Cisco Cisco TelePresence Video Communication Server Expressway
Creating a Certificate Authority using OpenSSL
This process creates a private key and certificate of a Certificate Authority (CA), which can then be used to
validate other certificates. Note that this will not be trusted by devices outside of those on which it is
explicitly installed.
validate other certificates. Note that this will not be trusted by devices outside of those on which it is
explicitly installed.
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory).
For Mac OS X: stay in the root of the user’s directory.
2. Generate a private key for the CA by running the following command:
openssl genrsa -aes256 -out ca.key 4096
This will prompt for a password with which to encrypt the private key: choose a strong password and
record it in a safe place. The ca.key file will be used to create the CA certificate and to sign other
certificates and must also be kept secure.
This will prompt for a password with which to encrypt the private key: choose a strong password and
record it in a safe place. The ca.key file will be used to create the CA certificate and to sign other
certificates and must also be kept secure.
3. Generate the CA certificate by running the following command.
For Windows: openssl req -new -x509 -key ca.key -config openssl.cfg -sha1 -
extensions v3_ca -out ca.crt
For OS X: openssl req -new -x509 -key ca.key -sha1 -extensions v3_ca -out
ca.crt
extensions v3_ca -out ca.crt
For OS X: openssl req -new -x509 -key ca.key -sha1 -extensions v3_ca -out
ca.crt
4. Enter passphrase for the key, and then enter the data requested, including:
l
Country
l
State or province
l
Locality name
l
Organization name
l
Organizational unit
l
Common name – this is typically the name of a contact person for this CA
l
Email address – optional, can leave blank
After entering the requested data, the operation completes and the certificate authority certificate ca.crt is
now available.
now available.
Creating a signed certificate using OpenSSL
This process signs the server certificate with the generated CA key, using the previously generated
certificate request.
certificate request.
From a command prompt:
1. Convert the previously generated certificate request to PEM format by running the following command:
openssl x509 -in certcsr.der -inform DER -out certcsr.pem -outform PEM
2. Generate a signed server certificate by running the following command:
openssl ca -outdir . -config openssl.cfg -cert ca.crt -keyfile ca.key -in
certcsr.pem -out server.pem -md sha1
3. You will be prompted to enter the password for the CA’s private key.
The signed certificate for the server is now available as server.pem.
Certificate Creation and Use With Cisco VCS Deployment Guide (X7.2)
Page 15 of 36
Appendix 2 – Certificate generation using OpenSSL only