Cisco Cisco Expressway
Appendix 2: Certificate generation using
OpenSSL only
OpenSSL only
This section describes the process for generating a private key and certificate request for the Expressway
using OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices for test
purposes, and for providing output to interact with Certificate Authorities.
using OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices for test
purposes, and for providing output to interact with Certificate Authorities.
The output for the certificate request generation process can be given to a Certificate Authority which may be
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the Expressway to authenticate itself with neighboring devices.
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the Expressway to authenticate itself with neighboring devices.
This section also briefly describes how OpenSSL could be used to manage a private Certificate Authority,
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
OpenSSL and Mac OS X or Linux
OpenSSL is already installed on Mac OS X, and is usually installed on Linux.
OpenSSL and Windows
If you do not have OpenSSL already installed, this is available as a free download from
Choose the relevant 32 bit or 64 bit OpenSSL - the ‘Light’ version is all that is needed.
If you receive a warning while installing OpenSSL that C++ files cannot be found, load the “Visual C++
Redistributables” also available on this site and then re-load the OpenSSL software.
Redistributables” also available on this site and then re-load the OpenSSL software.
Creating a certificate request using OpenSSL
This process creates a private key and certificate request for the server that can then be validated by a CA.
This could be a CA that has been created and managed locally, or a third-party CA.
This could be a CA that has been created and managed locally, or a third-party CA.
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory).
For Mac OS X: stay in the root of the user’s directory.
2. Personalize the openssl.cfg file:
a. For Windows: copy openssl.cfg to openssl_request.cfg
For Mac OS X: copy /System/Library/OpenSSL/openssl.cnf to the root of the user’s directory as
openssl_request.cfg
openssl_request.cfg
b. Use a text editor to edit the openssl_request.cfg file that was created by the above copy command,
and ensure that the line “req_extensions = v3_req # The extensions to add to a
certificate request”
certificate request”
does not have a # at the beginning of the line. Delete the # if it is there.
c. Scroll down to the “[ v3_req ]” section and below this section title add:
extendedKeyUsage=serverAuth, clientAuth
d. Save the file.
Cisco Expressway Certificate Creation and Use
Page 14 of 25
Appendix 2: Certificate generation using OpenSSL only