I have a problem getting the SSL-Proxy service running (on a Catalyst 6509 with IOS and the SSL and CSM service modules). I need it for a web service and I would like to put the certificates on the module; I'm not using a PKI or anything. Does anybody have an idea how to get my HTTPS service running?
Thanks, Michael
-----------------
ssl-proxy02#sh ssl-proxy service
Proxy Service Name     Admin status   Operation status
HTTPS                  up             down (No cert)
--------------------
#sh run
....
ssl-proxy service HTTPS
 virtual ipaddr 10.201.1.102 protocol tcp port 443
 server ipaddr 10.201.1.123 protocol tcp port 81
 certificate rsa general-purpose olaf trusted-ca olaf
 inservice
ssl-proxy vlan 43
 ipaddr 10.201.1.2 255.255.255.0
 gateway 10.201.1.1
!
crypto ca trustpoint olaf
 enrollment terminal
 crl optional
....
The SSLM needs to have a working RSA key pair with an enrolled certificate for every proxy service and the complete CA chain for that certificate.
There are at least 3 ways to "get" certificates into the SSLM:
- Self-signed by the SSLM
If you're only interested in evaluating the SSLM you can have self-signed certificates for your trustpoints generated by the SSLM itself. Be careful, they do not survive a reload of the module. Because of this, they're only useful for testing.
- Import an existing key pair/certificates
If you already have the RSA key pair, the trustpoint certificate and the certificates of the CA chain, import all of them through PKCS#12 file import.
- Manual enrollment with a 3rd-party CA
If you do not have a PKI you can generate RSA key pairs and a certificate request on the SSLM and forward this request to a 3rd-party CA. Then import the CA's certificate and the issued certificate back into the SSLM. Importing self-signed certificates from a third party will not work.
Manual Enrollment, Example 2: Configuring Certificate Enrollment Using Cut-and-Paste
Current configuration : 4886 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ssl-proxy02
!
enable secret 5.
!
spd headroom 512
ip subnet-zero
ip domain olaf
!
!
!
ssl-proxy service olaf
 virtual ipaddr 10.201.1.102 protocol tcp port 443
 server ipaddr 10.201.1.123 protocol tcp port 81
 certificate rsa general-purpose trustpoint foto
 inservice
ssl-proxy vlan 43
 ipaddr 10.201.1.2 255.255.255.0
!
crypto ca trustpoint thawte.com
 enrollment terminal pem
 crl optional
!
crypto ca trustpoint foto
 enrollment terminal pem
 crl optional
 rsakeypair olaf
!
crypto ca certificate chain thawte.com
 ....
crypto ca certificate chain foto
 ......
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.1.1
no ip http server
no ip http secure-server
!
!
no cdp run
!
line con 0
line 1 3
 no exec
 transport input all
 flowcontrol software
line vty 0 4
 password
 login
!
end
----------------------------------------------------------
ssl-proxy02#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    EA = snipped-for-privacy@thawte.com
    CN = Thawte Premium Server CA
    OU = Certification Services Division
    O = Thawte Consulting cc
    L = Cape Town
    ST = Western Cape
    C = ZA
  Subject:
    EA = snipped-for-privacy@thawte.com
    CN = Thawte Premium Server CA
    OU = Certification Services Division
    O = Thawte Consulting cc
    L = Cape Town
    ST = Western Cape
    C = ZA
  Validity Date:
    start date: 00:00:00 UTC Aug 1 1996
    end date:   23:59:59 UTC Dec 31 2020
  Associated Trustpoints: foto thawte.com
-------------------------------------------------------
ssl-proxy02#sh ssl-proxy service olaf
Service id: 1, bound_service_id: 257
Virtual IP: 10.201.1.102, port: 443
Server IP: 10.201.1.123, port: 81
rsa-general-purpose certificate trustpoint: foto
  No certificate yet
Admin Status: up
Operation Status: down
Proxy status: No certificate
Regards, Michael
"Christian Zeng" wrote in message news: snipped-for-privacy@hobel.zengl.net...
How many certificates are listed below the chain, especially for foto? There *must* be at least 2 entries starting with "certificate ca" under the 'foto' statement: one for the SSLM certificate, one for the CA certificate.
What about the certificate for 'foto' itself?
You need to have the CA certificate and the certificate for the SSLM service itself + the corresponding RSA private key. sh cry ca cert must list both of them. That's the reason why
shows
Import the "server"-certificate - the certificate the SSLM should present to the clients. Make sure that you have the RSA keypair available at the SSLM.
When you created the certificate request on the module, the keys should be there ('olaf', sh cry key mypubkey rsa).
If you created the certificate request somewhere else, the keypair is not available at the SSLM and you have to import it too. Normally this is done in one step by having a file containing the certificates and the public and private key (PKCS#12).
In a previous post you mentioned 'pem' import. What components are inside your pem file? Maybe the private key is not included in your imported file.
A configuration example:
ssl-proxy service <name>
 virtual ipaddr <vip> protocol tcp port 443
 server ipaddr <server-ip> protocol tcp port 81
 certificate rsa general-purpose trustpoint <trustpoint>
 inservice

crypto ca trustpoint <trustpoint>
 enrollment terminal
 crl optional
 rsakeypair <keypair>

crypto ca certificate chain <trustpoint>
 certificate [content]
 certificate ca [content]
If you only have one proxy service and your certificate is not issued by a subordinate CA, additional trustpoints are not needed.
Thanks for your help! My problem was that I had the wrong certificate for my CA. :-((( The problem is that the module doesn't tell you that the certificate is wrong.
Thanks for your help! Michael
"Christian Zeng" wrote in message news: snipped-for-privacy@hobel.zengl.net...
show crypto ca should tell you something about the "Availability" status of each certificate. If there are unresolved dependencies due to missing parts in a certificate chain, this is the only point where you can see that something is wrong/missing.
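As an added example (not from this thread and not Cisco tooling; it assumes openssl on the PATH and that the first certificate in a bundle is the server certificate), the following POSIX shell script builds a throwaway CA and server certificate and then checks a PEM bundle for exactly the parts Christian lists: a private key that matches the server certificate and a CA certificate that really issued it. It reproduces Michael's "wrong certificate for my CA" case so the problem is caught before import instead of surfacing only as "No certificate" on the module; all names, IPs used as CNs, and files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco tooling; assumes openssl on PATH):
# build a throwaway CA and server cert, then check a PEM bundle for the parts the
# SSLM needs before import: a private key that matches the server certificate,
# and a CA certificate that actually issued it. All names and files are constructed.
set -e
WORK=$(mktemp -d)

# constructed test PKI: CA "olaf-ca", a server cert for 10.201.1.102, and an
# unrelated CA "other-ca" to play the wrong CA certificate from the thread
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=olaf-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=10.201.1.102" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/srv.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=other-ca" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# inspect_bundle FILE: prints "ok", or the first missing/wrong part (and returns 1).
# Convention: the first CERTIFICATE block is the server cert, the rest are the chain.
inspect_bundle() {
  f=$1; s="$WORK/part_srv.pem"; ch="$WORK/part_chain.pem"; k="$WORK/part_key.pem"
  rm -f "$s" "$ch" "$k"
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
  [ "$keys" -ge 1 ] || { echo "no private key in bundle"; return 1; }
  [ "$certs" -ge 2 ] || { echo "need server cert and CA cert, found $certs"; return 1; }
  # split the PEM blocks out: key, first cert, remaining certs
  awk '/BEGIN .*PRIVATE KEY/{c=1} c{print > k} /END .*PRIVATE KEY/{c=0}' k="$k" "$f"
  awk '/BEGIN CERTIFICATE/{n++; c=1} c{print > (n==1 ? s : ch)} /END CERTIFICATE/{c=0}' \
    s="$s" ch="$ch" "$f"
  # the key must belong to the server cert: compare public-key (SPKI) digests
  certpub=$(openssl x509 -in "$s" -noout -pubkey | openssl md5)
  keypub=$(openssl pkey -in "$k" -pubout 2>/dev/null | openssl md5)
  [ "$certpub" = "$keypub" ] || { echo "private key does not match server cert"; return 1; }
  # the server cert must chain to a CA cert that is actually in the bundle
  openssl verify -CAfile "$ch" "$s" >/dev/null 2>&1 ||
    { echo "server cert does not chain to the CA cert in the bundle"; return 1; }
  echo ok
}

# three constructed bundles: complete, private key missing, wrong CA certificate
cat "$WORK/srv.key" "$WORK/srv.crt" "$WORK/ca.crt" > "$WORK/good.pem"
cat "$WORK/srv.crt" "$WORK/ca.crt" > "$WORK/nokey.pem"
cat "$WORK/srv.key" "$WORK/srv.crt" "$WORK/other.crt" > "$WORK/wrongca.pem"
for b in good nokey wrongca; do
  echo "$b: $(inspect_bundle "$WORK/$b.pem" || true)"
done
```

For a PKCS#12 file, convert it first with `openssl pkcs12 -in file.p12 -nodes` and make sure the server certificate comes first in the result, since the script treats the first certificate as the server certificate.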