Cisco Cisco Expressway
For Mac OS X: copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory and rename it as
openssl_local.cfg.
openssl_local.cfg.
3. Use a text editor to edit the openssl_local.cfg file that was created by the above copy command. Make
the following modifications to the [CA_default] section:
a. Ensure that the line copy_extensions = copy does not have a # at the beginning of the line.
Delete the # if it is there. If the line remains commented out, it will strip attributes in the CSR and the
SSL Server and SSL Client attributes will not appear in the certificate.
SSL Server and SSL Client attributes will not appear in the certificate.
b. Change policy = policy_match to policy = policy_anything
c. Change dir = ./demoCA to dir = .
d. Optionally, change default_days = 365 (1 year validity of the generated certificate)
c. Change dir = ./demoCA to dir = .
d. Optionally, change default_days = 365 (1 year validity of the generated certificate)
to default_days = 3650 (10 years, or choose another suitable value).
e. Save the file.
4. Generate a private key for the CA by running the following command:
openssl genrsa -aes256 -out private/cakey.pem 4096
This will prompt for a password with which to encrypt the private key: choose a strong password and
record it in a safe place. The cakey.pem file will be used to create the CA certificate and to sign other
certificates and must also be kept secure.
This will prompt for a password with which to encrypt the private key: choose a strong password and
record it in a safe place. The cakey.pem file will be used to create the CA certificate and to sign other
certificates and must also be kept secure.
5. Generate the CA certificate by running the following command.
For Windows: openssl req -new -x509 –days 3650 -key private/cakey.pem -config
openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
For OS X: openssl req -new -x509 –days 3650 -key private/cakey.pem -config
openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
For OS X: openssl req -new -x509 –days 3650 -key private/cakey.pem -config
openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
6. Enter a passphrase for the key, and then enter the data requested, including:
l
Country
l
State or province
l
Locality name
l
Organization name
l
Organizational unit
l
Common name – this is typically the name of a contact person for this CA
l
Email address – optional, can leave blank
After entering the requested data, the operation completes and the certificate authority certificate cacert.pem
is now available.
is now available.
Creating a signed certificate using OpenSSL
This process signs the server certificate with the generated CA key, using the previously generated
certificate request.
certificate request.
From a command prompt:
1. Ensure that you are in the demoCA directory.
2. Ensure that the certificate request file (certcsr.pem) is available:
l
If the certificate request was created using the Expressway (recommended process):
Copy the file downloaded from the Expressway into the demoCA directory and rename it as
certcsr.pem.
Copy the file downloaded from the Expressway into the demoCA directory and rename it as
certcsr.pem.
l
If the certificate request was created using OpenSSL:
Copy the previously generated certificate request into the demoCA directory and then covert it to PEM
format by running the following command:
openssl req -in certcsr.der -inform DER -out certcsr.pem -outform PEM
Copy the previously generated certificate request into the demoCA directory and then covert it to PEM
format by running the following command:
openssl req -in certcsr.der -inform DER -out certcsr.pem -outform PEM
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.5)
Page 22 of 31
Appendix 2: Certificate generation using OpenSSL only