Easiest way to request an ACE Certificate

There are a variety of ways to generate a CSR, request a certificate and import that cert into the ACE. I've found the easiest is to do the whole thing through the console: no need to set up an FTP/TFTP server, just copy and paste. This is a prerequisite to SSL termination (SSL proxying) on the ACE, and because only the CSR ever leaves the box, the private key never has to be copied anywhere.

1. Define your CSR parameters.

CSR parameters are the subject fields that will be pre-populated in your certificate request. The most important of these is the common-name, which must be the fully qualified host name clients use to reach the site; if it doesn't match, browsers will warn even though the certificate is otherwise valid. Note that serial-number here does not become the certificate's serial number (the CA assigns that when it signs); it only goes into the request.

crypto csr-params MY-PARAM
  country US
  state NY
  locality City
  organization-name Acme
  common-name example.domain.com
  serial-number 1000

There are other csr-parameters you can define if needed:

switch/Context1(config-csr-params)# ?
Configure CSR parameters:
common-name  Configure organization's common name (required parameter)
country      Configure country code (required parameter)
email        Configure email address
locality     Configure locality name
organization-name  Configure organization name
organization-unit  Configure organization unit's name
serial-number      Configure serial number
state              Configure state name (required parameter)

2. Define your cipher set

The SSL parameter map sets which cipher suites the ACE will negotiate with clients, which in turn sets the level of encryption for your site. Some clients require specific suites, and compliance obligations (PCI DSS is the usual one; SAS70 and SOX audits may also impose a policy) can dictate what you are allowed to offer, so check with your business or clients before deciding. One caveat on the list below, which is reproduced as originally written: RC4 is no longer acceptable. RFC 7465 prohibits RC4 suites in TLS and current browsers will not negotiate them, so leave the RSA_WITH_RC4_128_SHA line out and keep only the AES suites unless you have a specific legacy client that needs it.

The session-cache timeout is the number of seconds the ACE keeps a completed SSL session cached so a returning client can resume it without a full handshake. Some users want it longer than the default, and it's good to define it explicitly so that when they ask you can always check the config.

parameter-map type ssl CIPHER
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  session-cache timeout 600

3. Generate your RSA key pair.

switch/Context1# crypto generate key 2048 MYKEY

I always choose a 2048-bit key, and it is no longer just a preference: public CAs have refused 1024-bit keys since the CA/Browser Forum Baseline Requirements made 2048 bits the minimum at the start of 2014. The key is generated on the ACE and stays there; only the CSR derived from it in the next step leaves the box. If you don't want the private key to be copyable off the device at all, the ACE can also generate it as non-exportable (the non-exportable keyword on crypto generate key), at the cost of not being able to migrate the key to another ACE later.

4. Generate your CSR.

switch/Context1# crypto generate csr MY-PARAM MYKEY
-----BEGIN CERTIFICATE REQUEST-----
MIICeTCCAWECAQAwNDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMRgwFgYDVQQD
Ew90ZXN0LmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC0ArGUgdcqwgCEZNREvPGOL+rEzZBmoQN/rE+Nawr0KpMIFzcPEV2Bli9hTUuk
j9L0Q/I2VyuFFHUvlIcf+ZO8gS764sPkodKAWjrWKgvK8zAwlJih02cl//mn8zWO
HRJ30LxAXRXsbbMH1sBLwZIusIJcBDqbmAyhbmvAxFco5TzQ3D+RbBXVNPw7u/cv
NM6DH2S60CgCorbU+5AxWY0vPAUOpBrae9nRPqnEe6w2/khzRW6w/HjEPciQrHbj
qV07e071UUsxh`XJegL92SaZV2J4Kl746CheA1rAchncx2NHS4bJUfgsnyztMLus
A6G2/kxK/R0EAUwUeBB6tzYBAgMBAAGcADANBgkqhkiG9w0BAQQFAAOCAQEAR12z
KBmONU/qujbhaz/2jWMDTAq2JXvX+WjgIxKNLAn45tkkOFnmnUVQLCegDfH5/roO
AIEX539TnpJfKaFQPmV7Xdq/GX/Xn/5OJkpXhQ7nQF0nhGSh8ZAazn2sCOpvQ9aQ
jsnBJVr9VrLEgGWuthIc+lUCHaXSLWj8QOSVxhcTNtlpFIfIShniy9AbFDDwRefU
J4hH9A+SGRBSF+JDzN25E+KGkEpBkPl+yot8xzWxQSO9ADN2ZBEauE7vrPy8KeJv
Rsm/3TjJQncFkgXS6NH5CL0S25dyrKSGhwG0GTVWORKiSZAyF/jxdoD+Q0C/AHvg
gsqLVoC8xg4OmM+AqA==
-----END CERTIFICATE REQUEST-----

The ACE prints the CSR to the terminal. If you are using PuTTY this is easy: select everything from the BEGIN line to the END line inclusive and paste it into a plain-text file. Name it MYCSR.csr or whatever relates to what you are requesting. Before sending it anywhere, check the file on your workstation: a paste that lost a line or picked up a stray character will not verify, and the CA will just reject it without telling you why. Decode yours and confirm the subject is the one you configured; the sample request above, for instance, carries only C, ST and CN (with a test host name), not the full MY-PARAM subject.
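The checks described above, as an added example that is not part of the original post: it verifies a CSR file's self-signature, key size and common name with OpenSSL on the workstation. The key and CSR are generated locally (constructed input, with the same subject fields as MY-PARAM) so the script runs offline; in practice you point check_csr at the MYCSR.csr you pasted out of the ACE session. It assumes OpenSSL 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a CSR file on your
# workstation before sending it to the CA. The key and CSR are generated
# locally here (constructed input) so the script runs offline; in practice
# MYCSR.csr is the text you pasted out of the ACE session. Assumes OpenSSL
# 1.1.1 or newer is installed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/MYKEY.pem"
CSR="$WORK/MYCSR.csr"

# Same subject fields as the csr-params above (hypothetical values).
SUBJ="/C=US/ST=NY/L=City/O=Acme/CN=example.domain.com"

# Stand-in for "crypto generate key" + "crypto generate csr" on the ACE.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$KEY" -out "$CSR" 2>/dev/null
}

# Subject DN as OpenSSL prints it, e.g.
# "subject=C = US, ST = NY, L = City, O = Acme, CN = example.domain.com"
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# RSA modulus size of the key in the request, in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Three checks the CA will make anyway, done here first:
#  1. the self-signature verifies (catches a truncated or mangled paste),
#  2. the key is at least 2048 bits,
#  3. the CN is the host name you expect.
check_csr() {
    csr=$1
    expected_cn=$2
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: CSR does not parse/verify; was the paste cut off?" >&2
        return 1
    fi
    bits=$(csr_key_bits "$csr")
    bits=${bits:-0}
    if [ "$bits" -lt 2048 ]; then
        echo "FAIL: $bits-bit key; CAs require at least 2048" >&2
        return 1
    fi
    if ! csr_subject "$csr" | grep -q "CN *= *$expected_cn\$"; then
        echo "FAIL: CN mismatch: $(csr_subject "$csr")" >&2
        return 1
    fi
    echo "OK: $bits-bit key, CN=$expected_cn"
}

# Usage: gen_csr; check_csr "$CSR" example.domain.com
```

The signature check is the one that catches copy-and-paste damage: a PEM body that lost a line still looks like a CSR but no longer parses or verifies, which is exactly what a CA sees when it silently rejects a request.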

5. Submit your CSR to a CA (GoDaddy, Comodo, etc.). Only the CSR goes to the CA; the private key stays on the ACE.

6. Once your certificate request has been approved you should get an email or ZIP file containing three things:

  • Root certificate
  • Intermediate certificate
  • Your certificate

7. Import the root, intermediate and server certificates. Again the easiest way to do this is to paste them in through PuTTY. For each one, open the file in Notepad (or any plain-text editor), copy everything from the BEGIN CERTIFICATE line to the END CERTIFICATE line inclusive, run the import command, paste, and finish with quit on a line by itself, which is what the ACE prompts you for. The file name you give is free-form; it is just what you will reference in the chaingroup and proxy service later, so make it descriptive (putting the year in the server cert name makes renewals easy to tell apart).

  • Open your root certificate in Notepad. Copy it.
switch/Context1# crypto import terminal ROOT-CA-CERT

Paste the cert, then quit.

  • Open your intermediate certificate in Notepad. Copy it.
switch/Context1# crypto import terminal INTERMEDIATE-CERT

Paste the cert, then quit.

  • Open your server certificate in Notepad. Copy it.
switch/Context1# crypto import terminal My-CERT-2012

Paste the cert, then quit.

8. Now that all your certificates are imported, create a chaingroup holding the intermediate and root certs. The chaingroup is what the ACE sends to clients along with your server cert, so a client that does not already have the intermediate can build the path back to a trusted root; leaving the intermediate out is a common cause of "works in my browser, fails on that client" complaints. Your own server certificate does not go in the chaingroup; it is referenced directly from the ssl-proxy service.

crypto chaingroup MYCHAIN
  cert INTERMEDIATE-CERT
  cert ROOT-CA-CERT
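Before pasting the CA's three files into the ACE, it is worth confirming on your workstation that they really form one chain and that the server certificate belongs to your key. The following is an added example, not code from the original post: it mints a throw-away root, intermediate and leaf with OpenSSL (constructed input, standing in for ROOT-CA-CERT, INTERMEDIATE-CERT and My-CERT-2012) so it runs offline, then shows the two checks you would run against the CA's real files. File names and subjects are assumptions; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: check on your workstation that
# the three files the CA sent back really form one chain (leaf -> intermediate
# -> root) and that the leaf belongs to your key, before pasting anything into
# the ACE. A throw-away chain is minted here (constructed input) so the script
# runs offline; in practice point the functions at the CA's files. Assumes
# OpenSSL 1.1.1 or newer.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample chain standing in for ROOT-CA-CERT, INTERMEDIATE-CERT
# and My-CERT-2012 (hypothetical names and subjects).
make_chain() {
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/O=Acme Test CA/CN=Acme Test Root" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.ext -out root.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/O=Acme Test CA/CN=Acme Test Intermediate" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out inter.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/C=US/ST=NY/L=City/O=Acme/CN=example.domain.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.domain.com\n' > leaf.ext
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out server.pem 2>/dev/null
}

# verify_chain ROOT LEAF [INTERMEDIATE...]: returns 0 if LEAF chains to ROOT
# through the given intermediates, 1 otherwise. Calling it without the
# intermediate is what a chaingroup missing that cert looks like to a client
# that does not already hold it.
verify_chain() {
    root=$1
    leaf=$2
    shift 2
    args=""
    for f in "$@"; do
        args="$args -untrusted $f"
    done
    # $args is deliberately unquoted so it expands to separate options
    openssl verify -CAfile "$root" $args "$leaf" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: returns 0 if CERT carries the public half of KEY,
# the same relationship the ACE's "crypto verify" checks on the box.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage against the CA's real files (names assumed):
#   verify_chain root.pem server.pem inter.pem && key_matches_cert server.key server.pem
```

With the CA's files, `verify_chain root.crt your.crt intermediate.crt` should succeed and the same call without the intermediate should fail; if the first call fails, the "intermediate" the CA sent is not the one that signed your certificate and importing it will not help.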

9. Verify that your certificates and key are stored on the ACE correctly.

switch/Context1# sh crypto files
Filename              File File Expor Key/
                      Size Type table Cert
-----------------------------------------------------------------------
INTERMEDIATE-CERT     1509 PEM  Yes   CERT
MYKEY                 1679 PEM  Yes   KEY
ROOT-CA-CERT          1740 PEM  Yes   CERT
My-CERT-2012          2045 PEM  Yes   CERT
cisco-sample-cert     1082 PEM  Yes   CERT
cisco-sample-key      887  PEM  Yes   KEY

All three certificates and MYKEY should be listed, as above. Two further checks are worth doing before you build the proxy service: show crypto certificate followed by the file name prints the subject, issuer and validity dates, so you can confirm the right file went in under each name, and crypto verify MYKEY My-CERT-2012 confirms that the certificate's public key actually belongs to MYKEY (a certificate issued against the wrong key is a common reason an otherwise correct proxy service fails to handshake). Note too that the key above shows as exportable; see step 3 if you would rather it weren't.

Now your certificates are on the ACE! All you need to do now is set up an SSL proxy service that references MYKEY, My-CERT-2012, MYCHAIN and the CIPHER parameter map.
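For orientation, this is how the four names chosen above get tied together in the proxy service. It is added here and is not part of the original post; the service, policy-map and class names are assumptions, and the class-map and VIP policy are whatever you already use for the site.

```text
ssl-proxy service MY-SSL-PROXY
  key MYKEY
  cert My-CERT-2012
  chaingroup MYCHAIN
  ssl advanced-options CIPHER

policy-map multi-match MY-VIP-POLICY
  class MY-VIP-CLASS
    ssl-proxy server MY-SSL-PROXY
```

The key, cert, chaingroup and ssl advanced-options lines reference exactly the names from steps 2, 3, 7 and 8, so if you renamed anything along the way, this is where it has to match.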
