Cisco Cisco Expressway
Introduction
This deployment guide provides instructions on how to create X.509 cryptographic certificates for use with
the Cisco Expressway (Expressway), and how to load them into Expressway.
the Cisco Expressway (Expressway), and how to load them into Expressway.
PKI introduction
Public Key Infrastructure (PKI) provides the mechanisms through which communications can be secured
(encrypted and integrity protected) and identities can be verified. Underlying PKI is:
(encrypted and integrity protected) and identities can be verified. Underlying PKI is:
n
A public/private key pair: a public key is used to encrypt data sent to a server, but only the private key
(kept secret by the server) can be used to decrypt it.
(kept secret by the server) can be used to decrypt it.
n
Signatures of data: data can be “signed” by a server, by using a combination of a cryptographic hash of
the data and the server’s private key. A client can verify the signature by using the server’s public key and
verifying the same hash. This ensures the data has been sent from the expected server, and has not been
tampered with.
the data and the server’s private key. A client can verify the signature by using the server’s public key and
verifying the same hash. This ensures the data has been sent from the expected server, and has not been
tampered with.
n
Certificates: a certificate is a wrapper around a public key, and provides information about the owner of the
key. This metadata is provided in X.509 format, and typically includes the server name and contact details
for the owner.
key. This metadata is provided in X.509 format, and typically includes the server name and contact details
for the owner.
n
A certificate chain: a certificate can be signed by a Certificate Authority (CA) using its own private key.
In turn, therefore, a certificate can be verified as being signed by a CA by checking the signature against
the CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that they
trust, and can thus verify the certificates of individual servers.
In turn, therefore, a certificate can be verified as being signed by a CA by checking the signature against
the CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that they
trust, and can thus verify the certificates of individual servers.
Transport Layer Security (TLS) is the standard mechanism for securing a TCP connection between hosts on
a TCP/IP network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish
a TLS connection:
a TCP/IP network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish
a TLS connection:
1. An initial TCP connection is made, and the client sends its capabilities (including cipher suites) and a
random number.
2. The sever responds with its choice of those capabilities, another random number, and its certificate.
3. The client verifies that the server certificate was issued (signed) by a CA that it trusts, and has not been
revoked.
4. The client sends a “pre-master secret”, encrypted with the server’s public key.
5. This pre-master secret, combined with the exchanged random numbers (to prevent replay attacks), is
used to generate a “master secret”, with which the remaining communications of this TLS session are
encrypted between the client and server.
encrypted between the client and server.
The following sections describe how these PKI components can be used with the Expressway.
Overview of certificate use on the Expressway
Expressway needs certificates for:
n
Secure HTTP with TLS (HTTPS) connectivity
n
TLS connectivity for SIP signaling, endpoints and neighbor zones
n
Connections to other systems such as Unified CM, Cisco TMS, LDAP servers and syslog servers
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.2)
Page 3 of 29
Introduction