Cisco Cisco Expressway
Generating a certificate signing request (CSR)
A CSR contains the identity information about the owner of a private key. It can be passed to a third-party or
internal certification authority for generating a signed certificate, or it can be used in conjunction with an
application such as Microsoft Certification Authority or OpenSSL.
internal certification authority for generating a signed certificate, or it can be used in conjunction with an
application such as Microsoft Certification Authority or OpenSSL.
Creating a CSR using Expressway
The Expressway can generate server certificate signing requests. This removes the need to use an external
mechanism to generate and obtain certificate requests.
mechanism to generate and obtain certificate requests.
To generate a CSR:
1. Go to
Maintenance > Security certificates > Server certificate
.
2. Click Generate CSR to go to the
Generate CSR
page.
3. Enter the required properties for the certificate.
l
if your Expressway is part of a cluster.
l
Unified Communications solution.
l
The certificate request includes automatically the public key that will be used in the certificate, and the
client and server authentication Enhanced Key Usage (EKU) extension.
client and server authentication Enhanced Key Usage (EKU) extension.
4. Click Generate CSR. The system will produce a signing request and an associated private key.
The private key is stored securely on the Expressway and cannot be viewed or downloaded. You must
never disclose your private key, not even to the certificate authority.
never disclose your private key, not even to the certificate authority.
5. You are returned to the
Server certificate
page. From here you can:
l
Download the request to your local file system so that it can be sent to a certificate authority. You are
prompted to save the file (the exact wording depends on your browser).
prompted to save the file (the exact wording depends on your browser).
l
View the current request (click Show (decoded) to view it in a human-readable form, or click Show
(PEM file) to view the file in its raw format).
(PEM file) to view the file in its raw format).
Note:
n
Only one signing request can be in progress at any one time. This is because the Expressway has to keep
track of the private key file associated with the current request. To discard the current request and start a
new request, click Discard CSR.
track of the private key file associated with the current request. To discard the current request and start a
new request, click Discard CSR.
n
From version X8.5.1 the user interface provides an option to set the Digest algorithm. The default is set to
SHA-256, with options to change to SHA-1, SHA-384, or SHA-512.
SHA-256, with options to change to SHA-1, SHA-384, or SHA-512.
n
The certificate signing request storage location changed in X8.
When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into
/tandberg/persistent/certs.
When you generate a CSR in X8, the application puts csr.pem and privkey.pem into
/tandberg/persistent/certs/generated_csr.
If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend discarding the
CSR before upgrade, and then regenerating the CSR after upgrade.
When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into
/tandberg/persistent/certs.
When you generate a CSR in X8, the application puts csr.pem and privkey.pem into
/tandberg/persistent/certs/generated_csr.
If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend discarding the
CSR before upgrade, and then regenerating the CSR after upgrade.
You must now authorize the request and generate a signed PEM certificate file. You can pass it to a third-
party or internal certification authority, or use it in conjunction with an application such as Microsoft
Certification Authority (see
party or internal certification authority, or use it in conjunction with an application such as Microsoft
Certification Authority (see
).
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.5.2)
Page 5 of 32
Generating a certificate signing request (CSR)