beautypg.com

Step 2: enable certificate chain – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Page 136

background image

124

Brocade Virtual ADX Security Guide

53-1003250-01

Configuring SSL on a Brocade Virtual ADX

6

Symptom: The wrong format was specified when uploading the certificate. For example, the
certificate was obtained in DER format but uploaded in PEM format.
Solution: Display the certificate using the CLI to make sure it is readable.

Symptom: The certificate is chained but "enable-certificate-chaining" command is not enabled
under the SSL profile
Solution: If chained certificates are used then "enable-certificate-chaining" command is
required under SSL profile definition. The chaining is disabled by default to improve system
performance.

Symptom: Certificate is signed by Verisign, but it is shown as expired when the client tries to
connect to the Brocade Virtual ADX. This usually occurs if the client browser has an expired
copy of the intermediate CA certificate.
Solution: Refer to the following URL from Verisign Web site. Download the current copy of
intermediate CA certificate and either replace the expired copy on client browser with the new
copy or append the intermediate CA certificate to the server certificate on the Brocade Virtual
ADX.

http://knowledge.verisign.com/search/solution.jsp?id=vs5781

Perform steps 1 and 2 in the following sections to append intermediate CA certificates to
server certificates.

Step 1: Import server certificate and intermediate CA certificates

To chain SSL certificates, follow these steps:

1. Import the server certificate using the following command:

scp -1 /home/rr/server.crt [email protected]:sslcert:chain2cert:pem

2. Import the intermediate CA certificate using the following command:

scp -1 /home/rr/inter.crt [email protected]:sslcert:chain2cert:pem

NOTE

In this example, server.crt is issued by intermediate CA. The inter.crt is the intermediate CA
certificate.

NOTE

The order is important. The server certificate should be imported before the intermediate CA
certificate.

NOTE

The same file name should be used (chain2cert in this example) when importing both the server and
intermediate CA certificate.

Step 2: Enable Certificate Chain

By default, for CA signed certificates, the Brocade Virtual ADX does not send the entire certificate
chain when presenting the certificate to the client.

To enable the Brocade Virtual ADX to send the entire certificate chain configure the
enable-certificate-chaining command within an SSL profile as described in

“Enabling a certificate

chain”

on page 130.

See also other documents in the category Brocade Computer Accessories: