Cisco TelePresence Video Communication Server Expressway
Loading certificates and keys onto VCS
The VCS uses standard X.509 certificates. The certificate information must be supplied to the VCS in PEM
format. Typically 3 elements are loaded:
- The server certificate (which is generated by the certificate authority, identifying the ID of the certificate
  holder, and should be able to act as both a client and server certificate).
- The private key (used to sign data sent to the client, and decrypt data sent from the client, encrypted with
  the public key in the server certificate). This must only be kept on the VCS and backed up in a safe place –
  security of the TLS communications relies upon this being kept secret.
- A list of certificates of trusted certificate authorities.
Note: New installations of VCS software (from X8.1 onwards) ship with a temporary trusted CA, and a server
certificate issued by that temporary CA. We strongly recommend that you replace the server certificate with
one generated by a trusted certificate authority, and that you install CA certificates for the authorities that you
trust.
Loading a server certificate and private key onto VCS
The VCS’s server certificate is used to identify the VCS when it communicates with client systems using
TLS encryption, and with web browsers over HTTPS.
To upload a server certificate:
1. Go to Maintenance > Security certificates > Server certificate.
2. Use the Browse button in the Upload new certificate section to select and upload the server certificate
   PEM file.
3. If you used an external system to generate the Certificate Signing Request (CSR) you must also upload
   the server private key PEM file that was used to encrypt the server certificate. (The private key file will
   have been automatically generated and stored earlier if the VCS was used to produce the CSR for this
   server certificate.)
   - The server private key PEM file must not be password protected.
   - You cannot upload a server private key if a certificate signing request is in progress.
4. Click Upload server certificate data.
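Before step 2 and step 3, the two PEM files can be checked offline for the conditions stated above (PEM format, private key not password protected). The following is an added example, not part of the Cisco guide or VCS software; the function names are hypothetical and the sample PEM blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: label, optional RFC 1421 headers (legacy encryption), base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, encrypted, looks_like_der) for each PEM block in text."""
    out = []
    for label, inner in PEM_RE.findall(text):
        lines = inner.strip().splitlines()
        headers = [l for l in lines if ":" in l]
        body = "".join(l.strip() for l in lines if ":" not in l)
        # PKCS#8 marks encryption in the label, legacy OpenSSL PEM in Proc-Type.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        try:
            der = base64.b64decode(body, validate=True)
            ok = encrypted or der[:1] == b"\x30"  # plain DER starts with SEQUENCE
        except ValueError:
            ok = False
        out.append((label, encrypted, ok))
    return out

def preupload_problems(cert_pem, key_pem):
    """Return reasons the certificate/key pair is not ready to upload."""
    problems = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if not certs:
        problems.append("certificate file has no PEM CERTIFICATE block")
    if not keys:
        problems.append("key file has no PEM private key block")
    if any(enc for _, enc, _ in keys):
        problems.append("private key is password protected")
    if not all(ok for _, _, ok in certs + keys):
        problems.append("a block is not valid base64-encoded DER")
    return problems

def _fake(label, headers=""):
    # Constructed placeholder: SEQUENCE tag plus zero filler, not real key material.
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(60)).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

SAMPLE_CERT = _fake("CERTIFICATE")
SAMPLE_KEY_PLAIN = _fake("RSA PRIVATE KEY")
SAMPLE_KEY_PKCS8_ENC = _fake("ENCRYPTED PRIVATE KEY")
SAMPLE_KEY_LEGACY_ENC = _fake(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00FF\n\n")
print(preupload_problems(SAMPLE_CERT, SAMPLE_KEY_LEGACY_ENC))
```

This check uses only the Python standard library, so it does not confirm that the private key corresponds to the public key in the certificate; that comparison needs a cryptographic library or tool.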
The certificate signing request storage location changed in X8.
When you generate a CSR in X7, the application puts csr.pem and privkey_csr.pem into
/tandberg/persistent/certs.
When you generate a CSR in X8, the application puts csr.pem and privkey.pem into
/tandberg/persistent/certs/generated_csr.
If you want to upgrade from X7 and have an unsubmitted CSR, then we recommend discarding the
CSR before upgrade, and then regenerating the CSR after upgrade.
Cisco TelePresence VCS Certificate Creation and Use Deployment Guide (X8.5.2)