Cisco Cisco Expressway
Appendix 2: Certificate Generation Using OpenSSL Only
This section describes the process for generating a private key and certificate request for the Expressway using
OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other software. It is
appropriate when certificates are required for interfacing with neighboring devices for test purposes, and for providing
output to interact with Certificate Authorities.
OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other software. It is
appropriate when certificates are required for interfacing with neighboring devices for test purposes, and for providing
output to interact with Certificate Authorities.
The output for the certificate request generation process can be given to a Certificate Authority which may be internal
or external to the organization, and which can be used to produce the X.509 certificates required by the Expressway
to authenticate itself with neighboring devices.
or external to the organization, and which can be used to produce the X.509 certificates required by the Expressway
to authenticate itself with neighboring devices.
This section also briefly describes how OpenSSL could be used to manage a private Certificate Authority, but does
not intend to be comprehensive. Various components of these processes can be used when interfacing with third
party CAs.
not intend to be comprehensive. Various components of these processes can be used when interfacing with third
party CAs.
OpenSSL and Mac OS X or Linux
OpenSSL is already installed on Mac OS X, and is usually installed on Linux.
OpenSSL and Windows
If you do not have OpenSSL already installed, this is available as a free download from
Choose the relevant 32 bit or 64 bit OpenSSL - the ‘Light’ version is all that is needed.
If you receive a warning while installing OpenSSL that C++ files cannot be found, load the “Visual C++
Redistributables” also available on this site and then re-load the OpenSSL software.
Redistributables” also available on this site and then re-load the OpenSSL software.
Creating a Certificate Request Using OpenSSL
This process creates a private key and certificate request for the server that can then be validated by a CA. This could
be a CA that has been created and managed locally, or a third-party CA.
be a CA that has been created and managed locally, or a third-party CA.
Note:
■
This method to create a CSR should only be used if you have a good knowledge of working with OpenSSL as
there is a potential for entering incorrect commands (especially with numerous SAN entries). Missing relevant
SAN entries would require recreating the certificate at a later date.
there is a potential for entering incorrect commands (especially with numerous SAN entries). Missing relevant
SAN entries would require recreating the certificate at a later date.
■
From version X8.5.1 the user interface provides an option to set the Digest algorithm. The default is set to
SHA-256, with options to change to SHA-1, SHA-384, or SHA-512.
SHA-256, with options to change to SHA-1, SHA-384, or SHA-512.
To generate the CSR from the command line with OpenSSL use these instructions:
1.
SSH to the Expressway and log in as root.
2.
Make a new directory to do the work in -
mkdir
/tmp/certtemp
3.
Move in to this directory -
cd /tmp/certtemp
4.
Copy the Open SSL configuration file we use for CSR to this directory, as we need to edit it (Note: Keep the
dot at the end) -
dot at the end) -
cp /etc/openssl/csrreq.cnf .
5.
Open the file for editing –
vi csrreq.cnf
6.
Find the line “
default_md = sha1
” and edit it so that it reads “
default_md = sha256
”
7.
Uncomment the line “
# req_extensions = v3_req
” by removing the
#
at the start of it
8.
Make sure that the line “
extendedKeyUsage=serverAuth, clientAuth
” is present within the section [
v3_req
].
Cisco Systems, Inc.
20