SSL chaingroup

Hi,

Looking for an explanation of what a chaingroup is and what it is used for. Is this something related to wildcard?

Thanks

Ajay

Accepted Solutions
Re: SSL chaingroup

Just to chime in on this. A certificate chain normally would look like this.

Root CA ---> Intermediate CA ---> Server Certificate

The root CA signs the intermediate CA and the intermediate CA signs the certificate.

Assuming that the client browser has the intermediate and root CAs in its certificate store, the browser can authenticate the server certificate. If the root CA and the intermediate CA are not in the client certificate store, then the server certificate cannot be authenticated. So to allow for this, you configure the ACE with a chaingroup that has the root and any intermediate CAs in it. This will allow the ACE to pass the full certificate chain to the client, thus allowing the client to fully authenticate the server certificate.

Chris
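
Added example (not part of the original thread or of Cisco's documentation): the script below builds a constructed Root CA -> Intermediate CA -> server certificate chain with `openssl` and shows that a client trusting only the root can verify the server certificate only when the intermediate is sent along with it, which is the job the chaingroup does on the ACE. The CA names, `www.example.test` and all file names are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names made up): Root CA -> Intermediate CA -> server cert.

make_demo_pki() (   # $1 = empty working directory
  set -e; cd "$1"
  # Minimal config so the demo does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=req\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf
  # Root CA: self-signed
  openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: signed by the root
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca -days 30 -out inter.pem 2>/dev/null
  # Server certificate: signed by the intermediate
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out server.pem 2>/dev/null
)

# A client that trusts only the root checks server.pem.
# $1 = PKI directory; remaining args = extra certs the server sends along
# (the role the chaingroup plays on the ACE).
client_verifies() (
  cd "$1" || exit 1; shift
  if [ "$#" -eq 0 ]; then
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
  else
    cat "$@" > sent_chain.pem
    openssl verify -CAfile root.pem -untrusted sent_chain.pem server.pem >/dev/null 2>&1
  fi
)

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if client_verifies "$demo_dir"; then
  echo "server cert only: verified"
else
  echo "server cert only: FAILED (client cannot find the issuer)"
fi
if client_verifies "$demo_dir" inter.pem; then
  echo "server cert + intermediate: verified"
else
  echo "server cert + intermediate: FAILED"
fi
rm -rf "$demo_dir"
```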

Re: SSL chaingroup

Hello Ajay,

"The chaingroup feature under the ssl-proxy service is designed to give the additional certificates beyond the server certificate.

For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service, then (optional) you can define a chaingroup.

The chaingroup would contain the certificate that signed the server cert and (optionally) any additional certificates in the chain, up to the root."

Sometimes, some browsers require not only the key and server cert but also the rest of the certificates of the chain.

Please mark if it is useful.

Hope this helps.

Jorge

Re: SSL chaingroup

Hi Jorge,

I agree with your statement:

For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service.

However, I am still not clear on chaingroup. What comes as a requirement for using a chaingroup? Is it something like multiple certs for the same VIP, or something else?

Thanks

Ajay

Re: SSL chaingroup

Hello Ajay,

It is something optional. Sometimes some browsers require the intermediate certificates besides the key and server cert; that's where you configure the chaingroup to provide them.

Jorge
