Cisco TelePresence Video Communication Server Expressway
Certificate generation process using Microsoft Certification Authority and OpenSSL
Cisco VCS Deployment Guide: Certificate creation and use with Cisco VCS
This procedure uses OpenSSL to create a certificate request, and uses the Microsoft Certification Authority application to generate the signed server certificate.
Create a certificate request using OpenSSL
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory)
   For Mac OS X: stay in the root of the user’s directory.
2. For Windows: copy openssl.cfg to openssl_vcs.cfg
   For Mac OS X: copy /system/library/openssl/openssl.cnf to the root of the user’s directory as openssl_vcs.cfg
3. If the certificate is for a cluster of VCSs:
   a. Use a text editor to edit the openssl_vcs.cfg file that was created by the above copy command, and ensure that the line:
      req_extensions = v3_req # The extensions to add to a certificate request
      has no # at the beginning of the line; delete the # if it is there.
   b. Scroll down to the “[ v3_req ]” section and below this section title add:
      subjectAltName="DNS:<FQDN of VCS cluster>,DNS:<FQDN of VCS peer 1>,DNS:<FQDN of VCS peer 2>,DNS:<FQDN of VCS peer n>"
      as the bottom line of this section (before “[ v3_ca ]”), filling in the details for the VCS deployment as appropriate (cluster FQDN and FQDNs of all peers).
   c. Save the file.
   No changes need to be made to the openssl_vcs.cfg file if the certificate is for a single VCS.
4. Generate a private key by running the following command:
   openssl genrsa -out privatekey.pem 2048
   The privatekey.pem file will be used to create the certificate request and will also be required for loading into the VCS. The file is created in the directory that the openssl command is run from.
5. Generate a certificate request (suitable for use with Microsoft Certification Authority) by running the following command:
   openssl req -new -key privatekey.pem -config openssl_vcs.cfg -out certcsr.der -outform DER
6. Enter the data requested, including:
   • Country
   • State or province
   • Locality name
   • Organization name
   • Organizational unit
   • Common name – this is the VCS cluster FQDN if the certificate is for a cluster of VCSs or it is the FQDN of the VCS if the certificate is for a single VCS
   • Email address – optional, can leave blank
   • A challenge password – optional, can leave blank
   • An optional company name – optional, can leave blank
After entering the requested data, the certificate request file certcsr.der is now available.
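Added example (not part of the Cisco guide): a POSIX shell script that runs steps 3 to 5 for a cluster without prompts and then checks, before the request is submitted to the CA, that certcsr.der lists every expected subjectAltName entry and was made with privatekey.pem. The example.com FQDNs, the minimal configuration written in place of an edited openssl.cnf copy, the "prompt = no" setting and the function names make_csr and check_csr are assumptions for illustration.

```shell
#!/bin/sh
# Added example: steps 3-5 without prompts, then a check before CA submission.
# FQDNs are constructed placeholders, not values from the guide.
CLUSTER_FQDN="vcs-cluster.example.com"
PEER_FQDNS="vcs1.example.com vcs2.example.com"

make_csr() {  # $1 = directory to write the config, key and request into
    dir=$1
    san="DNS:$CLUSTER_FQDN"
    for p in $PEER_FQDNS; do san="$san,DNS:$p"; done
    # Assumption: a minimal config stands in for the edited openssl.cnf copy,
    # and "prompt = no" replaces the interactive questions of step 6.
    cat > "$dir/openssl_vcs.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = $CLUSTER_FQDN
[ v3_req ]
subjectAltName = $san
EOF
    # The private key is made readable by its owner only before it is used.
    openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null &&
    chmod 600 "$dir/privatekey.pem" &&
    openssl req -new -key "$dir/privatekey.pem" -config "$dir/openssl_vcs.cfg" \
        -out "$dir/certcsr.der" -outform DER
}

check_csr() {  # $1 = directory; returns 0 only if SANs and key both match
    dir=$1
    text=$(openssl req -in "$dir/certcsr.der" -inform DER -noout -text) || return 1
    for name in $CLUSTER_FQDN $PEER_FQDNS; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" ||
            { echo "missing subjectAltName entry: $name" >&2; return 1; }
    done
    # The request must carry the public half of the key that goes onto the VCS.
    csr_mod=$(openssl req -in "$dir/certcsr.der" -inform DER -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$dir/privatekey.pem" -noout -modulus) || return 1
    [ "$csr_mod" = "$key_mod" ]
}

work=$(mktemp -d) && make_csr "$work" && check_csr "$work" &&
    echo "certcsr.der in $work is ready to submit"
```

A missing subjectAltName entry usually means the req_extensions line in openssl_vcs.cfg is still commented out, which OpenSSL accepts silently.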