Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-07-18 11:43:20.0

SSL/TLS Certificate Installation Guide: Cisco ACE

Article Number: 70751

User-added image
Purpose: SSL/TLS Certificate Installation Guide
For Cisco ACE
User-added image
Skip to Installation


Need help generating a Certificate Signing Request (CSR) with this server? See our article here.

Before you begin...
  • Never share private keys files. 
  • If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
  • It is best practice to ensure that you have current and up to date Ciphers and Protocols to ensure the best security when deploying a new Private key and Server Certificate.
  • Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
  • For more information on SSL/TLS Best Practices, click here.
Installing your Entrust SSL/TLS Certificate on Cisco ACE

When you receive your global site certificate and intermediate CA certificate, you must import them to the desired ACE context by importing the certificate and key pair files (part 1). Then you create a certificate chain group that includes both certificates (part 2). The ACE sends the chain group to the client during the initial SSL handshake.

This process is in two parts:
1) Importing Certificate and Key Pair Files
2) Creating Chain Group

Part 1 of 2: Importing Certificate and Key Pair Files

You can import a certificate or key pair file to the ACE from a remote server by using the crypto import command in Exec mode. Because a network device uses its certificate and corresponding public key together to prove its identity during the SSL handshake, be sure to import both the certificate file and its corresponding key pair file.

The syntax of this command is as follows:

crypto import [non-exportable] {{ftp | sftp} [passphrase passphrase] ip_addr username remote_filename local_filename} | {tftp [passphrase passphrase] ip_addr remote_filename local_filename} | terminal local_filename [passphrase passphrase]

The keywords, arguments, and options are as follows:

non-exportable: (Optional) Marks the imported file as nonexportable, which means that you cannot export the file from the ACE.
ftp: Specifies the File Transfer Protocol file transfer process.
sftp: Specifies the Secure File Transfer Protocol file transfer process. We recommend that you use SFTP because it is more secure than FTP or TFTP.
tftp: Specifies the Trivial File Transfer Protocol file transfer process.
terminal: Allows you to import a file using cut and paste by pasting the certificate and key pair information to the terminal display. You must use the terminal method to display PEM files, which are in ASCII format.
passphrase passphrase: (Optional) Indicates that the file was created with a passphrase, which you must submit with the file transfer request in order to use the file.The passphrase pertains only to encrypted PEM files and PKCS files.
ip_addr: IP address of the remote server. Enter an IP address in dotted-decimal notation (for example, 192.168.12.15).
username: Username required to access the remote server. The ACE prompts you for your password when you execute the command.
remote_filename: Name of the certificate or key pair file that resides on the remote server to import.
local_filename: Name to save the file to when imported to the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.

The ACE supports the importation of PEM-encoded SSL certificates and keys with a maximum line width of 130 characters using the terminal. If an SSL certificate or key is not wrapped or it exceeds 130 characters per line, use a text editor such as the visual (vi) editor or Notepad to manually wrap the certificate or key to less than 130 characters per line. Alternatively, you can import the certificate or key by using SFTP, FTP, or TFTP with no regard to line width. Of these methods, we recommend SFTP becaues it is secure.

For example, to import the RSA key file MYRSAKEY.PEM from an SFTP server, enter:

 host1/Admin# crypto import non-exportable sftp 1.1.1.1 JOESMITH 
/USR/KEYS/MYRSAKEY.PEM MYKEY.PEM
 Password: ********
 Passive mode on.
 Hash mark printing on (1024 bytes/hash mark).
 #
 Successfully imported file from remote server.
 host1/Admin#


The following example shows how to use the terminal keyword to allow pasting of the certificate information to the file MYCERT.PEM:

 host1/Admin# crypto import terminal MYCERT.PEM
 Enter PEM formatted data ending with a blank line or "quit" on a line 
by itself
 --------BEGIN CERTIFICATE-----------------------
 MIIC1DCCAj2gAwIBAgIDCCQAMA0GCSqGSIb3DQEBAgUAMIHEMQswCQYDVQQGEwJa
 QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
 BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
 aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
 MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMTA3
 -----------END CERTIFICATE------------------------
 quit


Part 2 of 2: Creating a Chain Group

To create a chain group, use the crypto chaingroup command in configuration mode.

The syntax of this command is as follows:

crypto chaingroup group_name

The group_name argument is the name of the chain group. Enter an unquoted alphanumeric string with a maximum of 64 characters.

For example, to create the chain group MYCHAINGROUP, enter:

host1/Admin(config)# crypto chaingroup MYCHAINGROUP

After you create a chain group, the CLI enters chaingroup configuration mode, where you add the required certificate files to the group.

host1/Admin(config-chaingroup)#

To delete an existing chain group, enter:

host1/Admin(config)# no crypto chaingroup MYCHAINGROUP

You can add certificate files to the chain group by using the cert command in chaingroup configuration mode. You can configure a chaingroup with up to nine certificates.

The syntax of this command is as follows:

cert cert_filename

The cert_filename argument is the name of an existing certificate file stored on the ACE. Enter an unquoted alphanumeric string with a maximum of 40 characters.
Note: When you make a change to a chain-group certificate, the change takes effect only after you re-specify the associated chain group in the SSL proxy service using the chaingroup command. See the "Creating and Defining an SSL Proxy Service" section in Chapter 3, Configuring SSL Termination.

Your SSL/TLS certificate should be installed.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
CountryNumber
Australia0011 - 800-3687-7863
1-800-767-513
Austria00 - 800-3687-7863
Belgium00 - 800-3687-7863
Denmark00 - 800-3687-7863
Finland990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France00 - 800-3687-7863
Germany00 - 800-3687-7863
Hong Kong001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland00 - 800-3687-7863
Israel014 - 800-3687-7863
Italy00 - 800-3687-7863
Japan001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
Korea001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia00 - 800-3687-7863
Netherlands00 - 800-3687-7863
New Zealand00 - 800-3687-7863
0800-4413101
Norway00 - 800-3687-7863
Singapore001 - 800-3687-7863
Spain00 - 800-3687-7863
Sweden00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland00 - 800-3687-7863
Taiwan00 - 800-3687-7863
United Kingdom00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088