Cisco Cisco TelePresence Video Communication Server Expressway
Introduction
Cisco VCS Deployment Guide: Certificate creation and use with Cisco VCS
Page 4 of 33
Introduction
Objectives and intended audience
This deployment guide provides instructions on how to create X.509 cryptographic certificates for use
with the Cisco TelePresence Video Communication Server (Cisco VCS), and how to load them into
Cisco VCS.
with the Cisco TelePresence Video Communication Server (Cisco VCS), and how to load them into
Cisco VCS.
PKI Introduction
Public Key Infrastructure (PKI) provides the mechanisms through which communications can be
secured (encrypted and integrity protected) and identities can be verified. Underlying PKI is:
secured (encrypted and integrity protected) and identities can be verified. Underlying PKI is:
A public/private key pair
A public key is used to encrypt data sent to a server, but only the private key (kept secret by the
server) can be used to decrypt it.
server) can be used to decrypt it.
Signatures of data
Data can be “signed” by a server, by using a combination of a cryptographic hash of the data and
the server’s private key. A client can verify the signature by using the server’s public key and
verifying the same hash. This ensures the data has been sent from the expected server, and has
not been tampered with.
the server’s private key. A client can verify the signature by using the server’s public key and
verifying the same hash. This ensures the data has been sent from the expected server, and has
not been tampered with.
Certificates
A certificate is a wrapper around a public key, and provides information about the owner of the
key. This metadata is provided in X.509 format, and typically includes the server name and
contact details for the owner.
key. This metadata is provided in X.509 format, and typically includes the server name and
contact details for the owner.
A certificate chain
A certificate can be signed by a Certificate Authority (CA) using its own private key. In turn,
therefore, a certificate can be verified as being signed by a CA by checking the signature against
the CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that
they trust, and can thus verify the certificates of individual servers.
therefore, a certificate can be verified as being signed by a CA by checking the signature against
the CA’s certificate (public key). Web browsers and other clients have a list of CA certificates that
they trust, and can thus verify the certificates of individual servers.
Transport Layer Security (TLS) is the standard mechanism for securing a TCP connection between
hosts on a TCP/IP network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify
traffic. The following is an overview of certificate use with TLS:
hosts on a TCP/IP network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify
traffic. The following is an overview of certificate use with TLS:
1. An initial TCP connection is made, and the client sends its capabilities (including cipher suites)
and a random number.
2. The sever responds with its choice of those capabilities, another random number, and its
certificate.
3. The client verifies that the server certificate was issued (signed) by a CA that it trusts.
4. The client sends a “pre-master secret”, encrypted with the server’s public key.
5. This pre-master secret, combined with the exchanged random numbers (to prevent replay
attacks), is used to generate a “master secret”, with which the remaining communications of this
TLS session are encrypted between the client and server.
TLS session are encrypted between the client and server.
The following sections provide a brief overview of how these PKI components can be used with the
Cisco VCS.
Cisco VCS.
Overview of certificate use on the Cisco VCS
Cisco VCS needs certificates for:
Secure HTTP with TLS (HTTPS) connectivity