Cisco Cisco Expressway
Appendix 2: Certificate generation using
OpenSSL only
OpenSSL only
This section describes the process for generating a private key and certificate request for the Expressway
using OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices for test
purposes, and for providing output to interact with Certificate Authorities.
using OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices for test
purposes, and for providing output to interact with Certificate Authorities.
Note: The Expressway can accept and use certificates generated with SHA-256 hashing, but the CSR
(certificate signing request) generator on the user interface does not provide the option to select SHA-256.
(certificate signing request) generator on the user interface does not provide the option to select SHA-256.
The output for the certificate request generation process can be given to a Certificate Authority which may be
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the Expressway to authenticate itself with neighboring devices.
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the Expressway to authenticate itself with neighboring devices.
This section also briefly describes how OpenSSL could be used to manage a private Certificate Authority,
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
OpenSSL and Mac OS X or Linux
OpenSSL is already installed on Mac OS X, and is usually installed on Linux.
OpenSSL and Windows
If you do not have OpenSSL already installed, this is available as a free download from
Choose the relevant 32 bit or 64 bit OpenSSL - the ‘Light’ version is all that is needed.
If you receive a warning while installing OpenSSL that C++ files cannot be found, load the “Visual C++
Redistributables” also available on this site and then re-load the OpenSSL software.
Redistributables” also available on this site and then re-load the OpenSSL software.
Creating a certificate request using OpenSSL
This process creates a private key and certificate request for the server that can then be validated by a CA.
This could be a CA that has been created and managed locally, or a third-party CA.
This could be a CA that has been created and managed locally, or a third-party CA.
Note: This method to create a CSR should only be used if you have a good knowledge of working with
OpenSSL as there is a potential for entering incorrect commands (especially with numerous SAN entries).
Missing relevant SAN entries would require recreating the certificate at a later date.
OpenSSL as there is a potential for entering incorrect commands (especially with numerous SAN entries).
Missing relevant SAN entries would require recreating the certificate at a later date.
To generate the CSR from the command line with OpenSSL use these instructions:
1. SSH to the Expressway and log in as root.
2. Make a new directory to do the work in - mkdir
/tmp/certtemp
3. Move in to this directory - cd /tmp/certtemp
4. Copy the Open SSL configuration file we use for CSR to this directory, as we need to edit it (Note: Keep
the dot at the end) - cp /etc/openssl/csrreq.cnf .
5. Open the file for editing – vi csrreq.cnf
6. Find the line “default_md = sha1” and edit it so that it reads “default_md = sha256”
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.5)
Page 19 of 31
Appendix 2: Certificate generation using OpenSSL only