Cisco Cisco Expressway

Authorizing a request and generating a certificate
using Microsoft Certification Authority

This section describes how to authorize a certificate request and generate a PEM certificate file using
Microsoft Certification Authority.

1. Copy the certificate request file (for example, certcsr.der if generated via OpenSSL) to a location, such as

the desktop, on the server where the Microsoft Certification Authority application is installed.

2. Submit the certificate request from a command prompt:

To generate a certificate with Server Authentication and Client Authentication, which is required if you
want to configure a neighbor or traversal zone with mutual authentication (TLS verify mode), type:
certreq -submit -attrib “CertificateTemplate:Webclientandserver”

C:\Users\<user>\Desktop\certcsr.der
See

Configuring Windows Server Manager with a "client and server" certificate template [p.21]

for

details about how to set up the Webclientandserver certificate template.

To generate a certificate with Server Authentication only, type:
certreq -submit -attrib “CertificateTemplate:WebServer”

C:\Users\<user>\Desktop\certcsr.der

This triggers the Certification Authority window to open:

Note that the command must be run as the administrator user.

3. Select the Certification Authority to use (typically only one is offered) and click OK.

4. When requested, save the certificate (browse to the required folder if the default Libraries > Documents

folder is not to be used) calling it server.cer for example.

5. Rename server.cer to server.pem for use with the Expressway.

Get the Microsoft CA certificate

1. In your web browser, go to <IP or URL of the Microsoft Certificate Server>/certsrv and log in.

2. Select

Download a CA certificate, certificate chain or CRL

Cisco Expressway Certificate Creation and Use

Page 7 of 25

Authorizing a request and generating a certificate using Microsoft Certification Authority