Cisco Cisco Expressway
• Organization name
• Organizational unit
• Common name – this is typically the name of a contact person for this CA
• Email address – optional, can leave blank
After entering the requested data, the operation completes and the certificate authority certificate cacert.pem is now available.
Creating a signed certificate using OpenSSL
This process signs the server certificate with the generated CA key, using the previously generated certificate request.
From a command prompt:
1. Ensure that you are in the demoCA directory.
2. Ensure that the certificate request file (certcsr.pem) is available:
   • If the certificate request was created using the Expressway (recommended process):
     Copy the file downloaded from the Expressway into the demoCA directory and rename it as certcsr.pem.
   • If the certificate request was created using OpenSSL:
     Copy the previously generated certificate request into the demoCA directory and then convert it to PEM format by running the following command:
     openssl req -in certcsr.der -inform DER -out certcsr.pem -outform PEM
3. Generate a signed server certificate by running the following command:
   openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in certcsr.pem -out certs/server.pem -md sha1
   If you receive a "failed to update database TXT_DB error number 2" error message, you can remove the contents of the index.txt file and then rerun the command.
4. You will be prompted to enter the password for the CA’s private key.
The signed certificate for the server is now available as demoCA/certs/server.pem.
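A check worth running on certs/server.pem before it is uploaded, written here as an added example (not part of the Cisco guide): it confirms that the certificate verifies against cacert.pem and carries the same public key as certcsr.pem, and reports the signature algorithm that -md selected. The function names and the throwaway demo CA built by make_demo_files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): checks to run on the signed
# certificate before uploading it. Function names are hypothetical.

# Signature algorithm recorded in a certificate, e.g. sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_signed_cert CA_CERT SERVER_CERT CSR
# Succeeds only if SERVER_CERT verifies against CA_CERT and carries the same
# public key as the request, i.e. the CA signed the CSR you meant it to sign.
check_signed_cert() {
    ca=$1; cert=$2; csr=$3
    # Match on the "OK" line rather than relying on the exit status alone.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    csr_key=$(openssl req -in "$csr" -noout -pubkey) || return 1
    if [ "$cert_key" != "$csr_key" ]; then
        echo "FAIL: public key in $cert differs from $csr"; return 1
    fi
    echo "OK: $cert signed with $(cert_sig_alg "$cert")"
}

# Constructed test material: a throwaway CA and request in directory $1.
# Signed with "openssl x509 -req" so that no openssl_local.cfg is needed.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=Demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=expressway.example.com" \
        -keyout "$1/server.key" -out "$1/certcsr.pem" 2>/dev/null &&
    openssl x509 -req -sha256 -days 1 -set_serial 1 -in "$1/certcsr.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -out "$1/server.pem" 2>/dev/null
}

# Usage: sh check.sh cacert.pem certs/server.pem certcsr.pem
if [ "$#" -eq 3 ]; then check_signed_cert "$@"; fi
```

Run from the demoCA directory, the three arguments are the files named in the steps above; a key mismatch means the wrong request was signed.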
Creating self-signed certificates using OpenSSL
We do not recommend creating self-signed certificates. They will not work in Unified Communications deployments.
Instead you should create a Certificate Authority using OpenSSL as described above.
Cisco Expressway Certificate Creation and Use
Appendix 2: Certificate generation using OpenSSL only