Cisco Headend Digital Broadband Delivery System
Introduction to DNCS HTTPS Certificates
4034689 Rev A
71
Introduction to DNCS HTTPS Certificates
This section describes the files required and options available to implement TLS/SSL
on the DNCS.
on the DNCS.
Certificate File Overview
Implementation of the SSL/TLS protocol to secure the connection between a DNCS
and an external client, such as billing systems and STB staging clients, requires
certificates.
and an external client, such as billing systems and STB staging clients, requires
certificates.
The following is a high-level overview of the certificate files required on an HTTP-S
server and client, and how they are created:
server and client, and how they are created:
Private Key — A private key file must be created for the HTTP-S server. This file
must be well guarded and should never leave the HTTP-S server. It is preferable
to generate the private key file on the HTTP-S server itself. The private key file is
typically identified by the .key extension.
must be well guarded and should never leave the HTTP-S server. It is preferable
to generate the private key file on the HTTP-S server itself. The private key file is
typically identified by the .key extension.
Certificate Signing Request (CSR) — A CSR file must be created for the HTTP-S
server for the certification authority (CA) to sign. This file includes the HTTP-S
server identity information and a public key. The CSR is digitally signed
(encrypted hash) with the private key. The CSR file is sent to the CA to sign. The
CSR file is typically identified by the .csr extension.
server for the certification authority (CA) to sign. This file includes the HTTP-S
server identity information and a public key. The CSR is digitally signed
(encrypted hash) with the private key. The CSR file is sent to the CA to sign. The
CSR file is typically identified by the .csr extension.
HTTP-S Server Certificate — The CA receives the CSR file and, if necessary,
verifies that the originator of the CSR is genuine; that is, the sender of the CSR is
who they say they are. The CA will then digitally sign the CSR with the private
key of the CA. This creates the certificate file for the HTTP-S server. The
certificate file is typically identified by the .crt extension.
verifies that the originator of the CSR is genuine; that is, the sender of the CSR is
who they say they are. The CA will then digitally sign the CSR with the private
key of the CA. This creates the certificate file for the HTTP-S server. The
certificate file is typically identified by the .crt extension.
HTTP-S Client Certificate — If Client Authentication is required by the HTTP-S
server, then a client certificate must be created. The same steps outlined in the
previous three items can be used to create the client certificate. Note that you can
use the one certificate for both the server certificate and client certificate.
server, then a client certificate must be created. The same steps outlined in the
previous three items can be used to create the client certificate. Note that you can
use the one certificate for both the server certificate and client certificate.
Certification Authority Certificates — The certification authority, also known as
the Certificate Authority (CA), will have one or more self-signed certificates, the
root certificates, and possibly intermediate certificates, which are CA certificates
signed using a root certificate or another intermediate certificate. These
certificates contain information about the CA, including the CA's common name,
the CA's public key, and are digitally signed with the appropriate CA private
key. The CA can be you, someone in your company, or can be a commercial CA
such as VeriSign.
the Certificate Authority (CA), will have one or more self-signed certificates, the
root certificates, and possibly intermediate certificates, which are CA certificates
signed using a root certificate or another intermediate certificate. These
certificates contain information about the CA, including the CA's common name,
the CA's public key, and are digitally signed with the appropriate CA private
key. The CA can be you, someone in your company, or can be a commercial CA
such as VeriSign.