Cisco Cisco Expressway Maintenance Manual
Managing the Expressway's Server Certificate
The Server certificate page (Maintenance > Security certificates > Server certificate) is used to manage the
Expressway's server certificate. This certificate is used to identify the Expressway when it communicates with client
systems using TLS encryption, and with web browsers over HTTPS. You can:
Expressway's server certificate. This certificate is used to identify the Expressway when it communicates with client
systems using TLS encryption, and with web browsers over HTTPS. You can:
■
view details about the currently loaded certificate
■
generate a certificate signing request
■
upload a new server certificate
Note:
We highly recommend using certificates based on RSA keys. Other types of certificate, such as those
based on DSA keys, are not tested and may not work with the Expressway in all scenarios.
Viewing the currently uploaded certificate
The Server certificate data section shows information about the server certificate currently loaded on the
Expressway.
Expressway.
■
To view the currently uploaded server certificate file, click Show (decoded) to view it in a human-readable
form, or click Show (PEM file) to view the file in its raw format.
Note that if a certificate contains SRV-ID or XMPP-ID formatted entries, when that certificate is viewed those
entries will show as '<unsupported>'. That does not mean the certificate is invalid, but that the openssl code
does not know how to display those identifiers.
form, or click Show (PEM file) to view the file in its raw format.
Note that if a certificate contains SRV-ID or XMPP-ID formatted entries, when that certificate is viewed those
entries will show as '<unsupported>'. That does not mean the certificate is invalid, but that the openssl code
does not know how to display those identifiers.
■
To replace the currently uploaded server certificate with the Expressway's original certificate, click Reset to
default server certificate.
default server certificate.
Note:
Do not allow your server certificate to expire as this may cause other external systems to reject your certificate
and prevent the Expressway from being able to connect to those systems.
Generating a certificate signing request (CSR)
The Expressway can generate server certificate signing requests. This removes the need to use an external
mechanism to generate and obtain certificate requests.
mechanism to generate and obtain certificate requests.
To generate a CSR:
1.
Go to Maintenance > Security certificates > Server certificate.
2.
Click Generate CSR to go to the Generate CSR page.
3.
Enter the required properties for the certificate.
—
if your Expressway is part of a cluster.
—
if this Expressway is part of a
Unified Communications solution.
—
The certificate request includes automatically the public key that will be used in the certificate, and the
client and server authentication Enhanced Key Usage (EKU) extension.
client and server authentication Enhanced Key Usage (EKU) extension.
4.
Click Generate CSR. The system will produce a signing request and an associated private key.
The private key is stored securely on the Expressway and cannot be viewed or downloaded. You must never
disclose your private key, not even to the certificate authority.
disclose your private key, not even to the certificate authority.
5.
You are returned to the Server certificate page. From here you can:
—
Download the request to your local file system so that it can be sent to a certificate authority. You are
prompted to save the file (the exact wording depends on your browser).
prompted to save the file (the exact wording depends on your browser).
—
View the current request (click Show (decoded) to view it in a human-readable form, or click Show (PEM
file) to view the file in its raw format).
file) to view the file in its raw format).
201
Cisco Expressway Administrator Guide
Maintenance