Appendix F SSL Introduction
Cisco SSL Configuration Components
Cisco 11000 Series Secure Content Accelerator Configuration Guide
78-13124-06
Chained Certificates
Chained certificates are used when a known, trusted CA (such as Thawte or VeriSign)
issues a certificate attesting that certificates created by an intermediate CA can
be trusted. For example, a company can run its own CA to issue certificates for
internal use; clients do not accept those certificates on their own, because they
were not issued by a CA the client already trusts. When the company's certificates
are chained to the trusted CA certificate, clients accept them during SSL
negotiation, because they can build a path from the server certificate, through
the intermediate CA certificate, to a root they trust.
The certificate created locally is loaded into the device as a regular certificate;
the locally created public/private key pair is loaded into the device as a key. The
intermediate CA certificate signed by the trusted CA, and any other intermediate
certificates, are loaded as individual certificate objects that are then combined
into a certificate group. An example of configuring a chained certificate with the
configuration manager is presented in Chapter 4. See Chapter 5 for information
about creating and enabling chained certificates using the GUI.
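The following script is an added example and is not part of the Cisco guide. It builds the three-tier chain the text describes with OpenSSL (a self-signed root, an intermediate CA signed by that root, and a server certificate signed by the intermediate) and then checks, with `openssl verify`, that a client trusting only the root accepts the server certificate when the intermediate is presented alongside it and rejects it when the server certificate is sent alone. The CA names, the hostname www.example.com and the working directory are assumptions made for the example; the bundle written to chain.pem (server certificate first, then the intermediate) is the same material the device's certificate group is meant to present.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): build and verify a certificate chain.
# Assumed names: "Example Root CA", "Example Intermediate CA", www.example.com.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config with one extension profile per tier of the chain.
write_config() {
    cat > "$WORK/chain.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

build_chain() {
    write_config
    # Tier 1: self-signed root, the only certificate the client is given to trust.
    openssl req -x509 -config "$WORK/chain.cnf" -extensions v3_root \
        -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root CA" -days 365 2>/dev/null || return 1
    # Tier 2: intermediate CA certificate signed by the root.
    openssl req -new -config "$WORK/chain.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
        -subj "/CN=Example Intermediate CA" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/chain.cnf" \
        -extensions v3_intermediate -out "$WORK/intermediate.pem" -days 365 \
        2>/dev/null || return 1
    # Tier 3: the locally created server key pair and certificate, signed by the intermediate.
    openssl req -new -config "$WORK/chain.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=www.example.com" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -extfile "$WORK/chain.cnf" \
        -extensions v3_server -out "$WORK/server.pem" -days 365 2>/dev/null || return 1
    # What the server side presents: its own certificate first, then the intermediate.
    cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/chain.pem"
}

# Client trusts only the root; the intermediate is supplied as untrusted chain material.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Same client, but the server sent only its own certificate: no path to the root.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Number of certificates in the bundle the server side would present.
chain_depth() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

build_chain || { echo "chain build failed" >&2; exit 1; }
if verify_with_chain; then echo "with intermediate:    accepted"; fi
if verify_without_intermediate; then
    echo "without intermediate: accepted (unexpected)"
else
    echo "without intermediate: rejected (no issuer for the server certificate)"
fi
echo "bundle in $WORK/chain.pem holds $(chain_depth) certificates"
```

The second verification is the failure mode the section warns about: a server certificate issued by a private or intermediate CA is rejected by any client that is not also handed the intermediate certificate, which is why the intermediate must be loaded into the device and grouped with the server certificate rather than kept only on the issuing CA.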
Security Policies
Cisco Secure Content Accelerator can process a wide range of single and
composite cryptography schemes. The following table compares the individual
schemes and shows which security policy each belongs to. If you configure the
device to use the weak security policy, all schemes marked "weak" are enabled; if
you use the strong security policy, all schemes marked "strong" are enabled. The
"default" security policy enables the encryption and message authentication
methods that clients commonly support. The "all" security policy enables every
listed combination.
Table F-1  Secure Content Accelerator Cryptographic Algorithms

Cryptographic Scheme   Encryption        Message Authentication   Key Exchange   Security Policy Assignments
ARC4-MD5               ARC4 [1] (128)    MD5                      RSA (1024)     strong, default, all
ARC4-SHA               ARC4 [1] (128)    SHA1                     RSA (1024)     strong, default, all
DES-CBC3-MD5           3DES (168)        MD5                      RSA (1024)     strong, all
DES-CBC3-SHA           3DES (168)        SHA1                     RSA (1024)     strong, fips, all
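The script below is an added example, not part of the Cisco guide. It encodes the rows of Table F-1 that appear on this page, expands a policy name ("strong", "default", "fips", "all") into the schemes that policy enables, translates the device's scheme names into the names OpenSSL uses for the same suites (the device's ARC4 suites are OpenSSL's RC4 suites; the 3DES names are spelled the same), and probes a TLS endpoint one suite at a time with `openssl s_client` to confirm what the device actually offers under the configured policy. The `probe_policy` host and port are supplied by the caller; rows from the rest of the table are not encoded, so policies whose rows are only on later pages (such as "weak") expand to nothing here.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): map Table F-1 policies to suites and probe them.
set -u

# Rows of Table F-1 visible on this page: scheme|policies that enable it.
TABLE='ARC4-MD5|strong,default,all
ARC4-SHA|strong,default,all
DES-CBC3-MD5|strong,all
DES-CBC3-SHA|strong,fips,all'

# Device scheme name -> OpenSSL cipher name for the same suite.
openssl_name() {
    case "$1" in
        ARC4-MD5) echo RC4-MD5 ;;
        ARC4-SHA) echo RC4-SHA ;;
        *) echo "$1" ;;   # DES-CBC3-MD5 / DES-CBC3-SHA use the same spelling
    esac
}

# Print the schemes enabled by a policy, one per line, in table order.
policy_suites() {
    policy="$1"
    printf '%s\n' "$TABLE" | while IFS='|' read -r scheme policies; do
        case ",$policies," in
            *",$policy,"*) echo "$scheme" ;;
        esac
    done
}

# OpenSSL cipher string for a policy, e.g. for "openssl s_client -cipher".
policy_cipher_string() {
    policy_suites "$1" | while read -r scheme; do
        openssl_name "$scheme"
    done | tr '\n' ':' | sed 's/:$//'
}

# Try one handshake per suite and report whether the endpoint accepted it.
# A suite the local OpenSSL build no longer ships (RC4 is compiled out of most
# current builds) is reported separately so it is not mistaken for a server refusal.
probe_policy() {
    host="$1"; port="$2"; policy="$3"
    policy_suites "$policy" | while read -r scheme; do
        suite=$(openssl_name "$scheme")
        if ! openssl ciphers "$suite" >/dev/null 2>&1; then
            echo "$scheme: not available in local openssl build"
        elif openssl s_client -connect "$host:$port" -cipher "$suite" \
                </dev/null >/dev/null 2>&1; then
            echo "$scheme: accepted"
        else
            echo "$scheme: rejected"
        fi
    done
}

for p in strong default fips all; do
    echo "$p: $(policy_cipher_string "$p")"
done
# Example probe (requires network access to the device):
#   probe_policy 192.0.2.10 443 default
```

Use the cipher string from `policy_cipher_string` with `openssl s_client -cipher` when you want to confirm that a device configured for one policy does not still accept a suite from a broader one; every suite in this part of the table uses RC4, MD5 or 3DES, so a current client may refuse all of them regardless of the policy the device is set to.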