
Prime Collaboration Assurance SSL certificate

Pasha Teplitsky
Level 1

Hi,

I have an installation of PCA 11.6 and I'm trying to add an SSL certificate signed by our enterprise CA.

The instructions for version 11.6 are a bit different from the previous versions:

Make sure you import a PKCS12 (.pfx or .p12) format signed certificate.

The certificate must contain primecollab alias.

The Key password for primecollab alias must be same as the certificate password.

The instructions for earlier version included creation of CSR via keytool CLI commands.

I have created the CSR as documented and signed it with the CA.

To convert the CA-signed cert to PKCS12 format I would have to export the private key from the keystore and create a new cert.

It's doable but it all seems very non standard with a lot of missing information.

Seems strange that these steps are not documented for this version.

Has anyone had any experience with this procedure?

3 Replies

ghaffariem
Level 1

What instructions on how to create the CSR have you used? I can't find any in regard to PCA 11.6.

I used the openssl command to generate my CSR, but what this primecollab alias is, is a riddle to me.

Hope someone has succeeded with installing a CA-signed certificate and would share the how-to.

Hello,

You have to create the CSR via the PCA root shell, since the feature is simply not available anymore since PCA 11.5.

Cisco just fixed it as a documentation defect and removed it from the manuals:

CSCuz00062 - CSR Generation Feature has to be removed in PCA 11.5
CSCvc23999 - Doc Defect - PCA 11.5 cannot generate CSR
Below is a guideline which I've verified with the latest PCA 11.6 build. Hope it helps. If something is unclear, just let me know.

I changed IP addresses and hostnames to dummy values (pcahostname.domain, 127.0.0.1) and removed any sensitive information in the guideline since I implemented it on a customer environment.

#first log in via SSH (port 26) on PCA and change to the root shell (if not activated so far, enable it first with the #root_enable command and set a password - required on each future root login).


login as: admin
admin@127.0.0.1's password:
Last login: Fri Aug  4 18:02:15 2017 from 127.0.0.1

pcahostname/admin# root
Enter root patch password :
Starting root bash shell ...

#change to a temporary working directory e.g. /tmp/certs

#PCA is cleaning up the /tmp directory, hence I've created another subdirectory.


ade # cd /tmp
ade # mkdir certs
ade # cd /tmp/certs

#create a config file which shortens the openssl CSR statement and
#reduces problems caused by typos, especially if you prepare the config file in advance.

#TLS web server authentication should be enough from my point of view, but the customer's CA certificate template required both (client and server in extended key usage).


vi openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
commonName = pcahostname.domain
organizationalUnitName    = TheCompany
organizationName = TheOrganization
localityName = TheCity
stateOrProvinceName = TheState
countryName = DE

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = pcahostname.domain

# :wq to write and quit ;)


# generate now a private key with passphrase and a secure cipher
# please change the passphrase and store it together with the key file in a safe place.

# in our case a 2048 bit long private key protected by a passphrase and encrypted with AES-256 was good enough.


openssl genrsa -aes256 -passout pass:******** -out pcahostname.key 2048

Generating RSA private key, 2048 bit long modulus
.....
...
e is 65537 (0x10001)


# generate now the CSR by using the key and config. Every time you use the key file you have to enter the passphrase again.

openssl req -new -out pcahostname.csr -key pcahostname.key -config openssl.cnf
Enter pass phrase for pcahostname.key:

ade # ls -ltr *.csr
-rw-rw-rw-  1 root     gadmin   1249 Aug  8 19:21 pcahostname.csr

# verify CSR:

ade # openssl req -text -noout -in pcahostname.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=pcahostname.domain, OU=TheOrgUnit, O=TheCompany, L=TheCity, ST=Vienna, C=DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:.......
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:pcahostname.domain, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

#get Base64-encoded CSR by simply using cat and copy+paste it to your Signing Certificate Authority:

ade # cat pcahostname.csr
-----BEGIN CERTIFICATE REQUEST-----
.....................
-----END CERTIFICATE REQUEST-----

# sign CSR on your CA and transfer the signed *.crt file together with the CA certificates back to the system. You can use sftp to transfer files from/to PCA. I used Prime Deployment upgrade directory ;)

#combine the signed server certificate (pcahostname.crt) with the certificate chain of the used Certificate Authority (e.g. root.crt, sub.crt if you have a Root and an Intermediate Sub CA):


After combining the CA certificates into one file, verify validity of certificate chain:

openssl verify -verbose -purpose sslserver -CAfile root.crt certs.pem

certs.pem: OK

# Package the key and cert in a PKCS12 file:

# important note: the certificate must contain the primecollab alias and the key password for the primecollab alias must be the same as the certificate password, as described in the Cisco documentation.

openssl pkcs12 -export -in pcahostname.crt -inkey pcahostname.key -certfile certs.pem -name "primecollab" -out pcahostname.p12
Enter pass phrase for pcahostname.key:
Enter Export Password:
Verifying - Enter Export Password:

#verify the pkcs#12 file:

openssl pkcs12 -info -in pcahostname.p12

Enter Import Password:

MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: AA BB ......
    friendlyName: primecollab
subject=/C=DE/ST=.../CN=pcahostname.domain
issuer=.... Signing CA .....
-----BEGIN CERTIFICATE-----
……..abbreviated for security reasons…..
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
.....

#You see two more certificates (if cert chain consists of two certs) and the private key as final output:

-----BEGIN ENCRYPTED PRIVATE KEY-----
……..abbreviated for security reasons…..
-----END ENCRYPTED PRIVATE KEY-----

# copy all your certs files from PCA via sftp to a safe location


# upload now the PKCS12 file in the PCA GUI (System Administration > Certificate Management > PrimeCollaboration Certificate Management) and enter the defined certificate password.

You should receive a green success message in the bottom right corner. If not, something went wrong with your certificate.


# restart PCA application in PCA standard console

application stop cpcm


application start cpcm  

# all services are up & running after 7-8 min since PCA 11.6 (faster than older releases)
# DONE!
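The key, CSR, signed-certificate and PKCS#12 steps from the guideline above, as an added example that is not part of this thread or of Cisco's documentation. It swaps a locally generated stand-in root CA for the enterprise CA so it runs offline, uses constructed placeholder hostname and password values, and finishes with a check_bundle function that confirms, before the GUI upload, that the .p12 opens with the intended password and carries the primecollab alias (friendlyName). With a real CA, pass the combined chain file instead of root.crt to -certfile and -CAfile.

```shell
#!/bin/sh
# Added example (not the reply's own commands): key -> CSR -> signed cert -> PKCS#12,
# with a stand-in CA so it runs offline, then a pre-upload check for the two PCA 11.6
# rules: "primecollab" alias present and key password equal to the bundle password.
set -e; WORK=$(mktemp -d)
HOST="pcahostname.domain"   # constructed placeholder
PASS="ChangeMe-Pkcs12"      # placeholder; one password for key, bundle and GUI upload
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
commonName = $HOST
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$HOST
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
make_key_and_csr() {   # AES-256 protected RSA key, CSR driven by the config file
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$HOST.key" -passin "pass:$PASS" \
    -config "$WORK/openssl.cnf" -out "$WORK/$HOST.csr"
}
sign_with_standin_ca() {   # stands in for the enterprise CA; copies the v3_req extensions
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Stand-in Root CA" -days 365 -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_req \
    -out "$WORK/$HOST.crt" 2>/dev/null
  openssl verify -purpose sslserver -CAfile "$WORK/root.crt" "$WORK/$HOST.crt" >/dev/null
}
build_bundle() {   # $1 = alias; openssl pkcs12 uses one export password for key and certs
  openssl pkcs12 -export -in "$WORK/$HOST.crt" -inkey "$WORK/$HOST.key" -passin "pass:$PASS" \
    -certfile "$WORK/root.crt" -name "$1" -passout "pass:$PASS" -out "$WORK/$1.p12"
}
check_bundle() {   # $1 = .p12, $2 = password; true only if it opens and carries the alias
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | grep -q '^ *friendlyName: primecollab$'
}
make_key_and_csr; sign_with_standin_ca; build_bundle primecollab
check_bundle "$WORK/primecollab.p12" "$PASS" && echo "primecollab.p12 ready for upload"
```

check_bundle can be pointed at any .p12 produced by the guideline before uploading it, which catches a wrong export password or a missing primecollab alias without a failed GUI attempt and application restart.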

Thanks, it helped me but this is convoluted on Cisco's part.
