SSL Certificate Installation Guide - Alteon SSL Accelerator
Using the encryption capabilities of the SSL VPN device requires adding a key and certificate
that conforms to the X.509 standard to the SSL VPN device. If you have more than one SSL
VPN device in a cluster, the key and certificate need only be added to one of the devices. As
with configuration changes, the information is automatically propagated to all other devices in
NOTE – When using an ASA 310-FIPS running in FIPS mode, the private key associated with
a certificate cannot be imported. All private keys must be generated on the HSM card itself due
There are two ways to install a key and certificate into the SSL VPN device:
Copy-and-paste the key/certificate.
Download the key/certificate from a TFTP/FTP server.
The SSL VPN device supports importing certificates and keys in these formats:
PEM
NET
DER
PKCS7 (certificate only)
PKCS8 (keys only, used in WebLogic)
PKCS12 (also known as PFX)
Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the
SSL VPN device, as well as keys from Netscape Enterprise Server or iPlanet Server. Importing
keys from Netscape Enterprise Server or iPlanet Server, however, requires that you first use
a conversion tool. For more information about the conversion tool, contact Nortel Networks.
When it comes to exporting certificates and keys from the SSL VPN device, you can specify to
save in the PEM, NET, DER, or PKCS12 format when using the export command. If you
choose to use the display command (which requires a copy-and-paste operation), you are
restricted to saving certificates and keys in the PEM format only.
NOTE – When performing a copy-and-paste operation to add a certificate or key, you must
always use the PEM format.
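Because the copy-and-paste commands accept PEM only, material that arrives in one of the other supported formats has to be converted first. The following POSIX shell script is an added example and is not code from the Nortel guide or the device; it uses only the openssl command line. The self-signed test subject, the file names and the PKCS#12 export password are constructed for the demonstration, and it emits the key with the "-----BEGIN RSA PRIVATE KEY-----" header that the guide's paste example shows.

```shell
#!/bin/sh
# Added example, not code from the Nortel guide.  Converts certificate and key
# material from other supported import formats (DER, PKCS#12/PFX, PKCS#8 PEM)
# into the PEM form required for copy-and-paste on the SSL VPN device.
# Assumes only the openssl CLI.  File names, the self-signed test subject and
# the PKCS#12 export password below are constructed for the demonstration.

# Write a certificate as PEM whether the input is PEM, DER or PKCS#12.
#   $1 = input file, $2 = output PEM file, $3 = PKCS#12 import password (if needed)
to_pem_cert() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -out "$2"                      # already PEM; re-emit cleanly
    elif openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then
        :                                                     # was DER
    else                                                      # treat as PKCS#12 (PFX)
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" 2>/dev/null \
            | openssl x509 -out "$2"                          # drops the Bag Attributes lines
    fi
}

# Write an RSA private key as traditional PEM ("-----BEGIN RSA PRIVATE KEY-----"),
# the header the guide's paste example shows.  Input may be PKCS#8 PEM or PKCS#12.
#   $1 = input file, $2 = output PEM file, $3 = PKCS#12 import password (if needed)
to_pem_key() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        src="$1"
    else
        # PKCS#12: extract the key unencrypted into a scratch file first
        openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" -out "$2.pkcs8" 2>/dev/null
        src="$2.pkcs8"
    fi
    # OpenSSL 3 needs -traditional to emit the RSA PRIVATE KEY header; OpenSSL 1.1
    # emits it by default and rejects the flag, hence the fallback.
    openssl rsa -in "$src" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$src" -out "$2" 2>/dev/null
    rm -f "$2.pkcs8"
}

# SHA-256 fingerprint of a PEM certificate, used to prove conversions are lossless.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Round trip: self-signed cert -> DER and PKCS#12 -> back to PEM, then compare.
# Prints the scratch directory so the converted files can be inspected.
demo_formats() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn.example.test' \
        -keyout "$d/orig.key" -out "$d/orig.pem" 2>/dev/null
    openssl x509 -in "$d/orig.pem" -outform DER -out "$d/orig.der"
    openssl pkcs12 -export -in "$d/orig.pem" -inkey "$d/orig.key" \
        -passout pass:exportpw -out "$d/orig.p12"

    to_pem_cert "$d/orig.der" "$d/from_der.pem"
    to_pem_cert "$d/orig.p12" "$d/from_p12.pem" exportpw
    to_pem_key  "$d/orig.p12" "$d/from_p12.key" exportpw

    a=$(cert_fingerprint "$d/orig.pem")
    [ "$a" = "$(cert_fingerprint "$d/from_der.pem")" ] \
        || { echo "DER round-trip mismatch" >&2; return 1; }
    [ "$a" = "$(cert_fingerprint "$d/from_p12.pem")" ] \
        || { echo "PKCS#12 round-trip mismatch" >&2; return 1; }
    grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$d/from_p12.key" \
        || { echo "key is not in traditional RSA PEM form" >&2; return 1; }
    echo "$d"
}
```

Run `demo_formats` to produce a scratch directory containing the original, DER and PKCS#12 copies together with the PEM files recovered from them; the fingerprint comparison is the check that nothing was lost in conversion. The fallback in to_pem_key exists because OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") by default, which is not the header the guide's paste example uses.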
Copy-and-Paste Certificates
The following steps demonstrate how to add a certificate using the copy-and-paste method.
NOTE – If you connect to one of the SSL VPN devices in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copy-and-paste operations. If your security policy permits enabling Telnet or SSH access to the SSL VPN device, use a Telnet or SSH client and connect to the Management IP address instead. Bear in mind that a Telnet session is not encrypted, so a private key pasted over Telnet crosses the network in the clear; prefer SSH whenever a private key is involved.
1. Type the following command from the Main menu prompt to start adding a certificate.
In most cases you should specify the same certificate number as the certificate number you
used when generating the CSR. By doing so, you do not have to add the private key because
this key remains connected to the certificate number that you used when you generated the
CSR.
If you have obtained a key and a certificate by other means than generating a CSR using the
request command on the SSL VPN device, specify a certificate number not used by a configured
certificate before pasting the certificate. If the private key and the certificate are not
contained in the same file, use the key or import command to add the corresponding private
key.
To view basic information about configured certificates, use the /info/certs command.
The information displayed lists all configured certificates by their main attributes.
2. Copy the contents of your certificate file.
Open the certificate file you have received from a CA in a text editor and copy the entire contents.
Make sure the selected text includes the “-----BEGIN CERTIFICATE-----” and
“-----END CERTIFICATE-----” lines.
3. Paste the contents of the certificate file at the command prompt.
Now, paste the certificate at the command line interface prompt, press ENTER to create a new
empty line, and then type "..." (three periods, without the quotation marks). Press ENTER again
to complete the installation of the certificate.
>> Main# cfg/ssl/cert
Enter certificate number: (1-) <number of the certificate you want to configure>
>> Certificate 1# cert
Paste the certificate, press Enter to create a new line, and then
type "..." (without the quotation marks) to terminate.
Your screen output should now resemble the following example:
>> Certificate 1# cert
Paste the certificate, press Enter to create a new line, and then
type "..." (without the quotation marks) to terminate.
> -----BEGIN CERTIFICATE-----
> MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJzZTEO
> MAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9sbTEMMAoGA1UEChMDZG9j
> MQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5jb20xGTAXBgkqhkiG9w0B
> CQEWCnR0dEBjY2MuZG4wHhcNMDAxMjIyMDkxOTI0WhcNMDExMjIyMDkxOTI0WjB9
> MQswCQYDVQQGEwJzZTEOMAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9s
> bTEMMAoGA1UEChMDZG9jMQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5j
> b20xGTAXBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wgZ8wDQYJKoZIhvcNAQEBBQAD
> gY0AMIGJAoGBALXym9cIVfHZUZFE1MFi+xefDviIEvilnJAQSSPITnZa69fzGcL3
> vpQv0NLxNffs1jEw4RPDMKu2rQ9N02EiiJcrCHnaSNZPdwGoX39IkEUkANzm3mh2
> DlP1RfW4ejpNKsG5Tme/e1vFYWXeXXI1oRtdPIaVGxK8pvqBEHDXCcJlAgMBAAGj
> gdswgdgwHQYDVR0OBBYEFJBM3K0KB03fpCOVrQCC34hovwM8MIGoBgNVHSMEgaAw
> gZ2AFJBM3K0KB03fpCOVrQCC34hovwM8oYGBpH8wfTELMAkGA1UEBhMCc2UxDjAM
> BgNVBAgTBWtpc3RhMRIwEAYDVQQHEwlzdG9ja2hvbG0xDDAKBgNVBAoTA2RvYzEN
> MAsGA1UECxMEYmx1ZTESMBAGA1UEAxMJd3d3LmEuY29tMRkwFwYJKoZIhvcNAQkB
> Fgp0dHRAY2NjLmRuggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
> m/GKwEyDKCm2qdPt8+pz1znSGNaRTxfK1R0mjtnDGFb0qk+Bv7d9YlX+1QTZhxnZ
> Z4JXuWPJS36kAwiirVbOIaIforIVa+IUlo8HUjMvxzIqCYPiiDwBcBi3NsvjlFM7
> i24Q+lvDLE/Ko+x/YEnNukfp3SBXiJqZ8WZIvbTCyT4=
> -----END CERTIFICATE-----
> ...
Certificate added.
NOTE – Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown above. Be sure to copy and
paste the entire contents of the certificate file.
4. Apply your changes.
If you have used the request command on the SSL VPN device to generate a CSR, and have
specified the same certificate number as the CSR when pasting the contents of the certificate
file, your certificate is now fully installed.
If you have obtained a certificate by other means, however, you must also add the corresponding
private key.
Copy-and-Paste Private Key
1. Type the following command from the Main menu prompt to start adding a private key.
Make sure you specify the same certificate number as when pasting the certificate.
2. Copy the contents of your private key file.
Locate the file containing your private key. Make sure the key file corresponds with the certificate
file you have received from a CA. The public key contained in the certificate works in
concert with the related private key when handling SSL transactions.
Open the key file in a text editor and copy the entire contents. Make sure the selected text
includes the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines.
3. Paste the contents of the key file at the command prompt.
Now, paste the private key at the command line interface prompt. Press ENTER to create a
new line, and then type "..." (three periods, without the quotation marks). Press ENTER again
to complete the installation of the key.
You may be prompted for a password phrase after having completed the paste operation. The
password phrase you are requested to type is the one you specified when creating (or exporting)
the private key.
>> Main# cfg/ssl/cert
Enter certificate number: (1-) <number of the certificate you want to configure>
>> Certificate 1# key
Paste the key, press Enter to create a new line, and then type "..."
(without the quotation marks) to terminate.
Your screen output should now resemble the following example:
>> Certificate 1# key
Paste the key, press Enter to create a new line, and then type "..."
(without the quotation marks) to terminate.
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,2C60C89FEB57A853
>
> MbbLDYlwdbNfXUGHFm10nfRlI+KTnx2Bdx750EaG8HSVV7KrtnsNF/Fsz1jFvO/j
> nKhZfs4zsVrsstrVlqfP1uatg19VyJSEug1ZcCamH59Dcy+UNocFWCzR56PHpyZK
> GXX66jS+6twYdiXQk58URIudkmGXGTYMvBRuVjV22ZRLyJk41Az5nA6HiDz6GGs6
> vkCaPFGm263KxmXjy/okNgSJl9QTqJfSq7Eh1cIslBReAE9HXGl0Eubb6gVJu+sR
> mGhS/yGx4vMx98wiMjL37gRtXBfDWlu6u0HOPeJxs6fH05fYzmnpwAHj592TDFds
> Ji5pmrY0NhAeXfuG8mF/T9nEz02ZA8iQGJsaUPfkeBxbZS+umY/R65Okwt1k2RN4
> RlFnmRWqvhHMrHzJuegez/806YazHBv74sOg3KgETRH92z5yvwbgFwmffgb+hai0
> RlRtZgQ4A5kSAFYW37KDq6eJBsZ/m3Que1buMbh8tRxdGpo54+bGqu5b12iLanLn
> Rk57ENQGTgzxOD/1RZIJHqObCY7VDLkK7WZM/LPa0k+bTeAysmZa7fu7gvELJF0i
> vszs3nzm7zT1y0mJ0QX9u9eoW8wpASCAdCC2r2LZt8o9+IWLSZWh5UCIr8qFKGiL
> rUIx8coIhxSpx/PqEV8KhSRV+0taq0N7pJa3TLmO3o80t5966VSFKc3Y35fx9Yk8
> G+RlSzo4CxooY4bCKsfchnJ957SJx5vUyh6jjztnuU4iAfeTVCUdF0LXd+NlQ7T7
> IMFsjjx9SZuuHPZTF0KD/WYLx7FfIFIBHDumu6scraYZOaWaJKI5Pw==
> -----END RSA PRIVATE KEY-----
> ...
Enter pass phrase:
Key added
4. Apply your changes.
>> Certificate 1# apply
Changes applied successfully.
Your certificate and private key are now fully installed and ready to be taken into use by a virtual
SSL server. To view information about configured certificates and SSL servers, use the
/cfg/ssl/cur command.
Using TFTP or FTP to Add Certificates and Keys
The following is an example of how to input a certificate into the SSL VPN device using TFTP
or FTP.
1. Put the certificate file and key file on your TFTP/FTP server.
Neither TFTP nor FTP encrypts the transfer, so the private key crosses the network in the clear
unless the key file itself is protected with a pass phrase. Use a key file that was created or
exported with a pass phrase, place the files on a server that is reachable only from the
management network, and remove them from the server once the import has completed.
NOTE – You may arrange to include your private key in the certificate file. When the specified
certificate file is retrieved from the TFTP/FTP server, the SSL VPN software will analyze the
contents and automatically add the private key, if present (the screen output displays “Certificate
added” and “Key added” in this case). If the private key is included, you do not have to
perform step 3.
2. Initiate the process of adding a certificate using TFTP or FTP.
Type the command /cfg/ssl/cert and press ENTER. Specify an unused certificate index
number, and then type the command import.
Make sure to specify a certificate number not in use by an existing certificate. To view basic
information about all configured certificates, use the /info/certs command.
Provided the operation was successful, your screen output should resemble the following
example:
>> Main# cfg/ssl/cert
Enter certificate number: (1-) <number of the certificate you want to configure>
>> Certificate 1# import
Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>
Enter host name or IP address of server: <server host name or IP address>
Enter filename on server: <filename.crt>
Retrieving filename.crt from server
>> Certificate 1# import
Select TFTP or FTP (tftp/ftp) [tftp]: ftp
Enter host name or IP address of server: 192.168.128.58
Enter filename on server: VIP_1.crt
Retrieving VIP_1.crt from 192.168.128.58
Key added.
Certificate added.
3. Add your private key using TFTP or FTP.
Type the command import and press ENTER. Provide the required information. You may be
prompted for a password phrase (if specified when creating or exporting the private key).
Provided the operation was successful, your screen output should resemble the following
example:
>> Certificate 1# import
Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>
Enter host name or IP address of server: <server host name or IP address>
Enter filename on server: <filename.key>
Retrieving filename.key from server
Enter pass phrase:
>> Certificate 1# import
Select TFTP or FTP (tftp/ftp) [tftp]: ftp
Enter host name or IP address of server: 192.168.128.58
Enter filename on server: VIP_1.key
Retrieving VIP_1.key from 192.168.128.58
Enter pass phrase:
Key added.
4. Apply your changes.
>> Certificate 1# apply
Changes applied successfully.
Your certificate and private key are now fully installed and ready to be taken into use by a virtual
SSL server. To view basic information about configured certificates and SSL servers, use
the /cfg/ssl/cur command.
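Both procedures above (copy-and-paste of a key obtained outside the device's CSR flow, and import over TFTP/FTP) depend on the operator having checked, before anything reaches the device, that the key really belongs to the certificate, that the BEGIN/END delimiter lines are intact, and that the key is pass-phrase protected so it is never stored or transferred in the clear. The following POSIX shell script is an added example and is not code from the Nortel guide or the device; it uses only the openssl command line. The file names, the self-signed subject and the pass phrase are constructed for the demonstration, and the combined cert+key file it builds mirrors the note above that the import command adds both when they are in one file.

```shell
#!/bin/sh
# Added example, not code from the Nortel guide.  Pre-install checks for a
# certificate/key pair obtained outside the device's own CSR flow, run before
# the key is pasted or placed on a TFTP/FTP server:
#   - does the private key belong to the certificate?
#   - are the BEGIN/END delimiter lines present?
#   - is the key pass-phrase protected (TFTP and FTP encrypt nothing)?
#   - build the single cert+key file the import command consumes at once.
# Assumes only the openssl CLI; file names, subject and pass phrase are constructed.

# Succeeds only when the key's public half equals the one in the certificate.
#   $1 = cert PEM, $2 = key PEM, $3 = key pass phrase (omit if the key is unencrypted)
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "pass:${3:-none}" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when the file carries both delimiter lines the guide says to copy.
#   $1 = PEM file, $2 = block label, e.g. CERTIFICATE or "RSA PRIVATE KEY"
pem_is_complete() {
    grep -q "^-----BEGIN $2-----" "$1" && grep -q "^-----END $2-----" "$1"
}

# Encrypt the key under a pass phrase in traditional PEM form (DEK-Info header),
# which is what produces the device's "Enter pass phrase:" prompt.
# OpenSSL 3 needs -traditional for that form; OpenSSL 1.1 rejects the flag.
#   $1 = plaintext key, $2 = output file, $3 = pass phrase
protect_key_for_transfer() {
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Concatenate cert and (encrypted) key into one file for a single import; prints
# the number of PEM blocks, which should be 2 ("Certificate added" + "Key added").
#   $1 = cert PEM, $2 = key PEM, $3 = output bundle
bundle_for_import() {
    cat "$1" "$2" > "$3"
    grep -c -- '^-----BEGIN ' "$3"
}

# Runs every check against constructed material; prints the scratch directory.
demo_install_checks() {
    d=$(mktemp -d)
    pw='constructed-pass-phrase'
    # Constructed self-signed pair standing in for a CA-issued certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn.example.test' \
        -keyout "$d/vip1.key" -out "$d/vip1.crt" 2>/dev/null
    # Constructed unrelated key: the mistake key_matches_cert is meant to catch.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null

    key_matches_cert "$d/vip1.crt" "$d/vip1.key"  || { echo "matching pair rejected" >&2; return 1; }
    key_matches_cert "$d/vip1.crt" "$d/other.key" && { echo "wrong key accepted" >&2; return 1; }
    pem_is_complete "$d/vip1.crt" CERTIFICATE      || { echo "cert delimiters missing" >&2; return 1; }

    protect_key_for_transfer "$d/vip1.key" "$d/vip1.enc.key" "$pw"
    grep -q -e 'DEK-Info' -e 'ENCRYPTED PRIVATE KEY' "$d/vip1.enc.key" \
        || { echo "key was not encrypted" >&2; return 1; }
    pem_is_complete "$d/vip1.enc.key" "RSA PRIVATE KEY" \
        || { echo "key delimiters missing" >&2; return 1; }
    # The encrypted copy must still unlock with the pass phrase and still match.
    key_matches_cert "$d/vip1.crt" "$d/vip1.enc.key" "$pw" \
        || { echo "encrypted key no longer matches" >&2; return 1; }

    n=$(bundle_for_import "$d/vip1.crt" "$d/vip1.enc.key" "$d/VIP_1.crt")
    [ "$n" -eq 2 ] || { echo "bundle has $n PEM blocks, expected 2" >&2; return 1; }
    echo "$d"
}
```

The public-key comparison is the same test the device performs implicitly when it pairs a pasted key with a certificate number; doing it beforehand avoids discovering a mismatch only when a virtual SSL server fails its handshake. The encrypted key is what belongs on the TFTP/FTP server; the plaintext copy should never leave the workstation.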
Update Existing Certificate
Whenever you wish to replace an existing certificate with a new certificate, keep the existing certificate until you have verified that the new certificate works as designed.
Create a New Certificate
1. Check the certificate numbers currently in use. If, for example, two different certificates exist as Certificate 1 and Certificate 2, create Certificate 3 for your new certificate.
2. Add a certificate with a new certificate number.
3. Add the new certificate according to the instructions shown above.
4. Apply the new certificate to the desired servers. After you have tested that the new certificate works on your SSL servers, you may delete the old certificate(s).
>> Main# cfg/ssl/
>> SSL# cur
>> SSL# cert
Enter certificate number: (1-1500) 3
Creating Certificate 3
>> SSL# server
Enter virtual server number: (1-256) 1
>> Server 1# ssl
>> SSL Settings# cert
Current value: 2
Enter certificate number: (1-1500) 3
Notes:
These instructions were taken from the "User's Guide for SSL Acceleration - SSL VPN v.4.2" available on the Nortel homepage at the following link