Cisco TelePresence Video Communication Server Expressway
7. Uncomment the line “# req_extensions = v3_req” by removing the # at the start of it
8. Make sure that the line “extendedKeyUsage=serverAuth, clientAuth” is present within the
section [v3_req].
9. Find the line “subjectAltName = ${ENV::CSR_ALT_NAME}” and replace it such that it lists what you
want in the Subject Alternative Names in the certificate e.g. “subjectAltName =
DNS:peer1vcs.example.com,DNS:peer2vcs.example.com,DNS:ClusterFQDN.example.com”.
Make sure you add all the additional relevant entries. For MRA this may comprise:
a. Expressway E: DNS:<CM domain name>, DNS:<XMPP federation domain>,
DNS:<federation chat alias 1>, DNS:<federation chat alias 2>, etc.
b. Expressway C: DNS:<secure profile name 1>, DNS:<secure profile name 2>, etc.
10. Now save the file and exit.
11. Run the following OpenSSL command to generate a new CSR and Private key for the VCS “openssl
req -nodes -newkey rsa:4096 -keyout privatekey.pem -out myrequest.csr -config csrreq.cnf”
changing the rsa:nnnn if required. (nnnn = keylength, recommended number is 4096).
12. On the screen you will get output similar to what follows; some fields can, and should, be left blank.
When this is complete, there will be two new files, myrequest.csr and privatekey.pem. The required fields
that should be completed are:
• Country
• State and province
• Locality name
• Organization name
• Common name - this is the VCS cluster FQDN if the certificate is for a cluster of VCSs or it is the
FQDN of the VCS if the certificate is for a single VCS
• Email address - optional, can leave blank
• A challenge password - optional, can leave blank
• An optional company name - optional, can leave blank
Generating a 4096 bit RSA private key
............++
..................................................++
writing new private key to 'privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Berkshire
Locality Name (eg, city) []:Reading
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
Organizational Unit Name (eg, section) []:CIBU
Common Name (eg, YOUR name) []:rusc01-et-xm030.rusclabs.cisco.com
Email Address []:
Cisco TelePresence VCS Certificate Creation and Use Deployment Guide (X8.5)
Appendix 2: Certificate generation using OpenSSL only
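Steps 7 to 12 can be run non-interactively and the result checked before the CSR goes to the CA. The script below is an added example, not part of the Cisco guide. It assumes a minimal stand-alone csrreq.cnf with "prompt = no" rather than the edited copy of openssl.cnf, and its DN values and example.com host names are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): write a minimal csrreq.cnf, generate
# the CSR and key without prompts, then confirm the CSR carries the SANs and EKUs.
# Assumptions: stand-alone config with "prompt = no"; DN values are constructed.

# usage: make_csr <workdir> <common-name> <san-list> [key-bits]
make_csr() (
  dir=$1 cn=$2 sans=$3 bits=${4:-4096}
  umask 077                      # key and CSR readable by the owner only
  cat > "$dir/csrreq.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C = GB
ST = Berkshire
L = Reading
O = Example Org
CN = $cn

[v3_req]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $sans
EOF
  openssl req -nodes -newkey "rsa:$bits" -keyout "$dir/privatekey.pem" \
    -out "$dir/myrequest.csr" -config "$dir/csrreq.cnf" 2>/dev/null
)

# usage: check_csr <csr-file> <dns-name>...   (non-zero exit on the first gap)
check_csr() (
  csr=$1; shift
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
    { echo "CSR self-signature did not verify"; exit 1; }
  text=$(openssl req -in "$csr" -noout -text) || exit 1
  # The SAN list is printed on the line after its extension header.
  sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' |
         tr -d ' ' | tr ',' '\n')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$name" ||
      { echo "missing SAN: $name"; exit 1; }
  done
  for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    printf '%s\n' "$text" | grep -Fq "$eku" || { echo "missing EKU: $eku"; exit 1; }
  done
)
```

A CSR generated while the req_extensions line is still commented out passes the signature check but has no SANs, which is the case check_csr is meant to catch.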