Cisco TelePresence Video Communication Server Expressway
- A demoCA directory in the current directory, with 3 subdirectories: certs, newcerts and private.
- An empty file called index.txt in the demoCA directory.
- A file called serial in the demoCA directory, storing a 2-digit number, such as “10”.
For example, use the commands:
mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial
Creating a Certificate Authority using OpenSSL
This process creates a private key and certificate of a Certificate Authority (CA), which can then be used to
validate other certificates. Note that this will not be trusted by devices outside of those on which it is
explicitly installed.
From a command prompt:
1. Ensure that you are in the demoCA directory.
2. For Windows: copy openssl.cfg from the directory where OpenSSL is installed to the demoCA directory
and rename it as openssl_local.cfg.
For Mac OS X: copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory and rename it as
openssl_local.cfg.
3. Use a text editor to edit the openssl_local.cfg file that was created by the above copy command. Make
the following modifications to the [CA_default] section:
a. Ensure that the line copy_extensions = copy does not have a # at the beginning of the line.
Delete the # if it is there. If the line remains commented out, it will strip attributes in the CSR and the
SSL Server and SSL Client attributes will not appear in the certificate.
b. Change policy = policy_match to policy = policy_anything
c. Change dir = ./demoCA to dir = .
d. Optionally, change default_days = 365 (1 year validity of the generated certificate)
to default_days = 3650 (10 years, or choose another suitable value).
e. Save the file.
4. Generate a private key for the CA by running the following command:
openssl genrsa -aes256 -out private/cakey.pem 4096
This will prompt for a password with which to encrypt the private key: choose a strong password and
record it in a safe place. The cakey.pem file will be used to create the CA certificate and to sign other
certificates and must also be kept secure.
5. Generate the CA certificate by running the following command.
For Windows: openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
For OS X: openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
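Steps 1 to 5 as one unattended script, added here as an example and not part of the Cisco guide. It writes a minimal stand-in for the edited openssl_local.cfg containing only the sections the CA needs (with the step 3 edits applied), answers the step 6 prompts through -subj, and signs the CA certificate with -sha256 rather than the guide's -sha1; the subject and password are constructed sample values.

```shell
# Added example (not from the Cisco guide): steps 1 to 5 of this appendix, unattended.
# The config is a minimal stand-in for the edited openssl.cnf; subject and password are constructed samples.
set -eu

setup_demoCA() {                      # layout, empty index.txt, serial "10"
  mkdir -p "$1/certs" "$1/newcerts" "$1/private"
  : > "$1/index.txt"
  echo 10 > "$1/serial"
}

write_ca_config() {                   # [CA_default] with the step 3 edits applied
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/cacert.pem
default_days    = 3650
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
[ policy_anything ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

check_ca_config() {                   # succeeds only if every step 3 edit is present
  grep -Eq '^copy_extensions *= *copy' "$1" &&
  grep -Eq '^policy *= *policy_anything' "$1" &&
  grep -Eq '^dir *= *\.$' "$1"
}

create_ca() {                         # steps 4 and 5; $1 = demoCA dir, $2 = key password
  ( cd "$1"; export CA_PASS="$2"     # env: keeps the password out of the process list
    openssl genrsa -aes256 -passout env:CA_PASS -out private/cakey.pem 4096
    openssl req -new -x509 -days 3650 -key private/cakey.pem -passin env:CA_PASS \
      -config openssl_local.cfg -sha256 -extensions v3_ca -out cacert.pem \
      -subj '/C=GB/O=Example Ltd/CN=Example Root CA' )
}
```

Call setup_demoCA demoCA, write_ca_config demoCA/openssl_local.cfg and then create_ca demoCA 'your-password' from the parent directory; check_ca_config returns non-zero if any of the three step 3 edits is missing from a config you edited by hand.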
6. Enter a passphrase for the key, and then enter the data requested, including:
- Country
- State or province
- Locality name
Cisco TelePresence VCS Certificate Creation and Use Deployment Guide (X8.2)
Page 20 of 29
Appendix 2: Certificate generation using OpenSSL only