cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
985
Views
1
Helpful
1
Replies

Expressways certificates

audvintech
Level 1
Level 1

We are implementing CUCM with Expressways, and we are using "Cisco Expressway Certificate Creation and use, deployment guide", we are confused about creating a signed certificate using OpenSSL. The certificate request was created using the Expressway, it was downloaded and follow the steps described in the guide:

Creating a signed certificate using OpenSSL
This process signs the server certificate with the generated CA key, using the previously generated certificate request.
From a command prompt:
1.Ensure that you are in the demoCA directory.
2.Ensure that the certificate request file (certcsr.pem) is available:
lIf the certificate request was created using the Expressway (recommended process):
Copy the file downloaded from the Expressway into the demoCA directory and rename it as certcsr.pem.
lIf the certificate request was created using OpenSSL:
Copy the previously generated certificate request into the demoCA directory and then covert it to PEM format by running the following command:
openssl req -in certcsr.der -inform DER -out certcsr.pem -outform PEM
3.Generate a signed server certificate by running the following command:
openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in certcsr.pem -out certs/server.pem -md sha1
If you receive a "failed to update database TXT_DB error number 2" error message, you can remove the contents of the index.txt file and then rerun the command.
4.You will be prompted to enter the password for the CA’s private key.
The signed certificate for the server is now available as demoCA/certs/server.pem. 

The question is the following, when the CSR is generated, the private key is hidden in the server and cannot be viewed or downloaded, so, how we can create a certificate if the command used in OpenSSL for do that includes the private key?. See Step 3 above. (cakey.pem)

Is it necessary to signed a certificate for each Expressway C and E or it's the same for both, no matter where CSR was generated?

What's the easy way to sign certificates ? Which CA is recommended for that?

 

Thank you,

 

 

 

 

 

 

 

 

 

1 Reply 1

Jaime Valencia
Cisco Employee
Cisco Employee

I don't think you're getting the flow of events here, those instructions are if you created the CSR WITH OPENSSL AS WELL, SO, you have the request, and the private key

That's the reason why the appendix 2 starts on how to create a CSR with openSSL, how to configure openSSL to act as a CA, to create a CA with openSSL, and FINALLY to sign the certificate, that you created in the first step of the appendix.

If you generate the CSR on Expressway, then you only need to sign it, but with a CA that does not require the private key for that.

Yes, each Expressway needs to have their certificate signed, you want to use a public CA for EXP-E. When you generate the CSR on EXP, it's pretty clear it's only for that server from the fields that it asks you to choose.

Most people simply use a Microsoft CA to sign certificates, you simple need to add the feature to a Windows Server, and configure it to do all this.

HTH

java

if this helps, please rate