

Verify that you have the correct chaingroup (with the correct root and intermediate certificates). 
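Added example, not from the thread and not Cisco's code: a POSIX shell pre-flight, run on a workstation with openssl before anything is uploaded to the ACE, that does the equivalent of Jorge's `crypto verify` (private key matches the certificate) and of cpomeroy's chaingroup check (the new certificate chains to the root through the intermediate). It builds a throw-away root CA, intermediate CA and server certificate of its own so it runs offline; the file names, the working directory and the common name vip.example.net are all made up for the demonstration. A second, unrelated key and a root-only trust store show the two failure modes the thread is about: wrong key imported, and a chaingroup missing the intermediate.

```shell
#!/bin/sh
# Added example (not from the forum thread): pre-flight checks for an SSL
# certificate rollover. Everything here is generated locally with openssl;
# nothing is real CA material and all names are hypothetical.
set -eu

WORK="${TMPDIR:-/tmp}/ace-cert-check.$$"
mkdir -p "$WORK"
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- Constructed test PKI: root CA -> intermediate CA -> server cert ---
make_test_pki() {
    # Extensions that make a certificate usable as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

    # Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
        -extfile ca.ext 2>/dev/null

    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

    # New server key + CSR carrying the NEW common name, signed by the intermediate
    # (steps 1-3 of the procedure, with the CA played by the intermediate).
    openssl req -new -newkey rsa:2048 -nodes -keyout new.key -out new.csr \
        -subj "/CN=vip.example.net" 2>/dev/null
    openssl x509 -req -in new.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out new.pem -days 30 2>/dev/null

    # An unrelated key, to demonstrate the "wrong key imported" failure.
    openssl genrsa -out other.key 2048 2>/dev/null
}

# Does the private key belong to the certificate? Compare the SubjectPublicKeyInfo
# derived from the key with the one embedded in the certificate. This is what
# "crypto verify key.pem cert.pem" checks on the ACE.
key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    kmc_cert=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$kmc_key" = "$kmc_cert" ]
}

# Does the certificate chain to the root, using the given intermediate(s)?
# Called without an intermediate it reproduces a chaingroup that holds only
# one certificate, which is the situation cpomeroy flags as suspicious.
chain_verifies() {
    cv_cert="$1"; cv_root="$2"; cv_inter="${3:-}"
    if [ -n "$cv_inter" ]; then
        openssl verify -CAfile "$cv_root" -untrusted "$cv_inter" "$cv_cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cv_root" "$cv_cert" >/dev/null 2>&1
    fi
}

# Subject of the certificate, to confirm the new CN is really in the file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Run both checks and report; returns non-zero if either fails.
preflight() {
    pf_key="$1"; pf_cert="$2"; pf_root="$3"; pf_inter="${4:-}"
    pf_status=0
    if key_matches_cert "$pf_key" "$pf_cert"; then
        echo "  [ok]   $pf_key matches $pf_cert"
    else
        echo "  [FAIL] $pf_key does not match $pf_cert (wrong key imported?)"; pf_status=1
    fi
    if chain_verifies "$pf_cert" "$pf_root" "$pf_inter"; then
        echo "  [ok]   $pf_cert chains to $pf_root${pf_inter:+ via $pf_inter}"
    else
        echo "  [FAIL] $pf_cert does not chain to $pf_root${pf_inter:+ via $pf_inter} (chaingroup incomplete?)"; pf_status=1
    fi
    return "$pf_status"
}

# --- Demonstration ---
make_test_pki
echo "new certificate subject: $(cert_cn new.pem)"
echo "Correct key, intermediate + root:"
preflight new.key new.pem root.pem inter.pem || echo "  -> DO NOT IMPORT"
echo "Wrong key:"
preflight other.key new.pem root.pem inter.pem || echo "  -> DO NOT IMPORT"
echo "Root only in the trust store (intermediate missing):"
preflight new.key new.pem root.pem || echo "  -> DO NOT IMPORT"
```

Only the first of the three runs passes both checks. On the ACE the same two facts have to hold before the clients can see the new certificate: `crypto verify` on the imported key and certificate must report a match, and the `crypto chaingroup` attached to the ssl-proxy must contain every certificate between the server certificate and the root, which for most CAs means the intermediate as well as the root, not a single entry.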
