Cisco Expressway
3. Use a text editor to edit the openssl_local.cfg file that was created by the above copy command. Make the following modifications to the [CA_default] section:
   a. Ensure that the line
          copy_extensions = copy
      does not have a # at the beginning of the line. Delete the # if it is there. If the line remains commented out, it will strip attributes in the CSR and the SSL Server and SSL Client attributes will not appear in the certificate.
   b. Change
          policy = policy_match
      to
          policy = policy_anything
   c. Change
          dir = ./demoCA
      to
          dir = .
   d. Optionally, change
          default_days = 365
      (1 year validity of the generated certificate) to
          default_days = 3650
      (10 years, or choose another suitable value).
   e. Save the file.
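The [CA_default] edits in step 3 can be applied and checked by a script rather than by hand, which also catches the case the step warns about (copy_extensions left commented out). The following Python is an added example, not part of this guide or of OpenSSL: it assumes an INI-style openssl_local.cfg with a [CA_default] section holding the keys named above, uses a constructed fragment of such a file as sample input, and rewrites only the keys the steps name (copy_extensions, policy, dir and, optionally, default_days), leaving every other line and section untouched.

```python
import re

# Constructed sample: the relevant fragment of a stock openssl.cnf copy,
# as it looks before the step-3 edits (copy_extensions still commented out).
SAMPLE_CFG = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
certs = $dir/certs
default_days = 365
# copy_extensions = copy
policy = policy_match

[ policy_match ]
countryName = match
"""

# Values steps a-c require in [CA_default]; step d (default_days) is optional.
REQUIRED = {
    "copy_extensions": "copy",
    "policy": "policy_anything",
    "dir": ".",
}

_HEADER = re.compile(r"^\s*\[\s*(\w+)\s*\]\s*$")
_KEYVAL = re.compile(r"^(\w+)\s*=\s*(.*)$")


def edit_ca_default(text, default_days=3650):
    """Return the config text with the step-3 edits applied inside [CA_default] only.

    A commented-out '# copy_extensions = copy' is uncommented (step a); policy
    and dir are rewritten (steps b, c); default_days is rewritten unless
    default_days is None (step d). Other sections and keys are left as they are.
    """
    out = []
    in_section = False
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            in_section = header.group(1) == "CA_default"
            out.append(line)
            continue
        if in_section:
            stripped = line.strip()
            # Look past a leading '#' so a commented-out key can be re-enabled.
            body = stripped[1:].strip() if stripped.startswith("#") else stripped
            kv = _KEYVAL.match(body)
            if kv:
                key = kv.group(1)
                if key in REQUIRED:
                    line = f"{key} = {REQUIRED[key]}"
                elif key == "default_days" and default_days is not None:
                    line = f"default_days = {default_days}"
        out.append(line)
    return "\n".join(out) + "\n"


def ca_default_settings(text):
    """Return the active (uncommented) key/value pairs of [CA_default]."""
    settings = {}
    in_section = False
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            in_section = header.group(1) == "CA_default"
            continue
        stripped = line.strip()
        if in_section and stripped and not stripped.startswith("#"):
            kv = _KEYVAL.match(stripped)
            if kv:
                # Drop a trailing "# comment" so only the value is compared.
                settings[kv.group(1)] = kv.group(2).split("#", 1)[0].strip()
    return settings


def check_ca_default(text):
    """List every step a-c setting that is missing or wrong; an empty list means OK.

    A still-commented copy_extensions shows up here as None: that is the case
    that silently strips the SSL Server / SSL Client attributes from the CSR.
    """
    found = ca_default_settings(text)
    return [
        f"{key} should be '{want}', found {found.get(key)!r}"
        for key, want in REQUIRED.items()
        if found.get(key) != want
    ]


if __name__ == "__main__":
    print("before:", check_ca_default(SAMPLE_CFG))
    fixed = edit_ca_default(SAMPLE_CFG)
    print("after: ", check_ca_default(fixed))
    print(fixed)
```

Running check_ca_default on the real openssl_local.cfg after editing gives a quick confirmation that steps a to c took effect before the CA key is generated; the edit function is idempotent, so running it over an already-edited file changes nothing.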
4. Generate a private key for the CA by running the following command:
       openssl genrsa -aes256 -out private/cakey.pem 4096
   This will prompt for a password with which to encrypt the private key: choose a strong password and record it in a safe place. The cakey.pem file will be used to create the CA certificate and to sign other certificates and must also be kept secure.
5. Generate the CA certificate by running the following command.
   For Windows:
       openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
   For OS X:
       openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
6. Enter a passphrase for the key, and then enter the data requested, including:
   — Country
   — State or province
   — Locality name
   — Organization name
   — Organizational unit
   — Common name – this is typically the name of a contact person for this CA
   — Email address – optional, can leave blank
   After entering the requested data, the operation completes and the certificate authority certificate cacert.pem is now available.
Creating a signed certificate using OpenSSL
This process signs the server certificate with the generated CA key, using the previously generated certificate request.
From a command prompt:
1. Ensure that you are in the demoCA directory.
2. Ensure that the certificate request file (certcsr.pem) is available:
   — If the certificate request was created using the Expressway (recommended process):
     Copy the file downloaded from the Expressway into the demoCA directory and rename it as certcsr.pem.
   — If the certificate request was created using OpenSSL:
     Copy the previously generated certificate request into the demoCA directory and then convert it to PEM format by running the following command:
         openssl req -in certcsr.der -inform DER -out certcsr.pem -outform PEM
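The DER to PEM conversion in the last step can also be done, and sanity-checked, without invoking openssl. The following Python is an added example and not part of this guide or of OpenSSL; it assumes a PKCS#10 request in certcsr.der, and its sample inputs are constructed minimal DER SEQUENCEs rather than real requests. It parses the outer SEQUENCE header so a truncated or otherwise mangled download is rejected before the file is handed on for signing, then wraps the bytes in the CERTIFICATE REQUEST PEM armor that openssl req -outform PEM writes.

```python
import base64

PEM_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_FOOTER = "-----END CERTIFICATE REQUEST-----"


def der_total_length(der):
    """Parse the outer ASN.1 SEQUENCE header of a DER blob and return the number
    of bytes it claims to span. Raises ValueError when the bytes cannot be a
    complete DER-encoded request (wrong tag, bad length, truncated, or trailing
    junk), so a damaged certcsr.der is caught before it is passed to openssl ca.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte must be 0x30")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated length encoding")
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    total = header + length
    if total != len(der):
        raise ValueError(f"length mismatch: header spans {total} bytes, file has {len(der)}")
    return total


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE REQUEST block (64-character base64 lines)."""
    der_total_length(der)                 # reject malformed input before wrapping it
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem):
    """Reverse of der_to_pem: strip the armor and base64-decode the body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 2 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a CERTIFICATE REQUEST PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def convert_file(der_path, pem_path):
    """certcsr.der -> certcsr.pem, the same conversion the openssl req command performs."""
    with open(der_path, "rb") as f:
        der = f.read()
    with open(pem_path, "w") as f:
        f.write(der_to_pem(der))


# Constructed samples (not real CSRs): a short-form and a long-form DER SEQUENCE.
SAMPLE_DER_SHORT = bytes.fromhex("3005" "020100" "0500")                          # 7 bytes
SAMPLE_DER_LONG = bytes.fromhex("3081c8") + bytes.fromhex("0481c5") + b"A" * 197  # 203 bytes


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER_SHORT))
    print(der_to_pem(SAMPLE_DER_LONG))
```

The length check is deliberately strict: a file whose outer SEQUENCE does not account for exactly every byte is either cut short or has something appended, and either way openssl ca would reject it later with a less helpful error.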
20
Cisco Expressway Certificate Creation and Use Deployment Guide