Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 2 – Certificate generation using
OpenSSL only
OpenSSL only
This section describes the process for generating a private key and certificate request for the VCS using
OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices where the
Microsoft Lync and OCS tools are not available, for test purposes, and for providing output to interact with
Certificate Authorities.
OpenSSL. This is a generic process that relies only on the free OpenSSL package and not on any other
software. It is appropriate when certificates are required for interfacing with neighboring devices where the
Microsoft Lync and OCS tools are not available, for test purposes, and for providing output to interact with
Certificate Authorities.
The output for the certificate request generation process can be given to a Certificate Authority which may be
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the VCS to authenticate itself with neighboring devices.
internal or external to the organization, and which can be used to produce the X.509 certificates required by
the VCS to authenticate itself with neighboring devices.
This section also briefly describes how OpenSSL could be used to manage a private Certificate Authority,
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
but does not intend to be comprehensive. Various components of these processes can be used when
interfacing with third party CAs.
OpenSSL and Mac OS X or Linux
OpenSSL is already installed on Mac OS X, and is usually installed on Linux.
OpenSSL and Windows
If you do not have OpenSSL already installed, this is available as a free download from
Choose the relevant 32 bit or 64 bit OpenSSL - the ‘Light’ version is all that is needed.
If you receive a warning while installing OpenSSL that C++ files cannot be found, load the “Visual C++
Redistributables” also available on this site and then re-load the OpenSSL software.
Redistributables” also available on this site and then re-load the OpenSSL software.
Creating a certificate request using OpenSSL
This process creates a private key and certificate request for the server that can then be validated by a CA.
This could be a CA that has been created and managed locally, or a third-party CA.
This could be a CA that has been created and managed locally, or a third-party CA.
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory).
For Mac OS X: stay in the root of the user’s directory.
2. For Windows: copy openssl.cfg to openssl_vcs.cfg
For Mac OS X: copy /system/library/openssl/openssl.cnf to the root of the user’s directory as
openssl_vcs.cfg
openssl_vcs.cfg
3. If the certificate is for a cluster of VCSs:
a. Use a text editor to edit the openssl_vcs.cfg file that was created by the above copy command, and
ensure that the line:
“req_extensions = v3_req # The extensions to add to a certificate
“req_extensions = v3_req # The extensions to add to a certificate
request”
has no # at the beginning of the line - delete the # if it is there.
has no # at the beginning of the line - delete the # if it is there.
b. Scroll down to the “[ v3_req ]” section and below this section title add:
subjectAltName="DNS:<FQDN of VCS cluster>,DNS:<FQDN of peer 1>,DNS:<FQDN
of peer 2>,DNS:<FQDN of peer n>"
Certificate Creation and Use With Cisco VCS Deployment Guide (X7.2)
Page 13 of 36
Appendix 2 – Certificate generation using OpenSSL only