SSL certificate requirements
Riverbed products require SSL certificates to follow the ITU-T X.509 standard and to be base-64 encoded DER with header and footer lines. This is generally referred to as PEM format.
Riverbed products require an unencrypted private key in PKCS#8 format, encoded in the PEM format. Encrypted private keys and binary-encoded private keys (including PKCS#12) are not accepted. If your Certificate Authority issues a PKCS#12 file, you will need to convert it to the PEM format.
The Local Credential section expects:
-----BEGIN CERTIFICATE-----
Base-64 encoded certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Base-64 encoded private key
-----END PRIVATE KEY-----
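The conversion and format described above, as an added example that is not Riverbed's own code: p12_to_local_credential uses standard OpenSSL commands to turn a PKCS#12 bundle into the two PEM blocks, and check_local_credential reports why a file would not match the expected format. The function names and file arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names and file arguments are illustrative assumptions.

# Convert a CA-issued PKCS#12 bundle into a certificate block followed by an
# unencrypted PKCS#8 key block. openssl prompts for the import password twice.
# usage: p12_to_local_credential bundle.p12 credential.pem
p12_to_local_credential() {
  (
    umask 077   # the output holds an unencrypted private key
    # First pipeline: leaf certificate only; x509 drops the "Bag Attributes" text.
    # Second pipeline: key decrypted (-nodes), re-serialised as PKCS#8 PEM.
    openssl pkcs12 -in "$1" -clcerts -nokeys | openssl x509 > "$2" &&
    openssl pkcs12 -in "$1" -nocerts -nodes | openssl pkcs8 -topk8 -nocrypt >> "$2"
  )
}

# Preflight check on PEM labels: prints a verdict and returns 0 only when the
# file holds a certificate block and an unencrypted PKCS#8 key block.
# usage: check_local_credential credential.pem
check_local_credential() {
  if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
     grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then
    echo "encrypted private key"; return 1
  fi
  if grep -Eq -- '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$1"; then
    echo "traditional (non-PKCS#8) private key"; return 1
  fi
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
    { echo "no certificate block"; return 1; }
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" ||
    { echo "no PKCS#8 private key block"; return 1; }
  echo "ok"
}
```

The converted file contains the private key in the clear, so remove it from the workstation once it has been pasted into the appliance.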
Additionally, the certificates and keys must meet the minimum requirements of the operational security mode. If the certificates do not comply with FIPS 140-3 requirements when the appliance is switched into FIPS 140-3 Compatible Cryptography mode, they will automatically be replaced by the default certificates.
The key and certificate requirements are as follows:
- FIPS Compatible Cryptology mode:
  - SSH: 1024 bit or more RSA or DSA
  - SSL: X.509 certificate, 1024 bit or more RSA or DSA, signed with SHA1 or higher
- Not in FIPS Compatible Cryptology mode (minimum requirements):
  - SSH: 512 bit or more RSA or DSA
  - SSL: X.509 certificate, 512 bit or more RSA or DSA, any signature
- The default values are:
  - SSH: 2048 bit RSA
  - SSL: X.509 certificate, 2048 bit RSA, SHA512 signature