Cisco Expressway
Expressway itself and of the cluster. If a certificate is shared across cluster peers, it must list all possible peer FQDNs.
The following lists show what must be included in the X.509 subject, depending on the deployment model chosen.
If the Expressway is not clustered:
■ Subject Common Name = FQDN of Expressway
■ Subject Alternate Names = leave blank
If the Expressway is clustered, with individual certificates per Expressway:
■ Subject Common Name = FQDN of Expressway
■ Subject Alternate Names = FQDN of Expressway, FQDN of cluster
Wildcard certificates cover multiple subdomains and the service names they support; they can be less secure than
SAN (Subject Alternate Name) certificates. Expressway does not support wildcard certificates.
Certificate generation overview
X.509 certificates may be supplied from a third party, or may be generated by a certificate generator such as OpenSSL or
a tool available in applications such as Microsoft Certification Authority. Third-party certificates supplied by recognized
certificate authorities are recommended, although Expressway deployments in controlled or test environments can use
internally generated certificates.
Certificate generation is usually a 3-stage process:
■ Stage 1: generate a private key
■ Stage 2: create a certificate request
■ Stage 3: authorize and create the certificate
This document presents alternative methods of generating the root certificate, client/server certificate for the Expressway,
and private key:
■ the private key and certificate request.
■ documents the OpenSSL-only process, which could be used with a third party or internally managed CA.
For mutual TLS authentication the Expressway Server certificate must be capable of being used as a Client certificate as
well, thus allowing the Expressway to authenticate as a client device to a neighboring server (see ).
Note: Changes are being introduced to the way that dates are handled from 2050, and certificates with expiry dates
beyond that can cause operational issues.
Generating a certificate signing request (CSR)
A CSR contains the identity information about the owner of a private key. It can be passed to a third-party or internal
certification authority for generating a signed certificate, or it can be used in conjunction with an application such as
Microsoft Certification Authority or OpenSSL.
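Stages 1 and 2 of the process above, for both deployment models (clustered and not clustered), as an added example that is not from the Cisco guide: a POSIX shell script that uses OpenSSL to generate the private key and a CSR carrying the subject and SAN entries the lists above require, plus a check that a CSR follows those rules (no wildcard names, both FQDNs present when clustered). The hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: stages 1 and 2 of the process above, done with
# OpenSSL only. The hostnames used below are constructed placeholders.
set -eu

# gen_expressway_csr <dir> <expressway-fqdn> [cluster-fqdn]
# Writes <dir>/expressway.key and <dir>/expressway.csr. Without a cluster FQDN the CSR has
# CN = FQDN and no SAN; with one it adds SAN = FQDN of Expressway, FQDN of cluster.
gen_expressway_csr() {
    dir=$1; fqdn=$2; cluster=${3:-}; cfg="$dir/csr.cnf"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n' > "$cfg"
    if [ -n "$cluster" ]; then
        printf 'req_extensions = ext\n[dn]\nCN = %s\n' "$fqdn" >> "$cfg"
        printf '[ext]\nsubjectAltName = DNS:%s,DNS:%s\n' "$fqdn" "$cluster" >> "$cfg"
    else
        printf '[dn]\nCN = %s\n' "$fqdn" >> "$cfg"
    fi
    openssl genrsa -out "$dir/expressway.key" 2048 2>/dev/null   # stage 1: private key
    openssl req -new -key "$dir/expressway.key" -config "$cfg" -out "$dir/expressway.csr"  # stage 2: CSR
}

# csr_sans <csr>: prints the DNS names in the CSR's subjectAltName, one per line (nothing if none)
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}

# check_csr <csr> <expressway-fqdn> [cluster-fqdn]: returns 0 if the CSR follows the subject rules
check_csr() {
    csr=$1; fqdn=$2; cluster=${3:-}
    subj=$(openssl req -in "$csr" -noout -subject)
    case "$subj" in
        *"CN = $fqdn"*|*"CN=$fqdn"*) ;;
        *) echo "CN mismatch: $subj"; return 1 ;;
    esac
    sans=$(csr_sans "$csr")
    case "$sans" in *'*'*) echo "wildcard SAN present (not supported by Expressway)"; return 1 ;; esac
    if [ -n "$cluster" ]; then
        echo "$sans" | grep -qx "$fqdn"    || { echo "SAN missing $fqdn"; return 1; }
        echo "$sans" | grep -qx "$cluster" || { echo "SAN missing $cluster"; return 1; }
    fi
}

# Usage with constructed hostnames: one clustered Expressway peer
work=$(mktemp -d)
gen_expressway_csr "$work" exp1.example.com expcluster.example.com
check_csr "$work/expressway.csr" exp1.example.com expcluster.example.com && echo "CSR OK"
```

The CSR written to expressway.csr is what you hand to the CA in stage 3; the key file must stay on the Expressway.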
Creating a CSR using Expressway
The Expressway can generate server certificate signing requests. This removes the need to use an external mechanism
to generate and obtain certificate requests.
To generate a CSR:
1. Go to Maintenance > Security certificates > Server certificate.
2. Click Generate CSR to go to the Generate CSR page.
Cisco Expressway Certificate Creation and Use Deployment Guide