Cisco Cisco TelePresence Video Communication Server Expressway
Certificate generation process using OpenSSL
Cisco VCS Deployment Guide: Certificate creation and use with Cisco VCS
Page 11 of 33
Certificate generation process using OpenSSL
This section describes first the process for generating a private key and certificate request for the
Cisco VCS using OpenSSL. This is a generic process that only relies on the free OpenSSL package
and not on any other software. It is appropriate when certificates are required for interfacing with
neighboring devices where the Microsoft Lync and OCS tools are not available, for test purposes, and
for providing output to interact with Certificate Authorities.
Cisco VCS using OpenSSL. This is a generic process that only relies on the free OpenSSL package
and not on any other software. It is appropriate when certificates are required for interfacing with
neighboring devices where the Microsoft Lync and OCS tools are not available, for test purposes, and
for providing output to interact with Certificate Authorities.
The output for the certificate request generation process can be given to a Certificate Authority that
may be internal or external to the organization, and which can be used to produce the X.509
certificates that can be used to authenticate the Cisco VCS to neighboring devices.
may be internal or external to the organization, and which can be used to produce the X.509
certificates that can be used to authenticate the Cisco VCS to neighboring devices.
This section also briefly describes how OpenSSL could be used to manage a private Certificate
Authority, but does not intend to be comprehensive. Various components of these processes can be
used when interfacing with third party CAs.
Authority, but does not intend to be comprehensive. Various components of these processes can be
used when interfacing with third party CAs.
OpenSSL and Mac OS X or Linux
OpenSSL is already installed on Mac OS X, and is usually installed on Linux.
OpenSSL and Windows
If you do not have OpenSSL already installed, this is available as a free download from
Choose the relevant 32 bit or 64 bit OpenSSL – the ‘Light’ version is all that is needed.
If you receive a warning while installing OpenSSL that C++ files cannot be found, load the “Visual C++
Redistributables” also available on this site and then re-load the OpenSSL software.
Redistributables” also available on this site and then re-load the OpenSSL software.
Create a certificate request using OpenSSL
This process will create a private key and certificate request for the server that can then be validated
by a CA. This could be a CA that has been created and managed locally, or a third-party CA.
by a CA. This could be a CA that has been created and managed locally, or a third-party CA.
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory)
For Mac OS X or Linux: stay in the root of the user’s directory.
2. For Windows: copy openssl.cfg to openssl_vcs.cfg
For Mac OS X: copy /System/Library/OpenSSL/openssl.cnf to the user’s current directory as
openssl_vcs.cfg
For Linux: copy /etc/ssl/openssl.cnf to the user’s current directory as openssl_vcs.cfg
openssl_vcs.cfg
For Linux: copy /etc/ssl/openssl.cnf to the user’s current directory as openssl_vcs.cfg
3. If the certificate is for a cluster of VCSs:
a. Use a text editor to edit the openssl_vcs.cfg file that was created by the above copy
command, and ensure that the line:
“req_extensions = v3_req # The extensions to add to a certificate request”
has no
#
at the beginning of the line – delete the
#
if it is there.
b. Scroll down to the “
[ v3_req ]
” section and below this section title add:
subjectAltName="DNS:<FQDN of VCS cluster>,DNS:<FQDN of VCS peer 1>,DNS:<FQDN
of VCS peer 2>,DNS:<FQDN of VCS peer n>"
of VCS peer 2>,DNS:<FQDN of VCS peer n>"
as the bottom line of this section (before) “
[ v3_ca ]
”, filling in the details for the VCS
deployment as appropriate.
c.
Save the file.
No changes need to be made to the openssl_vcs.cfg file if the certificate is for a single VCS.
4. Generate a private key by running the following command:
openssl genrsa -out privatekey.pem 2048