SSL Module Certificate Installation

carlsond
Level 1

First time SSL newbie question.

I am trying to get a certificate installed on an SSL Mod. using the cut and paste method. I generated a key pair, configured the trustpoint, generated a certificate request and pasted it into Verisign's site. The reply I received, I'm assuming, is the certificate authority certificate and I imported it. Now I'm supposed to import a server certificate?? How do I get this?? Did I do something wrong??

Thank you..


sradley
Level 1

You need to paste the response from Verisign together with their intermediate certificate into a file and then import that file onto the CSS. Then associate the file so the CSS knows it's a cert. If the CSS doesn't like the file, try the paste/import again. Then load it with the key file into the ssl-proxy list.

What I was missing was the Certificate Authority Certificate. I'm assuming this is what you mean by the intermediate cert. Verisign talked me through exporting their cert from Internet Explorer. Once this cert is imported via "crypto ca authenticate trustpointname" then you can import the server cert via "crypto ca import trustpointname certificate".

If Verisign had you export a certificate from IE, that was most likely their root certificate. From my experience you need a root, intermediate and server certificate for the chain to properly form. Take care.

Hi,

I'm struggling through this as well. The process seems straightforward. I follow all the steps, get the combined certificates uploaded (intermediate and server cert), but when I try to activate the ssl-proxy-list I get an error:

"Error in ssl-server 10: RSA Cert/Key Verify %% Certificate and key files do not match."

I get the same type of message if I try to do "ssl verify"

Did you run into this?

If you regenerated the key pair after installing the cert I could see you getting a message like that. You might just try starting from scratch. Revoke your cert and get a new one created. I used the process on pages 3-12 and 3-13 of the "Catalyst 6500 Series Switch SSL Services Module Configuration Note rel 2.1". One other thing I learned the hard way is when generating the trustpoint make sure your subject-name CN equals your VIP DNS name exactly, otherwise it can cause issues.

Thanks. I found the problem. I called TAC and spoke with Jay Kelly (he rocks, I've worked with him before), and he pointed out a glaring discrepancy in the documentation for doing this. When combining the intermediate and server certs, the server cert goes first and the intermediate second. The on-line docs say the opposite. Also, the two certs should not be separated. In other words, paste in the server cert, hit enter after the trailing -----, and then paste in the intermediate cert with no trailing carriage return.

Hope this helps someone else.
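An added example, not part of the thread or of Cisco's documentation: a Python check for the bundle layout the last post describes (server cert first, intermediate second, one line break between them, nothing after the last `-----`). It compares issuer and subject names only and does not verify signatures; the function names and the sample certificates are assumptions made for illustration.

```python
import base64

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(b64_body):
    """Raw issuer and subject Name bytes from one certificate's base64 body."""
    tbs = read_tlv(read_tlv(base64.b64decode(b64_body))[1])[1]  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(value)
    return fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject

def check_bundle(text):
    """Return a list of layout and order problems in a two-certificate paste."""
    parts = text.split(END)
    if len(parts) != 3 or BEGIN not in parts[0] or BEGIN not in parts[1]:
        return ["expected exactly two certificates"]
    problems = []
    if parts[1].split(BEGIN)[0] not in ("\n", "\r\n"):
        problems.append("certificates must be separated by exactly one line break")
    if parts[2]:
        problems.append("extra characters after the last certificate")
    (iss1, sub1), (iss2, sub2) = (issuer_and_subject(p.split(BEGIN)[1]) for p in parts[:2])
    if iss1 != sub2 and iss2 == sub1:
        problems.append("intermediate is first; the server cert must come first")
    elif iss1 != sub2:
        problems.append("second certificate is not the issuer of the first")
    return problems

# Constructed sample data: DER skeletons with only the fields read above, not real certs.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length (body < 128 bytes)
def fake_cert(issuer, subject):
    tbs = (_tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01") + _tlv(0x30, b"")
           + _tlv(0x30, issuer.encode()) + _tlv(0x30, b"") + _tlv(0x30, subject.encode()))
    der = _tlv(0x30, _tlv(0x30, tbs))
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}"
SERVER = fake_cert("Example Intermediate CA", "vip.example.com")
INTERMEDIATE = fake_cert("Example Root CA", "Example Intermediate CA")
```

`check_bundle` also accepts real PEM text, since `read_tlv` handles the long-form lengths real certificates use.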
