11-6
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 11      Configuring SSL
Using SSL Certificates

All certificates have an expiration date, usually one year after the certificate was issued. You can monitor certificate expiration status by going to Monitor > Devices > context > Dashboard. ANM issues a warning email daily before the certificate expiration date. You establish how many days before the expiration date the warning email messages begin in the Threshold Groups settings window, which you can access using either of the following methods:

• Choose Monitor > Alarm Notifications > Thresholds Groups.

• Click the Configure Certificate Expiry Threshold Alarms button in the Certificates window (Config > Devices > context > SSL > Certificates).

Note  The Certificates window (Config > Devices > context > SSL > Certificates) contains the Expiry Date field, which displays the certificate expiration date. Due to a known issue with the ACE module and appliance, it is possible that this field displays either “Null” or characters that are unparseable or unreadable. When this issue occurs, ANM is unable to track the certificate expiration date. If the certificate is defined in a threshold group configured for certificate expiration alarm notifications and this issue occurs, ANM may not issue an expiration alarm when expected or it may issue a false alarm. If you encounter this issue, remove the certificate from the ACE, reimport it, and then verify that the correct expiration date displays in the Certificates window. For more information about configuring the certificate expiration alarm notification, see the “Configuring Alarm Notifications on ANM” section on page 17-57.
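The expiry-threshold logic described above, written out as an added example; this is not part of the guide and not ANM or ACE code. It evaluates a constructed certificate inventory against a configurable warning threshold (the Threshold Groups setting), and treats an Expiry Date value of “Null” or unparseable characters as an explicit “unknown” result rather than letting it produce a missed or false alarm. The text format of the Expiry Date field (“Mon DD HH:MM:SS YYYY GMT”, the OpenSSL notAfter form), the sample certificate names and dates, and the function names are all assumptions.

```python
"""Certificate expiry threshold check (added example, not ANM or ACE code).

Mirrors the behaviour the guide describes: warnings begin a configurable
number of days before the expiration date, and a certificate whose Expiry
Date field reads "Null" or holds unparseable characters is reported as
untrackable instead of being skipped silently or raising a false alarm.
"""
from datetime import datetime, timezone

# Constructed sample inventory (assumption: the ACE's real field format is not
# documented on this page; the OpenSSL notAfter text form is used here).
SAMPLE_INVENTORY = [
    {"name": "www-cert", "expiry": "Mar 10 23:59:59 2025 GMT"},
    {"name": "api-cert", "expiry": "Jan 05 00:00:00 2025 GMT"},
    {"name": "legacy-cert", "expiry": "Null"},          # the known-issue case
    {"name": "garbled-cert", "expiry": "\x00\xfe??"},   # unreadable characters
    {"name": "cisco-sample-cert", "expiry": "Dec 31 23:59:59 2030 GMT"},
]

# Accepted date renderings; anything else is classified as "unknown".
DATE_FORMATS = ("%b %d %H:%M:%S %Y GMT", "%Y-%m-%d")


def parse_expiry(text):
    """Return a timezone-aware datetime, or None when the field is untrackable."""
    if not isinstance(text, str):
        return None
    cleaned = text.strip()
    if cleaned.lower() in ("", "null", "none"):
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # unparseable characters: do not guess a date


def classify(expiry, now, warn_days):
    """Map an expiry datetime to one of: unknown, expired, warning, ok."""
    if expiry is None:
        return "unknown"
    remaining = (expiry - now).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "warning"
    return "ok"


def check_inventory(inventory, now, warn_days=30):
    """Evaluate every certificate; days_left is None when the date is untrackable."""
    results = []
    for entry in inventory:
        expiry = parse_expiry(entry["expiry"])
        results.append({
            "name": entry["name"],
            "status": classify(expiry, now, warn_days),
            "days_left": (expiry - now).days if expiry is not None else None,
        })
    return results


def run_check(now_iso="2025-02-20", warn_days=30, inventory=SAMPLE_INVENTORY):
    """Evaluate the inventory at a fixed UTC date; returns name -> (status, days_left)."""
    now = datetime.strptime(now_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {r["name"]: (r["status"], r["days_left"])
            for r in check_inventory(inventory, now, warn_days)}


def notifications_due(report):
    """Names that need a daily notice: expiring soon, already expired, or untrackable."""
    return [name for name, (status, _) in report.items() if status != "ok"]


if __name__ == "__main__":
    report = run_check(datetime.now(timezone.utc).strftime("%Y-%m-%d"), warn_days=30)
    for name, (status, days_left) in report.items():
        print(f"{name:<20} {status:<8} days_left={days_left}")
    print("notify:", notifications_due(report))
```

The “unknown” bucket is the point of the example: an operator who sees it knows the date is untrackable and can re-import the certificate as the note instructs, whereas a checker that maps an unparseable date to “ok” or to an expired date reproduces exactly the missed or false alarm the guide warns about.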
The ACE requires certificates and corresponding key pairs for the following:

• SSL Termination—The ACE acts as an SSL proxy server and terminates the SSL session between it and the client. For SSL termination, you must obtain a server certificate and corresponding key pair.

• SSL Initiation—The ACE acts as a client and initiates the SSL session between it and the SSL server. For SSL initiation, you must obtain a client certificate and corresponding key pair.

Note  The ACE includes a preinstalled sample certificate and corresponding key pair. This feature is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. The certificate is for demonstration purposes only and does not have a valid domain. It is a self-signed certificate with basic extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair named cisco-sample-key. You can display the sample certificate and corresponding key pair files as follows:

• To display the cisco-sample-cert file, choose Config > Devices > context > SSL > Certificates.

• To display the cisco-sample-key file, choose Config > Devices > context > SSL > Keys.

You can add these files to an SSL-proxy service (see the “Configuring SSL Proxy Service” section on page 11-27), and they are available for use in any context, with the filenames remaining the same in each context. The ACE allows you to export these files but does not allow you to import any files with these names. When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the ACE software, because a software downgrade preserves these files as if they were user-installed SSL files.