Cisco ISA550W Integrated Security Appliance Installation Guide

© 2012 Cisco Systems, Inc. All rights reserved.
Page 3 of 15
Generating a Certification Authority and Root Certificate
To create your own SSL certificates, you need a Certification Authority (CA). A CA is required to sign a digital certificate.
You can purchase a certificate generated by a trusted CA, or you can generate your own by using a third-party tool such as OpenSSL. OpenSSL is a cryptography toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography.
When creating a certificate, the CA produces a root certificate and a private key. The root certificate, together with its private key, can be used to sign other certificates or a Certificate Signing Request (CSR). All root CA certificates are self-signed.
The following example shows how to use the Ubuntu Linux OS and the OpenSSL tool to generate an SSL certificate.
NOTE: Before generating an OpenSSL CA, you may want to edit your openssl.cnf file to save time. This file is used each time you run OpenSSL and stores the default values that you are prompted for during the certificate process.
Step 1.
From Ubuntu, install the OpenSSL package.
root@ubuntu> apt-get install openssl 
The OpenSSL package includes a Perl script called CA.pl. This script supplies the relevant command line arguments to the openssl command for common certificate operations.
Step 2.
Locate this file; it is installed under the /usr/lib/ssl or /usr/lib/ssl/misc directory. Modify the script as shown in the example. This modification makes CA.pl pass /etc/openssl.cnf to openssl as its configuration file ($SSLEAY_CONFIG) and directs all output to the /var/ssl directory ($CATOP).
$SSLEAY_CONFIG="-config /etc/openssl.cnf";   # use /etc/openssl.cnf instead of the default configuration
#$CATOP="./demoCA";                          # original default CA directory, commented out
$CATOP="/var/ssl";                           # keep all CA files under /var/ssl
Step 3.
Add the CA.pl file to the /var/ssl directory.
root@ubuntu:/usr/lib/ssl> cp CA.pl /var/ssl/CA.pl
Step 4.
Add the openssl.cnf file to the /etc directory.
root@ubuntu:/usr/lib/ssl> cp openssl.cnf /etc/openssl.cnf 
Step 5.
(Optional) Edit the openssl.cnf file and modify the default values to your own preferences. We recommend that you copy or back up the CA.pl file and the openssl.cnf file before editing them.
dir                             = /var/ssl              # Where everything is kept
...
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = TX
localityName                    = Locality Name (eg, city)
localityName_default            = RCDN
organizationName                = Organization Name (eg, company)
organizationName_default        = Cisco SBTG
You are now ready to create the CA.
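The procedure above carried out with plain openssl commands rather than CA.pl, as an added example that is not part of the Cisco guide. It assumes openssl is installed (Step 1), uses a temporary directory instead of /var/ssl unless CA_DIR is set (writing to /var/ssl needs root), writes its own small openssl.cnf with the Step 5 defaults, and the certificate names Example Root CA and isa550w.example.test are constructed placeholders. It goes slightly beyond the page: after creating the self-signed root it checks that issuer and subject really match, and then signs a CSR with the root key, which is the use the text says the root certificate and key exist for.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: performs the procedure above with
# plain openssl commands instead of CA.pl. It builds the directory layout that
# CA.pl / "openssl ca" expect, writes a small openssl.cnf with the defaults from
# Step 5, creates the self-signed root certificate and private key, and then
# signs a CSR with that root.
# Assumptions: openssl is on PATH; the CA directory is a temporary directory
# (set CA_DIR to use /var/ssl as in the guide, which needs root); the CN values
# and the hostname isa550w.example.test are constructed for the demonstration.

set -eu

# Create the layout "openssl ca" needs: certs, crl, newcerts, private,
# an empty index.txt database and a starting serial number.
make_ca_layout() {
    ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"              # the CA key lives here; owner-only
    : > "$ca_dir/index.txt"
    [ -f "$ca_dir/serial" ] || echo 01 > "$ca_dir/serial"
}

# Write a minimal config equivalent to the Step 5 edits: the same DN defaults,
# plus the extensions that mark the root as a CA. "prompt = no" means the DN
# is taken from the file rather than asked for interactively.
write_ca_config() {
    ca_dir=$1
    cat > "$ca_dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
C  = US
ST = TX
L  = RCDN
O  = Cisco SBTG
CN = Example Root CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
}

# Generate the CA private key and the self-signed root certificate in one step.
make_root_ca() {
    ca_dir=$1
    days=${2:-3650}
    make_ca_layout "$ca_dir"
    write_ca_config "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -config "$ca_dir/openssl.cnf" \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        >/dev/null 2>&1
    chmod 400 "$ca_dir/private/cakey.pem"    # never leave the root key readable by others
}

# A root CA certificate is self-signed: issuer equals subject and it verifies
# against itself. Returns 0 only when both hold.
check_root_ca() {
    cert=$1
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Throwaway server key and CSR for the appliance (constructed hostname).
make_server_csr() {
    ca_dir=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$ca_dir/openssl.cnf" \
        -subj "/C=US/ST=TX/L=RCDN/O=Cisco SBTG/CN=isa550w.example.test" \
        -keyout "$ca_dir/server.key" -out "$ca_dir/server.csr" >/dev/null 2>&1
}

# Sign a CSR with the root key; the resulting certificate chains to cacert.pem.
sign_csr() {
    ca_dir=$1; csr=$2; out_cert=$3
    openssl x509 -req -in "$csr" -sha256 -days 825 \
        -CA "$ca_dir/cacert.pem" -CAkey "$ca_dir/private/cakey.pem" \
        -CAcreateserial -out "$out_cert" >/dev/null 2>&1
}

main() {
    ca_dir=${CA_DIR:-$(mktemp -d)}
    make_root_ca "$ca_dir"
    check_root_ca "$ca_dir/cacert.pem"
    echo "root CA is self-signed and verifies: $ca_dir/cacert.pem"
    make_server_csr "$ca_dir"
    sign_csr "$ca_dir" "$ca_dir/server.csr" "$ca_dir/server.crt"
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/server.crt"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found on PATH; install it first (Step 1)" >&2
fi
```

The directory layout it creates (certs, crl, newcerts, private, index.txt, serial) is the same one CA.pl populates under $CATOP, so the files can later be used with openssl ca as well. The root key is written with mode 400 because anyone who can read it can issue certificates the appliance will trust.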