Cisco Cisco Expressway Manuale Di Manutenzione
■
between two Expressway systems, either Expressway may be the client with the other Expressway being the
TLS server
TLS server
■
via HTTPS, the web browser is the client and the Expressway is the server
TLS can be difficult to configure. For example, when using it with an LDAP server we recommend that you confirm
the system is working correctly over TCP before attempting to secure the connection with TLS. We also recommend
using a third party LDAP browser to verify that your LDAP server is correctly configured for TLS.
the system is working correctly over TCP before attempting to secure the connection with TLS. We also recommend
using a third party LDAP browser to verify that your LDAP server is correctly configured for TLS.
Note:
Be careful not to allow your CA certificates or CRLs to expire. This may cause certificates signed by those CAs
to be rejected.
Certificate and CRL files can only be managed via the web interface. They cannot be installed using the CLI.
Managing the Trusted CA Certificate List
The Trusted CA certificate page (Maintenance > Security certificates > Trusted CA certificate) allows you to
manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway. When a TLS
connection to Expressway mandates certificate verification, the certificate presented to the Expressway must be
signed by a trusted CA in this list and there must be a full chain of trust (intermediate CAs) to the root CA.
manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway. When a TLS
connection to Expressway mandates certificate verification, the certificate presented to the Expressway must be
signed by a trusted CA in this list and there must be a full chain of trust (intermediate CAs) to the root CA.
■
To upload a new file containing one or more CA certificates, Browse to the required PEM file and click
Append CA certificate. This will append any new certificates to the existing list of CA certificates. If you are
replacing existing certificates for a particular issuer and subject, you have to manually delete the previous
certificates.
Append CA certificate. This will append any new certificates to the existing list of CA certificates. If you are
replacing existing certificates for a particular issuer and subject, you have to manually delete the previous
certificates.
■
To replace all of the currently uploaded CA certificates with the system's original list of trusted CA certificates,
click Reset to default CA certificate.
click Reset to default CA certificate.
■
To view the entire list of currently uploaded trusted CA certificates, click Show all (decoded) to view it in a
human-readable form, or click Show all (PEM file) to view the file in its raw format.
human-readable form, or click Show all (PEM file) to view the file in its raw format.
■
To view an individual trusted CA certificate, click on View (decoded) in the row for the specific CA certificate.
■
To delete one or more CA certificates, tick the box(es) next to the relevant CA certificate(s) and click Delete.
Note:
(for account authentication), you must add the PEM encoded CRL data to your trusted CA certificate file.
Managing the Expressway's Server Certificate
The Server certificate page (Maintenance > Security certificates > Server certificate) is used to manage the
Expressway's server certificate. This certificate is used to identify the Expressway when it communicates with client
systems using TLS encryption, and with web browsers over HTTPS. You can:
Expressway's server certificate. This certificate is used to identify the Expressway when it communicates with client
systems using TLS encryption, and with web browsers over HTTPS. You can:
■
view details about the currently loaded certificate
■
generate a certificate signing request
■
upload a new server certificate
Note:
We highly recommend using certificates based on RSA keys. Other types of certificate, such as those
based on DSA keys, are not tested and may not work with the Expressway in all scenarios.
Viewing the currently uploaded certificate
The Server certificate data section shows information about the server certificate currently loaded on the
Expressway.
Expressway.
■
To view the currently uploaded server certificate file, click Show (decoded) to view it in a human-readable
form, or click Show (PEM file) to view the file in its raw format.
form, or click Show (PEM file) to view the file in its raw format.
258
Cisco Expressway Administrator Guide
Maintenance