
  

Please follow these instructions to install your SSL certificate on Cisco Content Services Switch (CSS) 11500:

 

1. Once you have received your SSL certificate by e-mail, copy and paste it into a text file (with Notepad or Wordpad) and save the file with the .pem extension. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

2. Issue the copy ssl command to facilitate the import or export of certificates and private keys from or to the CSS. The CSS stores all imported files in a secure location on the CSS. This command is available only in SuperUser mode.

CSS11500(config)# copy ssl sftp ssl_record import mychainedrsacert.pem PEM "passwd123"

3. Issue the ssl associate cert command to associate a certificate name to the imported certificate.

CSS11500(config)# ssl associate cert mychainedrsacert1 mychainedrsacert.pem

4. Issue the ssl-proxy-list command to create an SSL proxy list. An SSL proxy list is a group of related virtual or backend SSL servers that are associated with an SSL service. The SSL proxy list contains all the configuration information for each virtual SSL Server. This includes the SSL Server creation, certificates and corresponding SSL key pair, Virtual IP (VIP) address and port, SSL ciphers supported, and other SSL options.

CSS11500(config)# ssl-proxy-list ssl_list1

Create ssl-list <ssl_list1>, [y/n]: y

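5. Once you create an SSL proxy list, the CLI enters ssl-proxy-list configuration mode. Configure your SSL server as shown below. The cipher suite in this example, rsa-export-with-rc4-40-md5, is an export-grade 40-bit RC4/MD5 suite; in production, choose the strongest suite your CSS software release supports.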

CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 vip address 192.168.3.6
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert mychainedrsacert1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.11.2 80 5
CSS11500(ssl-proxy-list[ssl_list1])# active

6. Once the SSL proxy list is activated, a service and a content rule need to be configured to allow the CSS to send SSL traffic to the SSL module. The steps below create an SSL service for a virtual SSL server, including adding the SSL proxy list to the service and creating an SSL content rule.

Create an SSL service

CSS11500(config)# service ssl_serv1
Create service <ssl_serv1>, [y/n]: y
CSS11500(config-service[ssl_serv1])# type ssl-accel
CSS11500(config-service[ssl_serv1])# slot 2
CSS11500(config-service[ssl_serv1])# keepalive type none
CSS11500(config-service[ssl_serv1])# add ssl-proxy-list ssl_list1
CSS11500(config-service[ssl_serv1])# active

Create an SSL content rule

CSS11500(config)# owner ssl_owner
Create owner <ssl_owner>, [y/n]: y
CSS11500(config-owner[ssl_owner])# content ssl_rule1
Create content <ssl_rule1>, [y/n]: y
CSS11500(config-owner-content[ssl_rule1])# vip address 192.168.3.6
CSS11500(config-owner-content[ssl_rule1])# port 443
CSS11500(config-owner-content[ssl_rule1])# add service ssl_serv1
CSS11500(config-owner-content[ssl_rule1])# active

Create a clear text content rule 

CSS11500(config-owner[ssl_owner])# content decrypted_www
Create content <decrypted_www>, [y/n]: y
CSS11500(config-owner-content[decrypted_www])# vip address 192.168.11.2
CSS11500(config-owner-content[decrypted_www])# port 80
CSS11500(config-owner-content[decrypted_www])# add service linux_http
CSS11500(config-owner-content[decrypted_www])# add service win2k_http
CSS11500(config-owner-content[decrypted_www])# active

At this point, client HTTPS traffic can be sent to the CSS at 192.168.3.6:443. The CSS decrypts the HTTPS traffic, converting it to HTTP.
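
An added example (not part of the original guide or of Cisco's documentation): a Python check that reads ssl-server lines such as those in step 5, flags cipher suites whose names mark them as weak, and reports servers that lack a vip, rsacert, rsakey or cipher setting. The sample configuration is constructed; server 30 and its VIP are hypothetical.

```python
import re

# Tokens in a cipher-suite name that mark the suite as weak, with the reason.
WEAK_TOKENS = {
    "export": "export-grade suite",
    "40": "40-bit symmetric key",
    "rc4": "RC4 (prohibited in TLS by RFC 7465)",
    "md5": "MD5-based MAC",
    "des": "single DES, 56-bit key",
}
PROMPT = re.compile(r"^\S+#\s*")  # strips a leading "CSS11500(...)# " prompt
SERVER = re.compile(r"^ssl-server\s+(\d+)(?:\s+(\S+)(?:\s+(\S+))?)?")
REQUIRED = ("vip", "rsacert", "rsakey", "cipher")

# Constructed sample: server 20 repeats step 5; server 30 is hypothetical.
SAMPLE_CONFIG = """\
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 vip address 192.168.3.6
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsacert mychainedrsacert1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 rsakey myrsakey1
CSS11500(ssl-proxy-list[ssl_list1])# ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.11.2 80 5
  ssl-server 30
  ssl-server 30 vip address 192.168.3.7
  ssl-server 30 rsacert mychainedrsacert1
"""

def audit(config_text):
    """Return (weak, missing) for the ssl-server entries in config_text."""
    seen, weak = {}, []
    for raw in config_text.splitlines():
        match = SERVER.match(PROMPT.sub("", raw.strip()))
        if not match:
            continue
        number, keyword, value = match.groups()
        settings = seen.setdefault(number, set())
        if keyword:
            settings.add(keyword)
        if keyword == "cipher" and value:
            reasons = [WEAK_TOKENS[t] for t in value.lower().split("-") if t in WEAK_TOKENS]
            if reasons:
                weak.append((number, value, reasons))
    missing = {n: [k for k in REQUIRED if k not in s] for n, s in seen.items()}
    return weak, {n: gaps for n, gaps in missing.items() if gaps}

if __name__ == "__main__":
    weak, missing = audit(SAMPLE_CONFIG)
    for number, cipher, reasons in weak:
        print(f"ssl-server {number}: weak cipher {cipher}: {', '.join(reasons)}")
    for number, gaps in missing.items():
        print(f"ssl-server {number}: missing {', '.join(gaps)}")
```

The token list only inspects cipher-suite names; it does not contact the CSS or test what the VIP actually negotiates.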

 

For further information, please have a look at the official guide.
