11-28
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 11      Configuring SSL
Configuring SSL Proxy Service

Table 11-13 SSL Proxy Service Attributes (continued)

Field
    Description

Certificates
    Certificate that the ACE is to use during the SSL handshake to prove its identity.

    Caution: When choosing the certificate from the drop-down list, be sure to choose the certificate that corresponds to the keys that you choose.

    Note: If you use SSL Setup Sequence to create the proxy service, ANM selects the keys that correspond to the certificate that you choose. If ANM cannot detect a corresponding key pair, you can select a key pair from the drop-down list and click Verify Key to have ANM verify that the keys correspond to the selected certificate. ANM displays a message to let you know that your key pair selection either matches or does not match the selected certificate. For more information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 11-4.

    The cisco-sample-cert option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. For information about this sample certificate, see the “Using SSL Certificates” section on page 11-5.

Chain Groups
    Chain group that the ACE is to use during the SSL handshake. To create a chain group, see the “Configuring SSL Chain Group Parameters” section on page 11-23.

Auth Groups
    Authorization group name that the ACE is to use during the SSL handshake. To create an authorization group, see the “Configuring SSL Authentication Groups” section on page 11-31.

CRL Best-Effort
    Field that displays only when Auth Groups is selected. Allows ANM to search client certificates for the service to determine if it contains a CRL in the extension. ANM then retrieves the value, if it exists.

CRL Name
    Field that displays only when Auth Groups is selected. Do one of the following:
    - Choose N/A when the CRL name is not applicable.
    - Choose the CRL name that the ACE used for authentication.

OCSP Best-Effort
    Field that displays for ACE module or appliance software Version A5(1.0) or later, and when Auth Groups is selected. Check the OCSP Best-Effort checkbox to allow the ACE appliance to extract the extension in the certificate itself and find the OCSP server information, from which the revocation status of the certificate can be obtained. If this extension is missing from the certificate and the best effort OCSP server information is configured with the SSL proxy, the certificate is considered revoked.

    Uncheck the checkbox to display the OCSP server field to choose the available OCSP server.

OCSP Servers
    Field that displays for ACE module or appliance software Version A5(1.0) or later, and when the OCSP Best-Effort checkbox is unchecked. Choose the available OCSP server.
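
The Caution and Note under Certificates require that the selected key pair correspond to the selected certificate. The following is an added example, not taken from this guide and not ANM's own Verify Key implementation, of running the same check offline with OpenSSL before the files are imported. It assumes unencrypted PEM files; the function names, file names and the sample key material are constructed for the illustration.

```shell
#!/bin/sh
# Added example: confirm that a private key corresponds to a certificate
# by comparing the public key embedded in each (both printed as PEM
# SubjectPublicKeyInfo by OpenSSL).

# key_matches_cert CERT.pem KEY.pem
#   exit 0: the key belongs to the certificate
#   exit 1: both files parsed, but the public keys differ
#   exit 2: a file is missing or could not be parsed
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Reject empty output so two failed reads can never compare as equal.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_sample DIR: constructed test material, not real credentials.
#   a.key / a.crt  a matching RSA key and self-signed certificate
#   b.key          an unrelated RSA key
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vip.example.test" \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null
}

# Demonstration on the constructed material.
demo_dir=$(mktemp -d) && make_sample "$demo_dir"
key_matches_cert "$demo_dir/a.crt" "$demo_dir/a.key" &&
    echo "a.key matches a.crt"
key_matches_cert "$demo_dir/a.crt" "$demo_dir/b.key" ||
    echo "b.key does not match a.crt (exit $?)"
rm -rf "$demo_dir"
```
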