cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2844
Views
0
Helpful
3
Replies

SSL proxy using p12 certificate file

liangzheng
Level 1
Level 1

Hi,

I am configuring SSL termination for a e-commence site. The only certificate and key file for the site is in .p12 format. I have successfully imported the file in ACE context:

Tor-ACE/StagingFrontEnd-LB# sh crypto files

Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                      5066  PKCS12  No         BOTH

Tor-ACE/StagingFrontEnd-LB# 

However, when I configured this cert and key in SSL proxy service, the SSL proxy server didn't work. When I change the cert and key file to cisco sample file, it was working.

Any help will be appreciated.

James

1 Accepted Solution

Accepted Solutions

Pablo
Cisco Employee
Cisco Employee

James/Chris,

Just to clarify the ACE does support PKCS12 from the very beginning either on the APP or MOD.

Sounds like your problem could be either that:

You only associated the file once under the ssl service. The file needs to be associated with the cert and the key using the same name:

ssl-proxy service VIP
  key
secure.seOOOO.ca.p12
  cert
secure.seOOOO.ca.p12

Or you didn't specify the cert passphrase when importing the file:


switch/Admin# show crypto file
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                     5066  PKCS12    No       BOTH

ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10 secure.seOOOO.ca.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.

Hope this helps.

__ __

Pablo



View solution in original post

3 Replies 3

cpomeroy
Level 1
Level 1

James,

    In order for the ACE to terminate SSL, the certs/key need to be in PEM format.  Please see the attached configuration guide for SSL.

Thanks

Chris

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/certkeys.html#wp1052415

Pablo
Cisco Employee
Cisco Employee

James/Chris,

Just to clarify the ACE does support PKCS12 from the very beginning either on the APP or MOD.

Sounds like your problem could be either that:

You only associated the file once under the ssl service. The file needs to be associated with the cert and the key using the same name:

ssl-proxy service VIP
  key
secure.seOOOO.ca.p12
  cert
secure.seOOOO.ca.p12

Or you didn't specify the cert passphrase when importing the file:


switch/Admin# show crypto file
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12                     5066  PKCS12    No       BOTH

ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10 secure.seOOOO.ca.p12
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.

Hope this helps.

__ __

Pablo



Thanks guys,

I got it work. The ACE does accept p12 certificate and key file. It was some configuration problem on web servers. I also have tried use openssl command to convert p12 to pem format and applied them in to ACE. it works either way.

James

Review Cisco Networking for a $25 gift card