Cisco Cisco Expressway
3. If the certificate is for a cluster of Expressways:
a. Under the same “[ v3_req ]” section add:
subjectAltName="DNS:<FQDN of Expressway cluster>,DNS:<FQDN of peer
1>,DNS:<FQDN of peer 2>,DNS:<FQDN of peer n>"
as the bottom line of this section (before “[ v3_ca ]”), filling in the details for the Expressway
deployment as appropriate (cluster FQDN and FQDNs of all peers).
as the bottom line of this section (before “[ v3_ca ]”), filling in the details for the Expressway
deployment as appropriate (cluster FQDN and FQDNs of all peers).
b. Save the file.
4. Generate a private key by running the following command:
openssl genrsa -out privatekey.pem 2048
The privatekey.pem file will be used to create the certificate request and will also be required for loading
into the Expressway. The file is created in the directory that the openssl command is run from.
The privatekey.pem file will be used to create the certificate request and will also be required for loading
into the Expressway. The file is created in the directory that the openssl command is run from.
5. Generate a certificate request (suitable for use with Microsoft Certification Authority) by running the
following command:
openssl req -new -key privatekey.pem -config openssl_request.cfg -out
openssl req -new -key privatekey.pem -config openssl_request.cfg -out
certcsr.der -outform DER -sha1
6. Enter the data requested, including:
l
Country
l
State or province
l
Locality name
l
Organization name
l
Organizational unit
l
Common name - this is the Expressway cluster FQDN if the certificate is for a cluster of Expressways
or it is the FQDN of the Expressway if the certificate is for a single Expressway
or it is the FQDN of the Expressway if the certificate is for a single Expressway
l
Email address - optional, can leave blank
l
A challenge password - optional, can leave blank
l
An optional company name - optional, can leave blank
After entering the requested data, the certificate request file certcsr.der is now available.
To validate that DNS entries have been entered correctly into the request, the certcsr.der file can be
decoded using the command:
decoded using the command:
openssl req -text -noout -in certcsr.der -inform DER
This certificate request file can be passed to an internal or third-party Certificate Authority for generating the
X.509 certificate. OpenSSL can be used to operate a private CA, as described below.
X.509 certificate. OpenSSL can be used to operate a private CA, as described below.
Operating as a Certificate Authority using OpenSSL
A major deployment is likely to make use of a third-party certificate authority, or already have one internal to
an organization’s IT department. However, you can use OpenSSL to manage certificates in a private
certificate authority as outlined below.
an organization’s IT department. However, you can use OpenSSL to manage certificates in a private
certificate authority as outlined below.
Configuring OpenSSL to act as a CA
OpenSSL is powerful software, and when operating as a CA, requires a number of directories and databases
to be configured for tracking issued certificates.
to be configured for tracking issued certificates.
The list of directories and files can be found in the openssl configuration file under the section [ CA_
default ]
default ]
. By default, the files/directories required to be created are:
Cisco Expressway Certificate Creation and Use
Page 15 of 25
Appendix 2: Certificate generation using OpenSSL only