Cisco Cisco Expressway Maintenance Manual
About security certificates
For extra security, you may want to have the Expressway communicate with other systems (such as LDAP
servers, neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.
servers, neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.
For this to work successfully in a connection between a client and server:
n
The server must have a certificate installed that verifies its identity. This certificate must be signed by a
Certificate Authority (CA).
Certificate Authority (CA).
n
The client must trust the CA that signed the certificate used by the server.
The Expressway allows you to install appropriate files so that it can act as either a client or a server in
connections using TLS. The Expressway can also authenticate client connections (typically from a web
browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify
LDAP server and HTTPS client certificates.
connections using TLS. The Expressway can also authenticate client connections (typically from a web
browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify
LDAP server and HTTPS client certificates.
The Expressway can generate server certificate signing requests (CSRs). This removes the need to use an
external mechanism to generate and obtain certificate requests.
external mechanism to generate and obtain certificate requests.
For secure communications (HTTPS and SIP/TLS) we recommend that you replace the Expressway default
certificate with a certificate generated by a trusted certificate authority.
certificate with a certificate generated by a trusted certificate authority.
Note that in connections:
n
to an endpoint, the Expressway acts as the TLS server
n
to an LDAP server , the Expressway is a client
n
between two Expressway systems, either Expressway may be the client with the other Expressway being
the TLS server
the TLS server
n
via HTTPS, the web browser is the client and the Expressway is the server
TLS can be difficult to configure. For example, when using it with an LDAP server we recommend that you
confirm that your system is working correctly before you attempt to secure the connection with TLS. You are
also recommended to use a third party LDAP browser to verify that your LDAP server is correctly configured
to use TLS.
confirm that your system is working correctly before you attempt to secure the connection with TLS. You are
also recommended to use a third party LDAP browser to verify that your LDAP server is correctly configured
to use TLS.
Note: be careful not to allow your CA certificates or CRLs to expire as this may cause certificates signed by
those CAs to be rejected.
those CAs to be rejected.
Certificate and CRL files can only be managed via the web interface. They cannot be installed using the CLI.
Managing the trusted CA certificate list
The
Trusted CA certificate
page (
Maintenance > Security certificates > Trusted CA certificate
) allows
you to manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway. When
a TLS connection to Expressway mandates certificate verification, the certificate presented to the
Expressway must be signed by a trusted CA in this list and there must be a full chain of trust (intermediate
CAs) to the root CA.
a TLS connection to Expressway mandates certificate verification, the certificate presented to the
Expressway must be signed by a trusted CA in this list and there must be a full chain of trust (intermediate
CAs) to the root CA.
Cisco Expressway Administrator Guide (X8.5.1)
Page 220 of 399
Maintenance
About security certificates