Cisco Cisco TelePresence Video Communication Server Expressway

Figure 2: Entering subject alternative names for Unified CM registration domains, XMPP federation domains,
and chat node aliases, on the VCS Expressway's CSR generator

Authorizing a request and generating a certificate using Microsoft
Certification Authority

This section describes how to authorize a certificate request and generate a PEM certificate file using Microsoft
Certification Authority.

Note:

The Microsoft Certification Authority must be able to generate a certificate that can be used for mutual

authentication of the VCS as client or server.

Windows Server 2008 Standard R2 has certificate templates for this purpose, but earlier versions of Windows Server
Standard Edition are not suitable.

Copy the certificate request file (for example, certcsr.der if generated via OpenSSL) to a location, such as the
desktop, on the server where the Microsoft Certification Authority application is installed.

Submit the certificate request from a command prompt:

—

To generate a certificate with Server Authentication and Client Authentication, which is required if you want to
configure a neighbor or traversal zone with mutual authentication (TLS verify mode), type:

certreq -submit -attrib “CertificateTemplate:Webclientandserver”
C:\Users\<user>\Desktop\certcsr.der

See

Appendix 5: Configuring Windows Server Manager with a "client and server" certificate template, page 29

for details about how to set up the

Webclientandserver

certificate template.

—

To generate a certificate with Server Authentication only, type:

certreq -submit -attrib “CertificateTemplate:WebServer” C:\Users\<user>\Desktop\certcsr.der

This triggers the Certification Authority window to open:

Note that the command must be run as the administrator user.

Cisco VCS Certificate Creation and Use Deployment Guide