This document describes how to create a certificate signing request (CSR) on the
Cisco Content Services Switch Secure Content Accelerator (CSS SCA) via telnet.
SCA running 188.8.131.52 code or higher
Before You Begin
Make sure you know the fully qualified domain name used for your server
or VIP address. The domain name clients use to connect to your site must match
the domain name on your certificate.
a Certificate Signing Request Via Telnet on the SCA
The SCA uses OpenSSL to create the certificate requests and private keys. OpenSSL
an industry-accepted implementation, and is used in many other ssl devices, including
Apache web servers. For more information on OpenSSL, refer to The
It is very important to backup your certificate and private keys. The certificate
is useless without the private key. In the first step you will be shown how
to create a private key on the SCA and have it exported to a tftp server. In
the second step, you will be shown how to create a certificate signing request
(CSR) using the private key you just created. Finally, you will be shown how
to import the certificate your Certificate Authority (CA) created, based on
your certificate signing request. You should also save the certificate that
you receive from the Certificate Authority.
The first step is to create the private key. For security purposes, make sure
you encrypt the private key with a passphrase. You will be asked to enter a
passphrase, and then to verify the passphrase by typing it in again.
This example creates a 1024 bits private key, DES
encrypted using a passphrase, and write the key to a TFTP
server with IP address 10.1.1.101.
sslone# config (config[sslone])# ssl (config-ssl[sslone])# key new_key
genrsa bits 1024 encrypt des output tftp://10.1.1.101/new_key Enter PEM pass phrase for
Verifying password - Enter
PEM phrase for key encryption:
-----BEGIN RSA PRIVATE KEY-----
Writing RSA key to: tftp://10.1.1.101/new_key
Sent 958 bytes in 0.2 seconds [38320
The private key will always be displayed and stored locally upon successful
creation, even if it could not be copied to the TFTP server.
Create the CSR. Issue the command gencsr key (specify the private key
you just created). You will be prompted to enter this information:
State or Province
Organizational Unit Name
gencsr key new_key
The following information
will be incorporated into your CSR (Certificate
Country, State or Province, Locality, Organization
Name, Organizational Unit
Name, Domain Name, and Email Address).
Enter the two-letter ISO
abbreviation for your country (for example, US
for the United States):
=> Country : US
Enter the name of the state
or province where your organization's head
office is located.
Please enter the full name (do not abbreviate).
=> State or Province :
Enter the name of the city
where your organization's head office is
Example: San Jose
=> Locality : Boxborough
Enter the name of the organization
that owns the domain name. The
organization name (corporation,
limited partnership, university, or
government agency) must
be registered with some authority at the national,
state, or city level. Use
the legal name under which your organization is
registered. Please do not
abbreviate your organization's name and DO NOT
use any of the following
> ~ ! @ # $ ^ * /
\ ( ) ?.
Example: Example Corporation
=> Organization Name :Cisco
Enter the name of the department
or group that will use the certificate.
Example: IT Department
=> Organizational Unit Name
Enter the "fully qualified
domain name" (or FQDN) used for DNS lookups
of your server (for example:
www.example.com). Browsers use this
information to identify
your Web site. Some browsers will refuse to
establish a secure connection
with your site if the server name does not
match the Domain Name
in the certificate. Please do not include the
protocol specifier "http://" or any
port numbers or path names. Do not
use wildcard characters
such as * or ?, and do not use an IP address.
=> Domain Name / Common
Enter the e-mail address
of the administrator responsible for the
=> Email address : firstname.lastname@example.org Summary of your Certificate Signing
State or Province: Massachusetts
Organization Name: Cisco
Organizational Unit Name:
Domain Name: www.yourdomain.com
Email address: email@example.com
Is the above information
correct? (y/n): y
Your CSR is displayed below.
To submit the CSR to a certifying
authority (CA), like Verisign, cut and
paste the following into
the field provided in the CA's online request
form. Remember to include
the beginning and ending tags,
-----BEGIN CERTIFICATE REQUEST-----"
-----END CERTIFICATE REQUEST-----"
Would you like to save certificate
request to a URL ? (y/n): n Would you like to self sign
this certificate ? (y/n): n (config-ssl[sslone])#
Copy and paste the bolded section and provide this to the Certificate Authority
(CA) of your choice. They will provide you with the resulting certificate. Most
certificate authorities will allow you to request a test certificate.
Once the certificate has been received, you can use the Privacy-Enhanced Mail
(PEM) paste feature to upload the certificate to the SCA.