10-04-2010 08:39 AM
Hi,
I am configuring SSL termination for an e-commerce site. The only certificate and key file for the site is in .p12 format. I have successfully imported the file into the ACE context:
Tor-ACE/StagingFrontEnd-LB# sh crypto files
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12 5066 PKCS12 No BOTH
Tor-ACE/StagingFrontEnd-LB#
However, when I configured this cert and key in the SSL proxy service, the SSL proxy server didn't work. When I changed the cert and key file to the Cisco sample file, it worked.
Any help will be appreciated.
James
10-04-2010 01:33 PM
James/Chris,
Just to clarify, the ACE has supported PKCS12 from the very beginning, on either the APP or the MOD.
Sounds like your problem could be one of these:
You only associated the file once under the ssl service. The file needs to be associated with the cert and the key using the same name:
ssl-proxy service VIP
key secure.seOOOO.ca.p12
cert secure.seOOOO.ca.p12
Or you didn't specify the cert passphrase when importing the file:
switch/Admin# show crypto file
Filename File File Expor Key/
Size Type table Cert
-----------------------------------------------------------------------
secure.seOOOO.ca.p12 5066 PKCS12 No BOTH
ACE/Cisco# crypto import ftp passphrase password123 10.20.5.10
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##
Successfully imported file from remote server.
Hope this helps.
Pablo
10-04-2010 08:44 AM
James,
In order for the ACE to terminate SSL, the certs/key need to be in PEM format. Please see the attached configuration guide for SSL.
Thanks
Chris
10-04-2010 02:01 PM
Thanks guys,
I got it working. The ACE does accept a p12 certificate and key file. It was a configuration problem on the web servers. I also tried using the openssl command to convert the p12 to pem format and applied those to the ACE. It works either way.
James
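Pablo's point that the ACE wants the same .p12 file bound as both key and cert, and James's fallback of converting it to PEM with openssl, can both be checked on a workstation before touching the load balancer. The script below is an added example, not code from this thread or from Cisco: it verifies that a PKCS#12 bundle opens with the given passphrase, that it really carries both a private key and a certificate, and that the key belongs to the certificate; then it splits the bundle into PEM files. The self-signed demo certificate, the file names and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): check a PKCS#12 bundle the way
# the ACE needs it, i.e. ONE file carrying BOTH the private key and the cert,
# readable with the import passphrase and with the key matching the cert; then
# split it into PEM, the alternative James used. The demo cert, file names and
# passphrase below are constructed for this example.
set -u

# p12_has_key_and_cert FILE PASSPHRASE
# Prints BOTH, CERT-ONLY, KEY-ONLY, MISMATCH or EMPTY; returns non-zero when
# the passphrase is wrong or the file is not PKCS#12 at all.
p12_has_key_and_cert() {
    tmp=$(mktemp -d) || return 1
    # A wrong passphrase fails the MAC check here, before anything is extracted.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$tmp/cert.pem" 2>/dev/null ||
        { rm -rf "$tmp"; return 1; }
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null || :
    has_cert=0; has_key=0
    grep -q 'BEGIN CERTIFICATE' "$tmp/cert.pem" && has_cert=1
    grep -q 'PRIVATE KEY' "$tmp/key.pem" 2>/dev/null && has_key=1
    result=EMPTY
    if [ $has_cert -eq 1 ] && [ $has_key -eq 1 ]; then
        # Same SubjectPublicKeyInfo from both halves => the key belongs to the cert.
        cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout)
        if [ "$cert_pub" = "$key_pub" ]; then result=BOTH; else result=MISMATCH; fi
    elif [ $has_cert -eq 1 ]; then result=CERT-ONLY
    elif [ $has_key -eq 1 ]; then result=KEY-ONLY
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}
# p12_to_pem FILE PASSPHRASE OUTBASE: writes OUTBASE.crt and an unencrypted OUTBASE.key
p12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.crt" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null
}

# Constructed demo material: a throwaway self-signed cert, one good bundle, one cert-only bundle.
DEMO_DIR=$(mktemp -d); DEMO_PASS=password123
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=secure.example.test" \
    -keyout "$DEMO_DIR/k.pem" -out "$DEMO_DIR/c.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$DEMO_DIR/k.pem" -in "$DEMO_DIR/c.pem" \
    -passout "pass:$DEMO_PASS" -out "$DEMO_DIR/both.p12"
openssl pkcs12 -export -nokeys -in "$DEMO_DIR/c.pem" -passout "pass:$DEMO_PASS" \
    -out "$DEMO_DIR/certonly.p12"
p12_has_key_and_cert "$DEMO_DIR/both.p12" "$DEMO_PASS"       # BOTH
p12_has_key_and_cert "$DEMO_DIR/certonly.p12" "$DEMO_PASS"   # CERT-ONLY
p12_to_pem "$DEMO_DIR/both.p12" "$DEMO_PASS" "$DEMO_DIR/site"
```

A bundle that reports anything other than BOTH is the one to fix before importing; the split .crt/.key pair is what you would import as separate PEM files instead.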