Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2011-08-15 10:27:12

TN 8417 - How do I install the Server Certificate on a Cisco ACE appliance?

Question:

How do I install the Server Certificate on a Cisco ACE appliance?

Answer:

To install the Server Certificate, complete the following steps:

Part 1 – Importing the Server Certificate

   1.    Copy the Server Certificate in PEM format, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

   2.    Import the Server Certificate onto the ACE using the crypto import command in Exec mode. The following example uses the terminal keyword so that the certificate can be pasted directly into the file entrustcert.pem; the certificate body shown is abbreviated sample data, so paste your own certificate in its place. The same command with ftp, sftp or tftp in place of terminal fetches the file from a server, and the non-exportable keyword (worth using when the private key is imported this way) prevents the file from being read back later with crypto export.

ACE-1/Admin# crypto import terminal entrustcert.pem
Enter PEM formatted data ending with a blank line or "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIC1DCCAj2gAwIBAgIDCCQAMA0GCSqGSIb3DQEBAgUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMTA3
-----END CERTIFICATE-----
quit


3.    Use the show crypto certificate command to display the certificate information. Check that the Subject CN is the host name clients will connect to and that the Not After date is still in the future. For example:

ACE-1/Admin# show crypto certificate all

All Certificate Files Loaded:
entrustcert.pem:
Subject: /C=US/ST=TX/L=Dallas/O=Entrust,Inc./OU=Entrust Certificate Services/CN=ace.entrust.net
Issuer: /C=US/O=Entrust.net/OU=(c) 2009 Entrust, Inc. /OU=www.entrust.net/rpa is incorporated by reference/CN=Entrust Certification Authority - L1C
Not Before: Feb 10 16:43:54 2010 GMT
Not After: Feb 10 17:13:54 2012 GMT
CA Cert: FALSE

Part 2 – Verify the Certificate against a Key Pair

A certificate certifies exactly one public key, so it can only be used with the key pair that public key belongs to: the private key that signed the CSR. Compare the public key in the Server Certificate file with the public key in the key pair file and verify that they are identical by using the crypto verify command in Exec mode. A mismatch normally means the key on the ACE is not the one the CSR was generated from (for example, the key was regenerated after the request was submitted); in that case either locate the original key or generate a new CSR from the current key and have the certificate reissued.

1.    Display a list of available certificate and key pair files loaded on the ACE. For example:

ACE-1/Admin# show crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
entrustcert.pem                          1354  PEM     Yes        CERT
EntrustL1C.pem                           1804  PEM     Yes        CERT
key.pem                                  887   PEM     Yes        KEY


2.    Verify the public keys in the key file and Server Certificate file match. For example:

ACE-1/Admin# crypto verify key.pem entrustcert.pem
Keypair in key.pem matches certificate in entrustcert.pem

The following example shows what the ACE displays when the public keys do not match:

ACE-1/Admin# crypto verify key.pem entrustcert.pem
Keypair in key.pem does not match certificate in entrustcert.pem


Part 3 – Configuring the SSL Proxy Service

After the SSL files have been verified, configure an SSL proxy service on the ACE. The proxy service is a logical grouping of the certificate, key, chain group and SSL parameters that defines how the ACE terminates SSL for a virtual server; it only takes effect once it is referenced (ssl-proxy server proxy-1) under the class in the multi-match policy map applied to that VIP.

1.    Apply the Server Certificate and key to the proxy service. For example:

ACE-1/routed(config)# ssl-proxy service proxy-1
ACE-1/routed(config-ssl-proxy)# cert entrustcert.pem
ACE-1/routed(config-ssl-proxy)# key key.pem


2.    Use the show crypto chaingroup command to display the chain group file summary and confirm that the Entrust intermediate is present. The Subject of the chain group certificate must equal the Issuer shown for entrustcert.pem in Part 1 (Entrust Certification Authority - L1C); otherwise clients cannot build the chain. For example:

ACE-1/Admin# show crypto chaingroup all
chaingroup EntrustChaingroup contains:
EntrustL1C.pem:
  Subject:
/C=US/O=Entrust.net/OU=(c) 2009 Entrust, Inc. /OU=www.entrust.net/rpa is incorporated by reference/CN=Entrust Certification Authority - L1C
  Issuer:
/O=Entrust.net/OU=(c) 1999 Entrust.net Limited/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/CN=Entrust.net Certification Authority (2048)

If no chain group has been configured containing the Entrust intermediate certificate, see Part 2 of the instructions for installing the L1C Chain Certificate on the Cisco ACE.

 

3.    In addition to applying a certificate and key to the proxy service, attach the chain group so that the ACE sends the intermediate certificate along with the server certificate during the handshake. Without it, clients that do not already hold the L1C intermediate cannot build a path to the Entrust root and will show a certificate warning. For example:

ACE-1/routed(config)# ssl-proxy service proxy-1
ACE-1/routed(config-ssl-proxy)# chaingroup EntrustChaingroup
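The two checks that matter before the proxy service goes live, that key.pem is the key pair behind entrustcert.pem (Part 2) and that the certificate in the chain group really is the issuer of entrustcert.pem (Part 3, step 2), can be run off-box with OpenSSL before anything is pasted into the ACE. The script below is an added example, not from the Entrust knowledge base or from Cisco: it generates its own throwaway key pairs and certificates as constructed test data (a self-signed test CA stands in for the real L1C intermediate), reuses the file names key.pem, entrustcert.pem and EntrustL1C.pem from this article by assumption, and compares the SubjectPublicKeyInfo of the key and the certificate in the same way crypto verify does.

```shell
#!/bin/sh
# Added example (not from the Entrust KB or the Cisco ACE software).
# Reproduces "crypto verify key cert" and a chain-group issuer check with
# OpenSSL. All key material below is generated on the fly as constructed test
# data; file names mirror the article by assumption, and a self-signed test CA
# stands in for the real Entrust L1C intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: test CA, server key + certificate issued by that CA, and an
# unrelated key to exercise the "does not match" case. Private config files
# are used so the script does not depend on the system openssl.cnf.
build_test_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Example Lab
CN = Example Intermediate CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = US
O = Example Lab
CN = ace.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" \
        -out "$WORK/EntrustL1C.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -keyout "$WORK/key.pem" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/EntrustL1C.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/entrustcert.pem" 2>/dev/null
    openssl genrsa -out "$WORK/otherkey.pem" 2048 2>/dev/null
}

# Public key (SubjectPublicKeyInfo) carried by a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public half of a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Equivalent of "crypto verify key.pem entrustcert.pem": a certificate is only
# usable with the private key whose public key it certifies, so the two
# SubjectPublicKeyInfo blobs must be identical. Returns 0 on match, 1 otherwise.
verify_keypair() {
    key=$1
    cert=$2
    if [ "$(key_pubkey "$key")" = "$(cert_pubkey "$cert")" ]; then
        echo "Keypair in $(basename "$key") matches certificate in $(basename "$cert")"
        return 0
    fi
    echo "Keypair in $(basename "$key") does not match certificate in $(basename "$cert")"
    return 1
}

# Chain-group check for Part 3: the intermediate must be the issuer of the
# server certificate (server Issuer DN == intermediate Subject DN) and its key
# must verify the signature. -partial_chain lets a non-self-signed intermediate
# such as the real L1C act as the trust anchor without the Entrust root.
verify_chain() {
    inter=$1
    cert=$2
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subject=$(openssl x509 -in "$inter" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    openssl verify -partial_chain -CAfile "$inter" "$cert" >/dev/null 2>&1
}

build_test_pki
verify_keypair "$WORK/key.pem" "$WORK/entrustcert.pem" || true
verify_keypair "$WORK/otherkey.pem" "$WORK/entrustcert.pem" || true
if verify_chain "$WORK/EntrustL1C.pem" "$WORK/entrustcert.pem"; then
    echo "EntrustL1C.pem issued entrustcert.pem: correct intermediate for the chaingroup"
else
    echo "EntrustL1C.pem did not issue entrustcert.pem: wrong intermediate in the chaingroup"
fi
```

To run the same checks against real files, call verify_keypair key.pem entrustcert.pem and verify_chain EntrustL1C.pem entrustcert.pem with the files you are about to import; a match from the first and a successful second check mean the ACE's own crypto verify will succeed and the chain group holds the right intermediate.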

 

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable