Cisco Cisco Expressway
13. (Optional) If you want to validate the DNS entries have been entered correctly into the request, the
myrequest.csr file can be decoded using the command: openssl req –text –noout –in
myrequest.csr
myrequest.csr
14. Submit the CSR to your chosen Certificate Authority, who will provide the public certificate.
15. Upload the public certificate to the VCS via the Maintenance > Security certificates > Server
certificate webpage, “Select the server certificate file” entry box.
16. Upload the privatekey.pem to the VCS via the Maintenance > Security certificates > Server
certificate webpage, “Select the server private key file” entry box.
The privatekey.pem should be kept safe.
Operating as a Certificate Authority using OpenSSL
A major deployment is likely to make use of a third-party certificate authority, or already have one internal to
an organization’s IT department. However, you can use OpenSSL to manage certificates in a private
certificate authority as outlined below.
an organization’s IT department. However, you can use OpenSSL to manage certificates in a private
certificate authority as outlined below.
Configuring OpenSSL to act as a CA
OpenSSL is powerful software, and when operating as a CA, requires a number of directories and databases
to be configured for tracking issued certificates.
to be configured for tracking issued certificates.
The list of directories and files can be found in the openssl configuration file under the section [ CA_
default ]
default ]
. By default, the files/directories required to be created are:
n
A demoCA directory in the current directory, with 3 subdirectories certs, newcerts and private.
n
An empty file called index.txt in the demoCA directory.
n
A file called serial in the demoCA directory, storing a 2-digit number, such as “10”.
For example, use the commands:
mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial
Creating a Certificate Authority using OpenSSL
This process creates a private key and certificate of a Certificate Authority (CA), which can then be used to
validate other certificates. Note that this will not be trusted by devices outside of those on which it is
explicitly installed.
validate other certificates. Note that this will not be trusted by devices outside of those on which it is
explicitly installed.
From a command prompt:
1. Ensure that you are in the demoCA directory.
2. For Windows: copy openssl.cfg from the directory where OpenSSL is installed to the demoCA directory
and rename it as openssl_local.cfg.
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.5.1)
Page 21 of 32
Appendix 2: Certificate generation using OpenSSL only