Cisco Cisco TelePresence Video Communication Server Expressway
Generating a certificate signing request (CSR)
A CSR contains the identity information about the owner of a private key. It can be passed to a third-party or
internal certification authority for generating a signed certificate, or it can be used in conjunction with an
application such as Microsoft Certification Authority or OpenSSL.
internal certification authority for generating a signed certificate, or it can be used in conjunction with an
application such as Microsoft Certification Authority or OpenSSL.
Creating a CSR using VCS (X7.2 or later)
The VCS can generate server certificate signing requests. This removes the need to use an external
mechanism to generate and obtain certificate requests.
mechanism to generate and obtain certificate requests.
To generate a CSR:
1. Go to
Maintenance > Certificate management > Server certificate
.
2. Click Generate CSR to go to the
Generate CSR
page.
3. Enter the required properties for the certificate.
l
See
below if your VCS is part of a cluster.
l
The certificate request includes automatically the public key that will be used in the certificate, and the
client and server authentication Enhanced Key Usage (EKU) extension.
client and server authentication Enhanced Key Usage (EKU) extension.
4. Click Generate CSR. The system will produce a signing request and an associated private key.
Note that the private key is stored securely on the VCS and cannot be viewed or downloaded.
5. You are returned to the
Server certificate
page. From here you can:
l
Download the request to your local file system so that it can be sent to a certificate authority. You are
prompted to save the file (the exact wording depends on your browser).
prompted to save the file (the exact wording depends on your browser).
l
View the current request.
Note that only one signing request can be in progress at any one time. This is because the VCS has to keep
track of the private key file associated with the current request. To discard the current request and start a
new request, click Discard CSR.
track of the private key file associated with the current request. To discard the current request and start a
new request, click Discard CSR.
You must now authorize the request and generate a signed PEM certificate file. You can pass it to a third-
party or internal certification authority, or use it in conjunction with an application such as Microsoft
Certification Authority (see
party or internal certification authority, or use it in conjunction with an application such as Microsoft
Certification Authority (see
) or OpenSSL (see
).
When the signed server certificate is received back from the certificate authority, it must be uploaded to the
VCS as described in
VCS as described in
Server certificates and clustered systems
When a CSR is generated, a single request and private key combination is generated for that peer only.
If you have a cluster of VCSs, you must generate a separate signing request on each peer. Those requests
must then be sent to the certificate authority and the returned server certificates uploaded to each relevant
peer.
must then be sent to the certificate authority and the returned server certificates uploaded to each relevant
peer.
You must ensure that the correct server certificate is uploaded to the appropriate peer, otherwise the stored
private key on each peer will not correspond to the uploaded certificate.
private key on each peer will not correspond to the uploaded certificate.
Certificate Creation and Use With Cisco VCS Deployment Guide (X7.2)
Page 5 of 36
Generating a certificate signing request (CSR)