Guest

Cisco CSS 11500 Series Content Services Switches

Requesting and Installing a Global Certificate on the CSS11500

Document ID: 47782

Updated: Dec 21, 2005

   Print

Introduction

If you do not have pre-existing keys and certificates for the Content Services Switch (CSS), you can generate them on the CSS. The CSS includes a series of certificate and private key management utilities to simplify the process of generating private keys, Certificate Signing Requests (CSR), and self-signed temporary certificates. This document describes the process for obtaining a new certificate from a certificate authority (CA) and installing it to the CSS.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: In order to find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Configurations

This document uses these configurations:

  • Generate Rivest, Shamir, and Adelman (RSA) Key Pair

  • Associate the RSA Key Pair File

  • Generate CSR

  • Obtain the Verisign Intermediate Certificate

  • Import Chained Certificate File

  • Associate the Certificate File

  • Configure the SSL Proxy List

  • Configure Secure Socket Layer (SSL) Service and Content Rules

Generate Rivest, Shamir, and Adelman (RSA) Key Pair

Issue the ssl genrsa command to generate an RSA private/public key pair for asymmetric encryption. The CSS stores the generated RSA key pair as a file on the CSS. For example, to generate the RSA key pair myrsakey.pem, type the following:

CSS11500(config) # ssl genrsa myrsakey.pem 1024 “passwd123”

Please be patient this could take a few minutes

Associating the RSA Key Pair File

Issue the ssl associate rsakey command to associate the RSA key pair name to the generated RSA key pair. For example, to associate the RSA key name myrsakey1 to the generated RSA key pair file myrsakey.pem, type the following:

CSS11500(config) # ssl associate rsakey myrsakey1 myrsakey.pem

Generate CSR

Issue the ssl gencsr rsakey command to generate a CSR file for an associated RSA key pair file. This CSR will be sent to the CA for signing. For example, to generate a CSR based on the RSA key pair myrsakey1, type the following:

CSS11503(config)# ssl gencsr myrsakey1

You are about to be asked to enter information
that will be incorporated into your certificate
request. What you are about to enter is what is
called a Distinguished Name or a DN.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US] US
State or Province (full name) [SomeState] CA
Locality Name (city) [SomeCity] San Jose
Organization Name (company name) [Acme Inc]Cisco Systems, Inc.
Organizational Unit Name (section) [Web Administration] Web Admin
Common Name (your domain name) [www.acme.com] www.cisco.com
Email address [webadmin@acme.com] webadmin@cisco.com

The ssl gencsr command generates the CSR and outputs it to the screen. Most major CAs have Web-based applications that require you to cut and paste the certificate request to the screen.

-----BEGIN CERTIFICATE REQUEST-----
MIIBWDCCAQICAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTETMBEGA1UE
BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
A1UECxMJV2ViIEFkbWluMRYwFAYDVQQDEw13d3cuY2lzY28uY29tMSEwHwYJKoZI
hvcNAQkBFhJra3JvZWJlckBjaXNjby5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
AkEAqHXjtQUVXvmo6tAWPiMpe6oYhZbJUDgTxbW4VMCygzGZn2wUJTgLrifDB6N3
v+1tKFndE686BhKqfyOidml3wQIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQA94yC3
4SUJJ4UQEnO2OqRGLOZpAElc4+IV9aTWK6NmiZsM9Gt0vPhIkLx5jjhVRLlb27Ak
H6D5omXa0SPJan5x
-----END CERTIFICATE REQUEST-----

The CA signs the CSR and returns it to you, typically using the email address provided within the CSR.

Obtain the Verisign Intermediate Certificate

Obtain Certificate from a CA

After submitting your CSR to a CA, it takes between one and seven business days to receive a signed certificate; times vary due to the CA. Once the CA has signed and delivered the certificate, it can be added to the CSS.

If you are applying for a StepUp/SGC or chained certificate, you need to obtain the intermediate certificate used to sign your certificate. You can obtain VeriSign's Intermediate Certificate from the following link:

Save the intermediate certificate to a file. For example, intermediate.pem.

Concatenate Server and Intermediate Certificates

In order to use chained certificates on the CSS, the server certificate and intermediate must be concatenated together. This allows the CSS to return the entire certificate chain to the client upon the initial SSL handshake. When creating the chained certificate file for the CSS, be sure the certificates are in the proper order. The server certificate must be first, then the intermediate certificate used to sign the server certificate must be next. There must be a single newline between the server and intermediate certificates. For example, concatenate the server certificate servercert.pem and the intermediate.pem into a chained certificate called mychainedrsacert.pem. The following displays the entire contents of the mychainedrsacert.pem file.

-----BEGIN CERTIFICATE-----
MIICwTCCAioCAQUwDQYJKoZIhvcNAQEEBQAwgagxCzAJBgNVBAYTAlVTMRMwEQYD
 VQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEeMBwGA1UEChMVRXhh
 bXBsZSBTeXN0ZW1zLCBJbmMuMRIwEAYDVQQLEwlXZWIgQWRtaW4xGDAWBgNVBAMT
 D3d3dy5leGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUd2ViYWRtaW5AZXhhbXBs
 ZS5jb20wHhcNMDQwMTA5MDgzMjI3WhcNMDQwMjA4MDgzMjI3WjCBqDELMAkGA1UE
 BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMR4w
 HAYDVQQKExVFeGFtcGxlIFN5c3RlbXMsIEluYy4xEjAQBgNVBAsTCVdlYiBBZG1p
 bjEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMSMwIQYJKoZIhvcNAQkBFhR3ZWJh
 ZG1pbkBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2huF
 xhVeODHmoXJ4HulDqVQtCvX7eERyRarNI71p0ZV+q+qGYRtJdrlzUav/TbRn5dc0
 8IXjqrASAtTo2S4eWlTOJUnR2g0LH/lcPUaF8f+m+eODWoT8dCtNA5sgEnINAR2y
 HlS5j6dZNcyMY0nFOh68oRsZJJ58u0ZPJjl6eAsCAwEAATANBgkqhkiG9w0BAQQF
 AAOBgQADO/UTIIHnIq2Q0ICiqAQju9nz1vTiIYHBpBnUd8NkPhIHIOqNn9iZ5Q+a
 2zFjh+N2uEt5NxNOEZRbrTZH+HmZMsqJJfvfd62iq+636aPIcoo7X541DYotM05C
 OQjnehsjgwziKlp6UJtuiAwwaxtMIbP7lQXHGO6E9RnzQSvQGQ==
 -----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
 MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
 LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
 HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
 aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
 BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
 MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
 TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
 jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
 veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
 OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
 4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
 KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
 HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
 ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
 oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
 BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
 1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
 E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
 -----END CERTIFICATE-----

Import Chained Certificate File

Once the CSR has been signed by a CA, it is now called a Certificate. The Certificate file must be imported to the CSS. Issue the copy ssl command to facilitate the import or export of certificates and private keys from or to the CSS. The CSS stores all imported files in a secure location on the CSS. This command is available only in SuperUser mode. For example, to import the mychainedrsacert.pem certificate from a remote server to the CSS, type the following:

CSS11500# copy ssl sftp ssl_record import mychainedrsacert.pem PEM “passwd123”

Connecting 
Completed successfully 

Associate the Certificate File

Issue the ssl associate cert command to associate a certificate name to the imported certificate. For example, to associate the certificate name mychainedrsacert1 to the imported certificate file mychainedrsacert.pem, type the following:

CSS11500(config)# ssl associate cert mychainedrsacert1 mychainedrsacert.pem 

Configure the SSL Proxy List

Issue the ssl-proxy-list command to create an SSL proxy list. An SSL proxy list is a group of related virtual or backend SSL servers that are associated with an SSL service. The SSL proxy list contains all the configuration information for each virtual SSL Server. This includes the SSL Server creation, certificates and corresponding SSL key pair, Virtual IP (VIP) address and port, SSL ciphers supported, and other SSL options. For example, to create the ssl-proxy-list ssl_list1, type the following:

CSS11500(config)# ssl-proxy-list ssl_list1
Create ssl-list <ssl_list1>, [y/n]: y 

Once you create an SSL proxy list, the CLI enters you into the ssl-proxy-list configuration mode. Configure your SSL server as shown below.

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 vip address 192.168.3.6
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert mychainedrsacert1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.11.2 80 5
CSS11500(ssl-proxy-list[ssl_list1])# active 

Configure Secure Socket Layer (SSL) Service and Content Rules

Once the SSL proxy list is activated, a service and content rule need to be configured to allow the CSS to send SSL traffic to the SSL module. This table provides an overview of the steps required to create an SSL service for a virtual SSL server, including adding the SSL proxy list to the service and creating an SSL content rule.

Create an SSL service

CSS11500(config)# service ssl_serv1Create service <ssl_serv1>, 
   [y/n]: y
CSS11500(config-service[ssl_serv1])# type ssl-accel
CSS11500(config-service[ssl_serv1])# slot 2
CSS11500(config-service[ssl_serv1])# keepalive type none
CSS11500(config-service[ssl_serv1])# add ssl-proxy-list ssl_list1
CSS11500(config-service[ssl_serv1])# active 

Create an SSL content rule

CSS11500(config)# owner ssl_owner
Create owner <ssl_owner>, [y/n]: y
CSS11500(config-owner[ssl_owner])# content ssl_rule1
Create content <ssl_rule1>, [y/n]: y
CSS11500(config-owner-content[ssl-rule1]# vip address 192.168.3.6
CSS11500(config-owner-content[ssl-rule1]# port 443 
CSS11500(config-owner-content[ssl_rule1])# add service ssl_serv1 
CSS11500(config-owner-content[ssl_rule1])# active 

Create a clear text content rule

CSS11500(config-owner[ssl_owner])# content decrypted_www 
Create content <decrypted_www>, [y/n]: y
CSS11500(config-owner-content[decrypted_www]# vip address 192.168.11.2
CSS11500(config-owner-content[decrypted_www]# port 80
CSS11500(config-owner-content[decrypted_www])# add service linux_http
CSS11500(config-owner-content[decrypted_www])# add service win2k_http
CSS11500(config-owner-content[decrypted_www])# active 

At this point, client HTTPS traffic can be sent to the CSS at 192.168.3.6:443. The CSS decrypts the HTTPS traffic, converting it to HTTP. The CSS then chooses a service and sends the HTTP traffic to a HTTP Web server. The following is a working CSS configuration using the examples above:

CSS11501# show run
configure

!*************************** GLOBAL ***************************
ssl associate rsakey myrsakey1 myrsakey.pem
ssl associate cert mychainedrsacert1 mychainedrsacert.pem

ip route 0.0.0.0 0.0.0.0 192.168.3.1 1

ftp-record conf 192.168.11.101 admin des-password 4f2bxansrcehjgka /tftpboot

!************************* INTERFACE *************************
interface 1/1
bridge vlan 10
description "Client Side"

interface 1/2
bridge vlan 20
description "Server Side"

!************************** CIRCUIT **************************
circuit VLAN10
description "Client Segment"

ip address 192.168.3.254 255.255.255.0

circuit VLAN20
description "Server Segment"

ip address 192.168.11.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
ssl-server 20
ssl-server 20 vip address 192.168.3.6
ssl-server 20 rsakey myrsakey1
ssl-server 20 rsacert mycertcert1
ssl-server 20 cipher rsa-with-rc4-128-md5 192.168.11.2 80
active

!************************** SERVICE **************************
service linux-http
ip address 192.168.11.101
port 80
active

service win2k-http
ip address 192.168.11.102
port 80
active

service ssl_serv1
type ssl-accel
slot 2
keepalive type none
add ssl-proxy-list ssl_list1
active

!*************************** OWNER ***************************
owner ssl_owner

content ssl_rule1
vip address 192.168.3.6
protocol tcp
port 443
add service ssl_serv1
active

content decrypted_www
vip address 192.168.11.2
add service linux-http
add service win2k-http
protocol tcp
port 80
active

Verify

Use this section to confirm that your configuration works properly.

Use the show ssl file and show ssl associate commands to verify the configuration.

Verify that all files have a size larger than 0.

You can remove any certificate or key by using the clear ssl file command.

Troubleshoot

Use this section to troubleshoot your configuration.

If SSL negotiation fails, use the show ssl statistics command to view useful information about the failed SSL negotiation.

For example, check these fields:

0 Unknown issuer certificates
0 Failed signatures decryptions
0 Invalid issuer keys
0 Not yet valid certificates
0 Expired Client certificates
0 Revoked certificates
0 CRLs not obtained from host
0 CRLs with bad HTTP return codes
0 CRLs not loaded because of low memory
0 CRLs obtained but failed to load
0 CRLs with invalid signatures
0 CRLs successfully loaded
0 Successful server authentications
0 Server authentications failed
0 Expired Server certificates

Related Information

Updated: Dec 21, 2005
Document ID: 47782