Catalyst 6500 Series SSL Services Module Configuration Note, 3.1
Testing SSL Proxy Services
Downloads: This chapterpdf (PDF - 203.0KB) The complete bookPDF (PDF - 5.09MB) | Feedback

Testing SSL Proxy Services

Table Of Contents

Testing SSL Proxy Services

Generating a Self-Signed Certificate

Importing the Embedded Test Certificate


Testing SSL Proxy Services


You can test or troubleshoot SSL proxy services by doing one of the following:

Generating a Self-Signed Certificate

Importing the Embedded Test Certificate

Generating a Self-Signed Certificate

You can generate multiple self-signed certificates for testing SSL proxy services, specifying the key label and the subject name, by entering the test crypto pki self command. You must generate a key pair with a label before you generate the self-signed certificate. See the "Generating RSA Key Pairs" section for details on generating key pairs.

After you enter the test crypto pki self command, you are prompted for the key pair label and the subject name of the certificate. A trustpoint with the key pair label as the trustpoint name is automatically created, and the hexadecimal dump of the self-signed certificate displays on the console. You can then assign the trustpoint to a proxy service for testing. You can repeat the procedure after reboot if necessary. The certificate is stored in memory only and cannot be saved in NVRAM as part of the configuration.


Note You cannot save the self-signed certificates as part of the configuration.



Note You can assign a generated self-signed certificate to a proxy service, but you cannot assign an imported self-signed certificate to a proxy service because you cannot import the key pair of the certificate authority that signed the imported certificate.



Note The show crypto ca certificate command does not display the self-signed certificates.


To generate a self-signed certificate and assign a trustpoint to the proxy service, perform this task:

 
Command
Purpose

Step 1 

ssl-proxy# test crypto pki self

Generates a self-signed certificate.

Note After you enter this command, you are prompted for the subject name (using the LDAP format) and key pair name.

Step 2 

ssl-proxy# show crypto ca 
trustpoint label

Displays information for the trustpoint.

Step 3 

ssl-proxy# configure terminal

Enters configuration mode, selecting the terminal option.

Step 4 

ssl-proxy(config)# ssl-proxy 
context name

Enters the SSL context subcommand mode. Use the optional SSL context name to specify an SSL virtualization instance. The context name is case-sensitive.

Step 5 

ssl-proxy(config-context)# 
service service_name

Defines the name of the SSL proxy service.

Note The service-name is case-sensitive.

Step 6 

ssl-proxy(config-ctx-ssl-proxy)# 
certificate rsa general-purpose 
trustpoint trustpoint_label

Assigns a trustpoint to a proxy service.

Step 7 

ssl-proxy(config-ctx-ssl-proxy)# 
end

Exits configuration mode.

Step 8 

ssl-proxy# show ssl-proxy service 
service-name

Displays the key pair and the serial number of the certificate chain used for a specified proxy service.


Note If the trustpoint already exists, it might be replaced by the test certificate. We recommend that you generate a unique key pair for the test certificate.


This example shows how to generate a key pair, generate a self-signed certificate, and assign the certificate to a proxy service:

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# crypto key generate rsa general-keys label k1 modulus 1024
The name for the keys will be:k1

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]

ssl-proxy(config)# end
ssl-proxy#
*Mar 20 14:34:01.543:%SYS-5-CONFIG_I:Configured from console by console
ssl-proxy#
ssl-proxy# test crypto pki self
Enter subject name for certificate
CN=testhost.my.com, O=lab, OU=testgroup
Enter name of key to be used
k1
ssl-proxy# 
     30 82 02 06 30 82 01 6F 02 20 45 32 30 38 39 32 
     45 37 38 31 42 41 46 45 45 45 44 45 37 37 41 36 
     43 41 44 37 44 43 45 38 34 37 30 0D 06 09 2A 86 
     48 86 F7 0D 01 01 04 05 00 30 3C 31 12 30 10 06 
     03 55 04 0B 13 09 74 65 73 74 67 72 6F 75 70 31 
     0C 30 0A 06 03 55 04 0A 13 03 6C 61 62 31 18 30 
     16 06 03 55 04 03 13 0F 74 65 73 74 68 6F 73 74 
     2E 6D 79 2E 63 6F 6D 30 1E 17 0D 30 33 30 33 32 
     30 31 34 33 35 30 30 5A 17 0D 31 33 30 33 31 37 
     31 34 33 35 30 30 5A 30 3C 31 12 30 10 06 03 55 
     04 0B 13 09 74 65 73 74 67 72 6F 75 70 31 0C 30 
     0A 06 03 55 04 0A 13 03 6C 61 62 31 18 30 16 06 
     03 55 04 03 13 0F 74 65 73 74 68 6F 73 74 2E 6D 
     79 2E 63 6F 6D 30 81 9F 30 0D 06 09 2A 86 48 86 
     F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 
     81 00 EC 21 35 B5 0E BF 9C 1C 71 05 05 B2 8A 47 
     C8 F9 13 6C 5A 14 77 63 BD 0C B7 D3 35 6A DB B8 
     0F C2 D2 39 A8 62 67 EE CB BC 8D 5E F8 C2 1E 8E 
     D6 39 62 07 B4 64 20 D8 29 25 1E 9E 06 C8 F8 F9 
     A6 29 05 19 CC D9 00 E9 2D 96 6D CE CA E0 D7 BF 
     DC 9D 1B 7E 71 C1 D7 3F 25 28 41 5A F9 FB 98 66 
     B9 A7 81 18 79 71 2A AC 55 F8 CC A4 4A 90 35 A7 
     E9 BD 79 66 BC 5B C5 98 16 B0 63 5B D3 6E 85 65 
     42 1B 02 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 
     0D 01 01 04 05 00 03 81 81 00 A3 93 7A E6 60 54 
     8C 3A FF 6A 72 A8 1F 4B AD 79 53 C4 37 DF C4 D4 
     F9 F4 58 3C E4 D8 BE FF BB C5 F9 CD B0 20 7F 3D 
     0E B5 11 8E FA 33 02 9E 5E 52 36 4D 0F AB 21 41 
     97 A4 2D 94 4D DF D2 A0 B4 DE B0 2E 1C BA 16 A9 
     4C 28 34 72 8E D5 82 F6 B6 B2 D6 4E B5 1A F0 BB 
     6B 65 E7 85 52 72 9F 9C BC A7 D9 B4 79 AB 6B C2 
     DC FD AD 02 D3 28 87 CD 06 8B 11 3C 22 85 28 1B 
     DC 04 05 8D 4F 1D 07 8D D0 BC                   

ssl-proxy# show crypto ca trustpoint k1
Trustpoint k1:
    Subject Name:
    CN = testhost.my.com
     O = lab
     OU = testgroup
          Serial Number:4532303839324537383142414645454544453737413643414437444345383437
    Application generated trust point

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service ser1
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general trustpoint k1
ssl-proxy(config-ctx-ssl-proxy)#
*Mar 20 14:36:09.567:%STE-6-PKI_SERVER_CERT_INSTALL:Proxy:ser1, Trustpoint:k1, Key:k1,
Serial#:4532303839324537383142414645454544453737413643414437444345383437, Index:3
ssl-proxy(config-ctx-ssl-proxy)# end
ssl-proxy#
*Mar 20 14:36:16.363:%SYS-5-CONFIG_I:Configured from console by console
ssl-proxy#
ssl-proxy# show ssl-proxy service ser1
Service id:2, bound_service_id:258
Virtual IP address not configured
Server IP address not configured
rsa-general-purpose certificate trustpoint:k1 
  Certificate chain for new connections:
    Server Certificate:
       Key Label:k1
       Serial Number:4532303839324537383142414645454544453737413643414437444345383437
       Self-signed
Certificate chain complete 
Admin Status:down
Operation Status:down
ssl-proxy#

Importing the Embedded Test Certificate

A test PKCS12 file (test/testssl.p12) is embedded in the SSL software on the module. You can install the file into NVRAM for testing purposes and for proof of concept. After you install the PKCS12 file, you can import it to a trustpoint and then assign it to a proxy service that is configured for testing.

To install and import the test file, perform this task:

 
Command
Purpose

Step 1 

ssl-proxy# test ssl-proxy 
certificate install 

Installs the test PKCS12 file to NVRAM.

Step 2 

ssl-proxy(config)# crypto ca 
import trustpoint_label pkcs12 
nvram:test/testssl.p12 passphrase

Imports the test PKCS12 file to the module.

Note For the test certificate, the passphrase is cisco.

Step 3 

ssl-proxy(config)# ssl-proxy 
context name

Enters the SSL context subcommand mode. Use the optional SSL context name to specify an SSL virtualization instance. The context name is case-sensitive.

Step 4 

ssl-proxy(config-context)# 
service test_name 

Defines the name of the test proxy service.

Step 5 

ssl-proxy(config-ctx-ssl-proxy)# 
certificate rsa general-purpose 
trustpoint trustpoint_label

Assigns a trustpoint to a proxy service.

Step 6 

ssl-proxy(config-ctx-ssl-proxy)# 
end

Exits configuration mode.

Step 7 

ssl-proxy# show ssl-proxy stats 
test_service

Displays test statistics information.

This example shows how to import the test PKCS12 file:

ssl-proxy# test ssl-proxy certificate install
% Opening file, please wait ...
% Writing, please wait ............
% Please use the following config command to import the file.
  "crypto ca import <trustpoint-name> pkcs12 nvram:test/testssl.p12 cisco"
% Then you can assign the trustpoint to a proxy service for testing.
*Nov 18 22:59:06.331:%STE-6-PKI_TEST_CERT_INSTALL:Test key and certificate was installed 
into NVRAM in a PKCS#12 file.

ssl-proxy# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ssl-proxy(config)# crypto ca import test-tp pkcs12 nvram:test/testssl.p12 cisco
Source filename [test/testssl.p12]?
CRYPTO_PKI:Imported PKCS12 file successfully.
ssl-proxy(config)#
*Nov 18 23:05:48.699:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.
ssl-proxy(config)# ssl-proxy context Default
ssl-proxy(config-context)# service test-service
ssl-proxy(config-ctx-ssl-proxy)# certificate rsa general-purpose trustpoint test-tp
ssl-proxy(config-ctx-ssl-proxy)# end
ssl-proxy#