Installation guide
9-7
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 9 Configuring SSL
Using SSL Certificates
Note The ACE supports the creation of a maximum of eight CRLs for any context.
ACE appliances require certificates and corresponding key pairs for:
• SSL termination—The ACE appliance acts as an SSL proxy server and terminates the SSL session
between it and the client. For SSL termination, you must obtain a server certificate and
corresponding key pair.
• SSL initiation—The ACE appliance acts as a client and initiates the SSL session between it and the
SSL server. For SSL initiation, you must obtain a client certificate and corresponding key pair.
The Matching Key column in the Certificates window (Config > Virtual Contexts > context >
Certificates) displays the name of a key pair that ACE Appliance Device Manager was able to match up
with the certificate. If ACE Appliance Device Manager cannot detect a matching key pair for a certificate,
it leaves the Matching Key table cell blank. If the number of unmatched certificates and key pairs
exceeds 50, then ACE Appliance Device Manager leaves the entire Matching Key column blank, even
when matching certificates and key pairs exist for the context. When this condition occurs, you can
verify that a certificate and key pair match by using the SSL Setup Sequence feature.
Procedure
Step 1 Choose Config > Virtual Contexts > context > SSL > Setup Sequence.
The Setup Sequence window appears.
Step 2 In the Setup Sequence window, click Configure SSL Policies.
The Configure SSL Policies window appears.
Step 3 From the Certificate drop-down list in the Configure SSL Policies - Basic Settings section, choose a
certificate.
Step 4 From the Keys drop-down list in the Configure SSL Policies - Basic Settings section, choose a key pair.
Step 5 Click Verify Key.
ACE Appliance Device Manager checks to see if the selected certificate and key pair match. A popup
window appears to indicate if the two items match.
Note The ACE includes a preinstalled sample certificate and corresponding key pair. The certificate is for
demonstration purposes only and does not have a valid domain. It is a self-signed certificate with basic
extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair named cisco-sample-key.
You can display the sample certificate and corresponding key pair files as follows:
• To display the cisco-sample-cert file, choose Config > Virtual
Contexts > context > SSL > Certificates.
• To display the cisco-sample-key file, choose Config > Virtual Contexts > context > SSL > Keys.
You can add these files to an SSL-proxy service (see the “Configuring SSL Proxy Service” section on
page 9-28). They are available for use in any context, and the filenames remain the same in each
context.
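The Matching Key column and the Verify Key button both answer one question: does the public key embedded in the certificate equal the public half of the chosen private key? The following Go program is an added example, not Cisco's code and not part of this guide, that performs the same check offline on PEM files so you can confirm a pair before importing it. It builds its own self-signed demonstration certificate and key in memory as a stand-in for cisco-sample-cert and cisco-sample-key; the function names, the constructed pair and the example host names are assumptions. It also goes slightly beyond the guide's RSA-only case: the same comparison works for EC keys and reports a mismatch (not an error) when the key types differ.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParsePrivateKey accepts the PEM encodings usually found in key files:
// PKCS#1 ("RSA PRIVATE KEY"), SEC1 ("EC PRIVATE KEY") and PKCS#8 ("PRIVATE KEY").
func ParsePrivateKey(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block found in key data")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("PKCS#8 key is not a signing key")
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// KeyMatchesCert reports whether the public half of the private key equals the
// public key in the certificate: the relationship Verify Key is checking.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	key, err := ParsePrivateKey(keyPEM)
	if err != nil {
		return false, err
	}
	// Standard-library public key types implement Equal, which compares the whole
	// key (RSA modulus and exponent, EC curve and point) and is false across types.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, errors.New("certificate public key type cannot be compared")
	}
	return pub.Equal(key.Public()), nil
}

// SelfSignedPEM builds a constructed demonstration certificate/key pair in
// memory (a stand-in for cisco-sample-cert/cisco-sample-key, not the ACE's files).
func SelfSignedPEM(key crypto.Signer, cn string) (certPEM, keyPEM []byte, err error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	certPEM, keyPEM, _ := SelfSignedPEM(rsaKey, "sample.example.invalid")
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, otherPEM, _ := SelfSignedPEM(otherKey, "other.example.invalid")
	for name, k := range map[string][]byte{"matching key": keyPEM, "other key": otherPEM} {
		ok, err := KeyMatchesCert(certPEM, k)
		fmt.Printf("%-13s match=%v err=%v\n", name, ok, err)
	}
}
```

A match only establishes that the two files belong together; it says nothing about whether the certificate is acceptable for a given service. In particular, the preinstalled sample pair is self-signed with no valid domain and uses a 1024-bit RSA key, which is below current key-length recommendations, so it belongs in demonstrations and setup testing only, exactly as the note above says.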