[f-nsp] problems binding new key and cert on ADX
Jonas Frey (Probe Networks)
jf at probe-networks.de
Mon Nov 9 11:19:29 EST 2015
Hi Jethro,
first of all: 12.5.01g is really old and is vulnerable to POODLE and a
few others. You really want to update this.
I assume you combined the intermediate cert into the regular cert file?
This will not work.
You need to use:
ssl profile www.something.com
keypair-file yourkey.key
certificate-file yourcert.crt
ca-cert-file your-cert-ca-chain.crt
enable-certificate-chaining
Cheers,
Jonas
On Monday, 09.11.2015 at 16:05 +0000, Jethro R Binks wrote:
> Hi,
>
> I'm banging my head against a wall here and looking for some help.
>
> One virtual service is having a cert change due to expiry, and I've got
> the .pfx as exported from Windows. I have extracted the key and cert from
> this. I have the intermediate and root certs.
>
> I can upload all, the key to the keyfile, and the host cert then the
> intermediate to the cert file using scp. Done this some number of times
> in the past routinely.
>
> I can use the show commands to view the cert chain, and see the host's
> cert plus the intermediate.
>
> However what I can't do is the actual bind of the cert into the ssl
> profile:
>
> SSH@sender(config)#ssl profile tcnemo-toclients
> SSH@sender(config-ssl-profile-tcnemo-toclients)#keypair-file tcnemo_2015.key
> SSH@sender(config-ssl-profile-tcnemo-toclients)#certificate-file tcnemo_chain_2015.crt
> SSH@sender(config-ssl-profile-tcnemo-toclients)#Error key and certificate mismatch
> Please delete the key and re-add the right key and certificate
> SSL profile : tcnemo-toclients
> Certificate file : \usb0\certstor\tcnemo_chain_2015.crt.cert
> Key file : \usb0\certstor\tcnemo_2015.key.key
>
> The only help I can get from Dr Google is the suggestion from the
> documentation that this key does not match the certificate. But both came
> from the exported PFX, and I've verified them manually in various ways.
> Now totally stuck as to what to do next (and time is ticking for the
> previous cert expiry :).
>
> Anyone any ideas?
>
> ADX 12.5.01g
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp