Introduction
Cisco Wide Area Application Services (WAAS) is a comprehensive WAN optimization and application acceleration solution. Cisco WAAS SSL acceleration is supported on all Cisco Wide Area Application Engine (WAE) and Wide Area Virtualization Engine (WAVE) platforms running Cisco WAAS Software Version 4.1.3 or later. An Enterprise license is also required to enable the Cisco WAAS SSL Application Optimizer services.
WAAS Certificates
To generate a self-signed certificate and private key, follow these steps:
1) Check the Mark private key as exportable check box so that this certificate/key can be exported later in the WAAS Central Manager and device CLI.
2) Fill in the certificate and private key fields.
To import an existing certificate or certificate chain and, optionally, a private key, follow these steps:
1) Check the Mark private key as exportable check box so that this certificate/key can be exported later in the WAAS Central Manager and device CLI.
2) To import an existing certificate or certificate chain and private key, do one of the following:
• Upload the certificate and key in PKCS#12 format (also known as Microsoft PFX format).
• Upload the certificate and private key in PEM format.
• Paste the certificate and private key PEM content.
To export a configured certificate and private key, follow these steps:
1) Enter the encryption pass-phrase.
2) Export the current certificate and private key in either PKCS#12 or PEM format. With the PEM format, both the certificate and the private key are included in a single PEM file.
Problem
The user receives an alarm stating that the machine cert in the file __waas-self__.p12 is near expiration or is expired.
WAE01#show alarms
Critical Alarms:
----------------
None
Major Alarms:
-------------
     Alarm ID             Module/Submodule     Instance
     -------------------- -------------------- --------------------
   1 cert_expired         sslao/SGS/gsetting   cert_expired
Minor Alarms:
-------------
None
Description
Enter the following command to see more details:
WAE01#show alarms detail
Critical Alarms:
----------------
None
Major Alarms:
-------------
     Alarm ID             Module/Submodule     Instance
     -------------------- -------------------- --------------------
   1 cert_expired         sslao/SGS/gsetting   cert_expired
July 25 11:31:55.304 PDT, Processing Error Alarm, #000140, 26000:26006
Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings
Minor Alarms:
-------------
None
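As an added example (not part of the original document and not Cisco tooling), the following Python script scans captured `show alarms detail` output for certificate alarms and reports the device, severity, certificate file and configured role. The sample input is transcribed from the output above; the "near expiration" wording is assumed from the problem statement, and the function name `cert_alarms` is hypothetical.

```python
import re

# Sample input: the `show alarms detail` output shown above on this page.
SAMPLE = """\
WAE01#show alarms detail
Critical Alarms:
----------------
None
Major Alarms:
-------------
     Alarm ID             Module/Submodule     Instance
     -------------------- -------------------- --------------------
   1 cert_expired         sslao/SGS/gsetting   cert_expired
July 25 11:31:55.304 PDT, Processing Error Alarm, #000140, 26000:26006
Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings
Minor Alarms:
-------------
None
"""

PROMPT = re.compile(r"^(\S+)#\s*show alarms")
SEVERITY = re.compile(r"^(Critical|Major|Minor) Alarms:\s*$")
# Assumption: a near-expiration alarm uses the same sentence with "near expiration".
CERT = re.compile(r"Certificate '([^']+)' is (expired|near expiration)\."
                  r"(?: It is configured as (.+?) in (.+))?$")

def cert_alarms(text):
    """Return one dict per certificate alarm in `show alarms detail` output."""
    device, severity, found = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if m := PROMPT.match(line):        # new device capture starts here
            device, severity = m.group(1), None
        elif m := SEVERITY.match(line):    # track the current severity section
            severity = m.group(1)
        elif m := CERT.search(line):       # the alarm's detail sentence
            found.append({"device": device, "severity": severity,
                          "cert": m.group(1), "state": m.group(2),
                          "role": m.group(3), "scope": m.group(4)})
    return found

if __name__ == "__main__":
    for a in cert_alarms(SAMPLE):
        print("{device}: [{severity}] {cert} is {state} ({role}, {scope})".format(**a))
```

Captures from several devices can be concatenated into one input; each alarm is attributed to the most recent prompt line seen.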
Check the certificates on the WAAS device:
WAE01#show crypto certificates
Certificate Only Store:
-----------------------
<EMPTY>
Managed Store:
--------------
<EMPTY>
Local Store:
------------
Machine Self signed Certificate
-------------------------------
Format: PKCS12
Subject: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com
Management Service Certificate
------------------------------
Format: PKCS12
EEC:Subject: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=CNBU/O=Cisco Systems, Inc/CN=KM-UKM-WAE-01.**.*****.****.***/emailAddress=tac@cisco.com
Resolution
a) To recreate the certificate and associate it with the WAAS device, enter the following commands:
WAE01(config)#crypto generate self-signed-cert waas-self.p12 rsa modulus 1024
WAE01(config)#crypto ssl services global-settings machine-cert-key waas-self.p12
b) On older software versions, you may be hitting bug CSCte05426.
c) If the certificates are no longer in use, delete them.
d) Occasionally you may get certificate expiry notifications for a third-party vendor (e.g. Verisign) certificate. To remedy this, contact the vendor for the valid version. Cisco cannot provide a fresh certificate because the certificate does not belong to Cisco.
References
Cisco Wide Area Application Services SSL Application Optimizer Deployment Guide
Cisco WAAS Troubleshooting Guide for Release 4.1.3 and Later -- Troubleshooting the SSL AO