Cisco AMP Threat Grid 5004 Appliance Installation Guide
Connecting with a Threat Grid Appliance
SSL CERTIFICATES AND THREAT GRID APPLIANCES
NOTE: OpenSSL is not a Cisco product, and Cisco provides no technical support for it. Search the Web for additional information on using OpenSSL. Cisco offers an SSL library, Cisco SSL, for generating SSL certificates.
    openssl req -x509 -days 3650 -newkey rsa:4096 -keyout tgapp.key -nodes -out tgapp.cert -subj "/C=US/ST=New York/L=Brooklyn/O=Acme Co/CN=tgapp.acmeco.com"
• openssl: OpenSSL.
• req: Specifies that we want to use X.509 certificate signing request (CSR) management. "X.509" is a public key infrastructure standard that SSL and TLS use for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
• -x509: This modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
• -days 3650: This option sets the length of time for which the certificate will be considered valid. Here we set it for 10 years.
• -newkey rsa:4096: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:4096 portion tells it to make an RSA key that is 4096 bits long.
• -keyout: This tells OpenSSL where to place the generated private key file that we are creating.
• -nodes: This tells OpenSSL to skip the option to secure our private key with a passphrase. The appliance needs to be able to read the key file without user intervention when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
• -out: This tells OpenSSL where to place the certificate that we are creating.
• -subj: Example:
    C=US: Country.
    ST=New York: State.
    L=Brooklyn: Location.
    O=Acme Co: Owner's name.
    CN=tgapp.acmeco.com: Enter the Threat Grid Appliance FQDN ("Fully Qualified Domain Name"). This is the HOSTNAME of the Threat Grid Appliance ("tgapp" in our example) with the associated domain name ("acmeco.com") appended to the end.
IMPORTANT: You will need to change at the very least the Common Name to match the FQDN of the Threat Grid Appliance Clean interface.
Once the new SSL certificate is generated, use the SSL page Upload button to upload it to the Threat Grid Appliance, and also upload it to the ESA/WSA appliance (.cert only).
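The following script is an added example, not part of the Cisco guide: it runs the guide's openssl command for a given FQDN and then checks the output before upload, so that a certificate still carrying the example Common Name, a passphrase-protected key, or a key of the wrong size is caught on the workstation rather than on the appliance. The function names, the "Acme Co" subject fields and tgapp.acmeco.com are the guide's example values or assumptions made here.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: run the guide's openssl command for a
# given FQDN, then verify the files before uploading them. "Acme Co" and
# tgapp.acmeco.com are the guide's example values; use the real Clean FQDN.

# Generate the private key and self-signed certificate into OUTDIR.
gen_tg_cert() {
    fqdn="$1"; outdir="$2"
    openssl req -x509 -days 3650 -newkey rsa:4096 -nodes \
        -keyout "$outdir/tgapp.key" -out "$outdir/tgapp.cert" \
        -subj "/C=US/ST=New York/L=Brooklyn/O=Acme Co/CN=$fqdn" 2>/dev/null
}

# Print the subject CN (default subject format of OpenSSL 1.0/1.1/3.x, where
# CN is the last component); check_cn returns 0 if it equals the expected FQDN.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
check_cn() { [ "$(cert_cn "$1")" = "$2" ]; }

# 0 if the name has a domain part, i.e. is an FQDN and not a bare hostname.
is_fqdn() { case "$1" in *.*) return 0 ;; *) return 1 ;; esac; }

# 0 if the key loads with no passphrase (what -nodes guarantees, needed for
# unattended appliance restarts).
key_unencrypted() { openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1; }
# 0 if the certificate carries a 4096-bit key, as requested by rsa:4096.
key_is_4096() { openssl x509 -in "$1" -noout -text | grep -q 'Public-Key: (4096 bit)'; }

# 0 if the certificate is self-signed (issuer equals subject) and not expired.
cert_self_signed_valid() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer//')
    [ "$subj" = "$issr" ] && openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run every check; the first failure is reported and the function returns 1.
verify_tg_cert() {
    cert="$1"; key="$2"; fqdn="$3"
    is_fqdn "$fqdn"                || { echo "not an FQDN: $fqdn"; return 1; }
    check_cn "$cert" "$fqdn"       || { echo "CN $(cert_cn "$cert") != $fqdn"; return 1; }
    key_unencrypted "$key"         || { echo "key has a passphrase"; return 1; }
    key_is_4096 "$cert"            || { echo "key is not 4096 bits"; return 1; }
    cert_self_signed_valid "$cert" || { echo "not self-signed or expired"; return 1; }
    echo "ok: $cert is ready to upload for $fqdn"
}

# Stand-alone use: sh tgcert.sh <fqdn> [outdir]; does nothing without an FQDN.
if [ -n "${1:-}" ]; then
    out="${2:-.}"; gen_tg_cert "$1" "$out" && verify_tg_cert "$out/tgapp.cert" "$out/tgapp.key" "$1"
fi
```

Only tgapp.cert is uploaded to the ESA/WSA; tgapp.key stays with the Threat Grid Appliance upload.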