Cisco Cisco Expressway
Introduction
This deployment guide provides instructions on how to create X.509 cryptographic certificates for use with the Cisco
Expressway (Expressway), and how to load them into Expressway.
Expressway (Expressway), and how to load them into Expressway.
PKI Introduction
Public Key Infrastructure (PKI) provides the mechanisms through which communications can be secured (encrypted
and integrity protected) and identities can be verified. Underlying PKI is:
and integrity protected) and identities can be verified. Underlying PKI is:
■
A public/private key pair: a public key is used to encrypt data sent to a server, but only the private key (kept
secret by the server) can be used to decrypt it.
secret by the server) can be used to decrypt it.
■
Signatures of data: data can be “signed” by a server, by using a combination of a cryptographic hash of the
data and the server’s private key. A client can verify the signature by using the server’s public key and verifying
the same hash. This ensures the data has been sent from the expected server, and has not been tampered
with.
data and the server’s private key. A client can verify the signature by using the server’s public key and verifying
the same hash. This ensures the data has been sent from the expected server, and has not been tampered
with.
■
Certificates: a certificate is a wrapper around a public key, and provides information about the owner of the
key. This metadata is provided in X.509 format, and typically includes the server name and contact details for
the owner.
key. This metadata is provided in X.509 format, and typically includes the server name and contact details for
the owner.
■
A certificate chain: a certificate can be signed by a Certificate Authority (CA) using its own private key. In
turn, therefore, a certificate can be verified as being signed by a CA by checking the signature against the
CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that they trust, and
can thus verify the certificates of individual servers.
turn, therefore, a certificate can be verified as being signed by a CA by checking the signature against the
CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that they trust, and
can thus verify the certificates of individual servers.
Transport Layer Security (TLS) is the standard mechanism for securing a TCP connection between hosts on a TCP/IP
network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish a TLS connection:
network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish a TLS connection:
1.
An initial TCP connection is made, and the client sends its capabilities (including cipher suites) and a random
number.
number.
2.
The sever responds with its choice of those capabilities, another random number, and its certificate.
3.
The client verifies that the server certificate was issued (signed) by a CA that it trusts, and has not been
revoked.
revoked.
4.
The client sends a “pre-master secret”, encrypted with the server’s public key.
5.
This pre-master secret, combined with the exchanged random numbers (to prevent replay attacks), is used to
generate a “master secret”, with which the remaining communications of this TLS session are encrypted
between the client and server.
generate a “master secret”, with which the remaining communications of this TLS session are encrypted
between the client and server.
The following sections describe how these PKI components can be used with the Expressway.
Overview of Certificate Use on the Expressway
Expressway needs certificates for:
■
Secure HTTP with TLS (HTTPS) connectivity
■
TLS connectivity for SIP signaling, endpoints and neighbor zones
■
Connections to other systems such as Unified CM, Cisco TMS, LDAP servers and syslog servers
It uses its list of trusted Certificate Authority (CA) certificates and associated certificate revocation lists (CRLs) to
validate other devices connecting to it.
validate other devices connecting to it.
It uses the Server Certificate and the Private key to provide a signed certificate to provide evidence that the
Expressway is the device it says it is. This can be used with neighboring devices such as Microsoft Lync or Unified
CM, as well as administrators using the web interface.
Expressway is the device it says it is. This can be used with neighboring devices such as Microsoft Lync or Unified
CM, as well as administrators using the web interface.
6
Cisco Expressway Certificate Creation and Use Deployment Guide
Introduction