Cisco Expressway
Appendix 5: Enable AD CS to Issue "Client and Server" Certificates
Note:
The CA component of Microsoft Active Directory Certificate Services (AD CS) must be able to issue a certificate
that can be used for authentication of the Expressway as client or server.
AD CS in Windows Server 2008 Standard R2 (and later) can issue these types of certificates, if you create a
certificate template for them. Earlier versions of Windows Server Standard Edition are not suitable.
The default "Web Server" certificate template in AD CS creates a certificate for Server Authentication. The server
certificate for the Expressway also needs Client Authentication if you want to configure a neighbor or traversal zone
with mutual authentication (where TLS verify mode is enabled).
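Whether an issued certificate is suitable for mutual authentication can be checked by reading its Extended Key Usage extension. The PowerShell below is an added example, not part of the Cisco guide: the function names, the sample subject names and the throwaway self-signed certificates are constructed for illustration, and it assumes PowerShell 7 or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Key-purpose OIDs that a certificate for mutual TLS must carry.
$RequiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

function Test-MutualTlsEku {
    # Reports which required key purposes a certificate lacks (hypothetical helper).
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # 2.5.29.37 is the Extended Key Usage extension.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    # A certificate with no EKU extension is reported as missing both purposes.
    $present = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $missing = @($RequiredEku.Keys | Where-Object { $_ -notin $present } |
                 ForEach-Object { $RequiredEku[$_] })
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Missing = $missing -join ', '
        Usable  = ($missing.Count -eq 0)
    }
}

function New-SampleCert {
    # Constructed test input: throwaway self-signed certificate with the given EKU OIDs.
    param([string]$Name, [string[]]$Eku)
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new("CN=$Name", $rsa, [HashAlgorithmName]::SHA256,
                                      [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $Eku) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
}

# Shape produced by the default "Web Server" template: Server Authentication only.
$webServer = New-SampleCert 'expe-webserver.example.test' @('1.3.6.1.5.5.7.3.1')
# Shape produced by a template with both Server and Client Authentication.
$both = New-SampleCert 'expe-mutual.example.test' @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

$webServer, $both | ForEach-Object { Test-MutualTlsEku $_ } | Format-Table -AutoSize

# For a certificate issued by AD CS, load the file instead (placeholder path):
# Test-MutualTlsEku ([X509Certificate2]::new('C:\path\to\expressway.cer'))
```

The first sample is reported with Client Authentication missing, which is the condition under which a zone with TLS verify mode enabled cannot use the certificate for mutual authentication.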
To set up a certificate template with both Server and Client authentication:
1. In Windows, launch Server Manager (Start > Administrative Tools > Server Manager).
   (Server Manager is a feature included with server editions of Windows.)
2. Expand the Server Manager navigation tree to Roles > Active Directory Certificate Services > Certificate
   Templates (<domain>).
3. Right-click on Web Server and select Duplicate Template.
4. Select Windows Server 2003 Enterprise and click OK.
Cisco Systems, Inc.