08-17-2009 08:19 PM
I'm trying to migrate SSL certs from a ServerIron 450 to a ServerIron 4G-SSL-PREM. I've managed to copy the files from the ServerIron 450, and verified they work using openssl to test them (and I have the right passphrase for the key). Its when I upload them to the 4G and try to setup a ssl profile I get problems.
From a clean config, (the only things configured is ip, username and scp access) I upload the files to the 4G:
scp mykey.key 192.168.145.1:sslkeypair:mykey.key:PLAINTEXTPASSPHRASEFORKEY:pem
scp mycert.pem 192.168.145.1:sslcert:mycert.pem:pem
These seem to work as I get this output
mycert.pem 100% 1209 1.2KB/s 00:00
Connection to 192.168.145.1 closed by remote host.
I run these command at the configuration prompt:
ssl profile test
but I get an error back after the certificate-file command:
Error : A key pair needs to be configured first before configuring the certificate
If I run a 'show run' after the keypair-file command, I don't see "keypair-file mykey.key" listed in the output. So is it this command failing sliently on me? And is the only way to input the pass phrase via the scp upload command? Is there a command to list the certs and keys in the system as well?
08-18-2009 11:00 AM
I do prefer the WebGUI to copy certificates and key (possible starting with release 11.0) it is much simpler and you do have less trouble doing it via the WebGUI.
I guess something went wrong during the copy process. Check the certs and keys available at the ServerIron 4G via:
# rconsole 1 1
1/1# show ssl key *
OUTPUT containing all keys
1/1# show ssl cert *
OUTPUT containing all certs
You posted this one to the wrong community section initially - be careful because this delays our responses.
Have you tried to get the key and cert back from the 4G again to see if they are there: It is possible to try to download them just to check whether they are there are not.
Ensure that the passphrase is correct - this should be possible using OpenSSL.
08-18-2009 11:04 AM
A good document to look at beside the release notes of 9.5.02 and the security guide in later releases:
My 2 Cents...
08-18-2009 07:39 PM
Listing the ssl keys shows no keys to be on the 4G.
I've checked the pass phrase for the key with 'openssl rsa -inform PEM -in mykey.key -noout -check -text' and I get a 'RSA key ok'
The keys' header is
-----BEGIN RSA PRIVATE KEY-----
First time I tried to upload the key from a rebooted and clean config, I got an error in the serveriron console of "Error : Could not read private key from imported file ssl_keys.pem", and the key is still not there.
show ssl debug gives:
Library Description : count
DigEnv bad decrypt : 1
PEM bad decrypt : 1
which is odd, as the pass phrase works.
As a test, I generated a key on the 4G, exported it, deleted it, and reimported it with success. Which then leads me to think: is there any difference between the 450 and 4G-SSL-PREM for ssl implementation, to the point I can't transfer the keys across? Following the SSL PDF hasn't help (and can't get to the 9.5 release docs yet).
08-18-2009 10:59 PM
This sounds for sure like a problem for a ticket but I know you do not have any support right now. The SSL stuff at the 4G is the same as the stuff at the WSM6-SSL modules (which are inside the 350/450 and 850). I hope you have used the same code at the 450 because there is still a possibility that this is a bug. I do remember a ticket in the past talking about problem with the key upload as long as the passphrase had upper characters in it.
Could you try to change the passphrase using openssl and use something lower case which is simple like passphras3 or so?
08-19-2009 12:05 AM
thanks a lot oadam, yes this is a bug in the 4G firmware 9.5 that upper case in the pass phrase does not allow the file to be uploaded. I re-encrypted the key with a lower case (and numbers) pass phrase, and the key was successfully uploaded. I successfully made a ssl profile, terminated the ssl on the 4G, made a test web site, and the certificate shows up in the browser, and I get the website through ssl. So the config that was on the 450 works fine on the 4G for the ssl.