Installation guide

9-29
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 9 Configuring SSL
Configuring SSL Proxy Service
Note If you use SSL Setup Sequence to create the proxy service, ACE appliance Device Manager
selects the keys that correspond to the certificate that you choose. If ACE appliance Device
Manager cannot detect a corresponding key pair, you can select a key pair from the drop-down
list and click Verify Key to have ACE appliance Device Manager verify that the keys correspond
to the selected certificate. ACE appliance Device Manager displays a message to let you know
that your key pair selection either matches or does not match the selected certificate. For more
information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 9-5.
The cisco-sample-key option is available for the sample key pair. For information about this sample key
pair, see the “Using SSL Certificates” section on page 9-6.
Step 5 In the Certificates field, select the certificate that the ACE appliance is to use during the SSL handshake
to prove its identity.
Caution When choosing the certificate from the drop-down list, be sure to choose the certificate that
corresponds to the keys that you choose.
The cisco-sample-cert option is available for the sample certificate. For information on this sample
certificate, see the “Using SSL Certificates” section on page 9-6.
Step 6 In the Chain Groups field, select the chain group that the ACE appliance is to use during the SSL
handshake.
Step 7 For the Auth Groups field, perform either of the following:
Select N/A when authentication is not applicable for this proxy service. Then, proceed to Step 11.
Select the auth group name that the ACE is to use during the SSL handshake. To create an auth
group, see Configuring SSL Authentication Groups, page 9-32.
Step 8 Check the CRL Best-Effort check box to allow the ACE appliance to search the client certificates presented to
this service and determine whether a certificate carries a CRL location in its extension. If it does, the ACE
appliance retrieves the CRL from that value.
Clear the check box to display the CRL Name field, from which you select the CRL name.
Step 9 For the CRL Name field, perform either of the following:
Select N/A when the CRL name is not applicable.
Select the CRL name that the ACE uses for authentication.
Step 10 Check the OCSP Best-Effort check box to allow the ACE appliance to extract the OCSP server information
from an extension in the certificate itself and to obtain the revocation status of the certificate from that server.
If this extension is missing from the certificate and best-effort OCSP server information is configured on the
SSL proxy, the certificate is considered revoked.
Clear the check box to display the OCSP Server field, from which you select an available OCSP server.
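The Verify Key check in Step 4 and Step 5 and the best-effort rules in Step 8 and Step 10 can be reproduced outside the Device Manager with the openssl CLI. This is an added example, not code from the Cisco guide or the ACE appliance; the key pairs, certificates and the crl.example.test and ocsp.example.test hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the same checks the Device Manager
# options perform, done with the openssl CLI against constructed test material.
set -eu
WORK=$(mktemp -d)

# Constructed key pair and self-signed certificate carrying a CRL distribution
# point and an OCSP responder URI (placeholder hostnames), plus an unrelated key
# and a certificate that carries neither extension.
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
crlDistributionPoints = URI:http://crl.example.test/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF
printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$WORK/plain.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
  -config "$WORK/ext.cnf" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=plain.test" \
  -config "$WORK/plain.cnf" -keyout "$WORK/plain-key.pem" -out "$WORK/plain.pem" 2>/dev/null
openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null

# "Verify Key": a certificate corresponds to a private key only if both contain
# the same public key. Prints MATCH (exit 0) or MISMATCH (exit 1).
verify_key() {  # $1 = certificate PEM, $2 = private key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo MATCH; else echo MISMATCH; return 1; fi
}

# "CRL Best-Effort" / "OCSP Best-Effort": take the revocation source from the
# certificate's own extension. Prints the URI found; when the extension is absent
# the guide's rule applies and the certificate is reported as revoked (exit 1).
best_effort_source() {  # $1 = certificate PEM, $2 = crl | ocsp
  text=$(openssl x509 -in "$1" -noout -text)
  uri=""
  case "$2" in
    crl)  uri=$(printf '%s\n' "$text" | sed -n '/CRL Distribution Points/,/^ *X509v3/p' \
                | grep -o 'URI:[^ ]*' | head -n1) ;;
    ocsp) uri=$(printf '%s\n' "$text" | grep -o 'OCSP - URI:[^ ]*' | head -n1 | sed 's/OCSP - //') ;;
  esac
  if [ -n "$uri" ]; then echo "$uri"; else echo "REVOKED (no $2 extension in certificate)"; return 1; fi
}

verify_key "$WORK/cert.pem" "$WORK/key.pem"
best_effort_source "$WORK/cert.pem" ocsp
```

The same comparison works for a key and certificate exported from the appliance: a MISMATCH here is exactly the case the Caution in Step 5 warns about.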