Showing results for 
Search instead for 
Did you mean: 

How to Renew the Expressway servers' cert.

Chi Fai Leung
Level 1
Level 1


My Cisco Expressway servers had singed the Godaddy SAN cert. and showed the expired.
Now, I am going to renew the cert. on my Expressway Edge server.
It allow me to upload the new server cert. and it must also upload the private key, but I have not get any private key when renew the Godaddy SAN cert.? Must regenerate the new CSR when renew? Is it previous generate the private key and I have to keep it b4?

11 Replies 11

Jaime Valencia
Cisco Employee
Cisco Employee

VCS provides two ways in which you can upload the server certificate, the first one, is that you're going to generate the CSR, and VCS will automatically generate the private key. You just need to get the csr signed, to then upload it. As the screenshot says, you don't have any CSR going on right now.

The other option, is that you'll use other option, like openssl, to generate the CSR/certificate AND the private key, that when you use the other option.

You can use either one, if you just need to get a CSR signed, just use the first one.

The VCS documentation has a whole document dedicated to certificates, have you reviewed it???



if this helps, please rate

Renew the cert. = Regenerate the new CSR?

Yes, if all you want is to get a CSR signed, generate a CSR and have it signed.

You really should read the documentation around certificates as they're VERY important and you need to understand how they work.



if this helps, please rate

I'm actually in the same situation right now.  Godaddy automatically renewed the existing cert using the key that was used on the original cert.  However, it seems that the expressway server is forcing one to re-upload the same private key from a year earlier.  If you have not kept your key in a safe place and/or have misplaced/deleted it, you will be forced to 1) generate a new private key CSR and 2) revoke the renewal certificate from Godaddy and generate a new one based on the new CSR just created.

Most other systems i use allow a certificate to be renewed without the original private key as this should already be stored securely by the system.  Guess it cant all be a breeze. 

edit: forgot to add that extracting the private key out of express way requires CLI root access and an unpublished command to display the private key.  Maybe TAC has this command; i don't have it saved :|

If you have root access to your VCS, you can download the private key that was uploaded from your existing certificate using WinSCP.  The directory certificates and private keys get uploaded to is located under root/tandberg/persistent/certs.

Hi Patrick (+5)

Came across this post while looking for a way to delete an expired server cert on our expressway servers. I was able to find the old servers certs in this folder. Thanks

Please rate all useful posts

Hi Ayodeji


I want to delete certs that expired in February 2019, from the attached which one should be deleted?



Patrick after login into to my expressway, I observed that I do not see any expired server certs. Looks like expressway only keeps a copy of the server cert and doesnt retain the old ones. I have an issue where my monitoring software keeps generating alarms for a cert that is about to expire even though I have renewed the cert.

Or is there a folder where old expired certs are kept?

Please rate all useful posts

That's the only folder that I'm aware of.

Could the alert be coming from an old certificate CA that was included with the VCS/Expressway?

Depending on when the server was installed, with earlier versions (I believe it was before X8.x software), Cisco did include a bunch of default CAs.

Its on X8.8.1 and I am pretty sure the alert is for the old server cert because  of the date. I am just not sure where its getting it from since those certs no longer exists on the servers

Please rate all useful posts

Another way, for obtain privatekey PEM, is making a backup, and decompressing it. In Tandberg subfolder is the golden file.