Cisco Cisco Expressway
13.
(Optional) If you want to validate the DNS entries have been entered correctly into the request, the myrequest.csr
file can be decoded using the command:
file can be decoded using the command:
openssl req –text –noout –in myrequest.csr
14.
Submit the CSR to your chosen Certificate Authority, who will provide the public certificate.
15.
Upload the public certificate to the VCS via the Maintenance > Security certificates > Server certificate
webpage, “Select the server certificate file” entry box.
webpage, “Select the server certificate file” entry box.
16.
Upload the privatekey.pem to the VCS via the Maintenance > Security certificates > Server certificate webpage,
“Select the server private key file” entry box.
“Select the server private key file” entry box.
The privatekey.pem should be kept safe.
Operating as a Certificate Authority using OpenSSL
A major deployment is likely to make use of a third-party certificate authority, or already have one internal to an
organization’s IT department. However, you can use OpenSSL to manage certificates in a private certificate authority as
outlined below.
organization’s IT department. However, you can use OpenSSL to manage certificates in a private certificate authority as
outlined below.
.
Configuring OpenSSL to act as a CA
OpenSSL is powerful software, and when operating as a CA, requires a number of directories and databases to be
configured for tracking issued certificates.
configured for tracking issued certificates.
The list of directories and files can be found in the openssl configuration file under the section
[ CA_default ]
. By
default, the files/directories required to be created are:
■
A demoCA directory in the current directory, with 3 subdirectories certs, newcerts and private.
■
An empty file called index.txt in the demoCA directory.
■
A file called serial in the demoCA directory, storing a 2-digit number, such as “10”.
For example, use the commands:
mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial
Creating a Certificate Authority using OpenSSL
This process creates a private key and certificate of a Certificate Authority (CA), which can then be used to validate other
certificates. Note that this will not be trusted by devices outside of those on which it is explicitly installed.
certificates. Note that this will not be trusted by devices outside of those on which it is explicitly installed.
From a command prompt:
1.
Ensure that you are in the demoCA directory.
2.
For Windows: copy openssl.cfg from the directory where OpenSSL is installed to the demoCA directory and
rename it as openssl_local.cfg.
rename it as openssl_local.cfg.
For Mac OS X: copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory and rename it as openssl_
local.cfg.
local.cfg.
19
Cisco Expressway Certificate Creation and Use Deployment Guide