Cisco Expressway
Loading certificates and keys onto Expressway
The Expressway uses standard X.509 certificates. The certificate information must be supplied to the
Expressway in PEM format. Typically 3 elements are loaded:
- The server certificate (which is generated by the certificate authority, identifying the ID of the certificate
  holder, and should be able to act as both a client and server certificate).
- The private key (used to sign data sent to the client, and decrypt data sent from the client, encrypted with
  the public key in the server certificate). This must only be kept on the Expressway and backed up in a safe
  place – security of the TLS communications relies upon this being kept secret.
- A list of certificates of trusted certificate authorities.
Note: New installations of Expressway software (from X8.1 onwards) ship with a temporary trusted CA, and
a server certificate issued by that temporary CA. We strongly recommend that you replace the server
certificate with one generated by a trusted certificate authority, and that you install CA certificates for the
authorities that you trust.
Loading a server certificate and private key onto Expressway
The Expressway’s server certificate is used to identify the Expressway when it communicates with client
systems using TLS encryption, and with web browsers over HTTPS.
To upload a server certificate:
1. Go to Maintenance > Security certificates > Server certificate.
2. Use the Browse button to select and upload the server certificate PEM file.
3. If you used an external system to generate the certificate request you must also upload the server private
   key PEM file that was used to encrypt the server certificate. (The private key file will have been
   automatically generated and stored earlier if the Expressway was used to produce the signing request for
   this server certificate.)
   - The server private key must not be password protected.
   - You cannot upload a server private key if a certificate signing request is in progress.
4. Click Upload server certificate data.
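A pre-upload check for the two PEM files used in the steps above, as an added example that is not part of the Cisco guide or the Expressway software. It uses only the Python standard library to flag a password-protected private key (in either PEM encoding) and a signing request supplied in place of the signed certificate; the function names are hypothetical and the sample blocks are constructed placeholder bytes, not real keys.

```python
import base64
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, headers, decoded_bytes) for each PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry "Name: value" headers before the base64;
        # ':' is not in the base64 alphabet, so it separates the two safely.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def check_server_cert(text):
    """Problems that would stop this file being a usable server certificate."""
    problems = []
    blocks = pem_blocks(text)
    labels = [label for label, _, _ in blocks]
    if "CERTIFICATE REQUEST" in labels:
        problems.append("file contains a signing request, not a signed certificate")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if any(l == "CERTIFICATE" and der[:1] != b"\x30" for l, _, der in blocks):
        problems.append("certificate body is not a DER SEQUENCE")
    return problems

def check_private_key(text):
    """Problems with a private key file, including password protection."""
    keys = [(l, h) for l, h, _ in pem_blocks(text) if l.endswith("PRIVATE KEY")]
    problems = [] if keys else ["no private key block found"]
    for label, headers in keys:
        legacy = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        if label == "ENCRYPTED PRIVATE KEY" or legacy:
            problems.append("private key is password protected")
    return problems

def make_pem(label, data, headers=()):
    """Build a constructed PEM block for the demo (placeholder bytes, not a real key)."""
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{base64.b64encode(data).decode()}\n-----END {label}-----\n"

if __name__ == "__main__":
    legacy = make_pem("RSA PRIVATE KEY", b"\x01\x02\x03", ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"])
    print(check_private_key(legacy))
    print(check_private_key(make_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")))
```

The check looks only at PEM framing; it does not confirm that the private key matches the certificate or that the certificate permits both client and server use.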
Cisco Expressway Certificate Creation and Use