Cisco TelePresence Video Communication Server Expressway
3. If the certificate is for a cluster of VCSs:
a. Under the same “[ v3_req ]” section add:
subjectAltName="DNS:<FQDN of VCS cluster>,DNS:<FQDN of peer 1>,DNS:<FQDN of peer 2>,DNS:<FQDN of peer n>"
as the bottom line of this section (before “[ v3_ca ]”), filling in the details for the VCS deployment as
appropriate (cluster FQDN and FQDNs of all peers).
b. Save the file.
4. Generate a private key by running the following command:
openssl genrsa -out privatekey.pem 2048
The privatekey.pem file will be used to create the certificate request and will also be required for loading
into the VCS. The file is created in the directory that the openssl command is run from.
5. Generate a certificate request (suitable for use with Microsoft Certification Authority) by running the
following command:
openssl req -new -key privatekey.pem -config openssl_request.cfg -out certcsr.der -outform DER -sha1
6. Enter the data requested, including:
• Country
• State or province
• Locality name
• Organization name
• Organizational unit
• Common name - this is the VCS cluster FQDN if the certificate is for a cluster of VCSs or it is the
FQDN of the VCS if the certificate is for a single VCS
• Email address - optional, can leave blank
• A challenge password - optional, can leave blank
• An optional company name - optional, can leave blank
After entering the requested data, the certificate request file certcsr.der is now available.
To validate that DNS entries have been entered correctly into the request, the certcsr.der file can be
decoded using the command:
openssl req -text -noout -in certcsr.der -inform DER
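The following script is an added example and not part of the Cisco guide. It performs steps 3 to 6 end to end for a cluster: it writes a minimal request config whose [ v3_req ] section carries the cluster FQDN and every peer FQDN as subjectAltName entries, generates privatekey.pem and the DER certcsr.der, and then decodes the CSR to confirm each expected DNS name is present before the request is handed to a CA. The hostnames, DN values and the working directory are constructed placeholders; the config layout (req_extensions pointing at v3_req, prompt = no) is an assumption standing in for the guide's own openssl_request.cfg, and -sha256 is used instead of the guide's -sha1 because public and most internal CAs no longer accept SHA-1 signed requests.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: build a cluster CSR with DNS SANs
# and verify the SANs by decoding the DER request, as in steps 3-6.
set -eu

# Constructed placeholder values; replace with the real VCS deployment names.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLUSTER_FQDN="vcs-cluster.example.com"
PEER_FQDNS="vcs-peer1.example.com vcs-peer2.example.com"

# Write the request config (assumed layout, stands in for openssl_request.cfg).
# [ req ] must reference [ v3_req ] via req_extensions, otherwise the
# subjectAltName line is silently ignored and the CSR carries no SANs.
write_request_config() {
    san="DNS:${CLUSTER_FQDN}"
    for peer in $PEER_FQDNS; do
        san="${san},DNS:${peer}"
    done
    cat > "$WORKDIR/openssl_request.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = GB
ST = Example State
L = Example City
O = Example Org
OU = Video
CN = ${CLUSTER_FQDN}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = ${san}

[ v3_ca ]
basicConstraints = CA:TRUE
EOF
}

# Step 4 and 5: private key plus DER-encoded CSR (SHA-256 instead of SHA-1).
generate_key_and_csr() {
    openssl genrsa -out "$WORKDIR/privatekey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/privatekey.pem" \
        -config "$WORKDIR/openssl_request.cfg" \
        -out "$WORKDIR/certcsr.der" -outform DER -sha256
}

# Decode the DER CSR and confirm every FQDN given as an argument appears as a
# DNS SAN. Returns 0 when all are present, 1 and a message on the first miss.
check_csr_sans() {
    decoded=$(openssl req -text -noout -in "$WORKDIR/certcsr.der" -inform DER)
    for name in "$@"; do
        case "$decoded" in
            *"DNS:${name}"*) ;;
            *) echo "missing SAN in CSR: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Full run: config, key, CSR, then verify the cluster and all peer names.
build_and_verify() {
    write_request_config
    generate_key_and_csr
    check_csr_sans "$CLUSTER_FQDN" $PEER_FQDNS
}

build_and_verify && echo "certcsr.der in $WORKDIR carries all expected SANs"
```

Run it with `WORKDIR` set to a directory of your choice; the resulting privatekey.pem and certcsr.der are the two files the guide says to keep for loading into the VCS and for submission to the CA. The verification step is the one worth keeping in any certificate-renewal runbook: a CSR that silently lost its SANs is accepted by the CA without complaint, and the resulting certificate then fails TLS validation on every peer whose name is absent.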
This certificate request file can be passed to an internal or third-party Certificate Authority for generating the
X.509 certificate. OpenSSL can be used to operate a private CA, as described below.
Operating as a Certificate Authority using OpenSSL
A major deployment is likely to make use of a third-party certificate authority, or already have one internal to
an organization’s IT department. However, you can use OpenSSL to manage certificates in a private
certificate authority as outlined below.
Configuring OpenSSL to act as a CA
OpenSSL is powerful software, and when operating as a CA, requires a number of directories and databases
to be configured for tracking issued certificates.
The list of directories and files can be found in the openssl configuration file under the section [ CA_default ]. By default, the files/directories required to be created are:
Cisco TelePresence VCS Certificate Creation and Use Deployment Guide (X8.2)
Page 19 of 29
Appendix 2: Certificate generation using OpenSSL only