Cisco SCA 11000 Series Secure Content Accelerators

How to Create a Certificate Signing Request on the CSS SCA

Document ID: 22400

Updated: May 24, 2004


Contents

          Introduction
          Components Used
          Before You Begin
          Creating a Certificate Signing Request Via Telnet on the SCA
          Step-by-Step Instructions
          Troubleshooting
          Related Information


Introduction

This document describes how to create a certificate signing request (CSR) on the Cisco Content Services Switch Secure Content Accelerator (CSS SCA) via telnet.

Components Used

  •     SCA running 3.1.0.27 code or higher
  •     Telnet
  •     Certificate Authority

Before You Begin

Make sure you know the fully qualified domain name used for your server or VIP address. The domain name clients use to connect to your site must match the domain name on your certificate.

Creating a Certificate Signing Request Via Telnet on the SCA

The SCA uses OpenSSL to create the certificate requests and private keys. OpenSSL is an industry-accepted implementation and is used in many other SSL devices, including Apache web servers. For more information on OpenSSL, refer to The OpenSSL Project.

It is very important to back up your certificate and private keys. The certificate is useless without the private key. In the first step you will be shown how to create a private key on the SCA and have it exported to a TFTP server. In the second step, you will be shown how to create a certificate signing request (CSR) using the private key you just created. Finally, you will be shown how to import the certificate your Certificate Authority (CA) created, based on your certificate signing request. You should also save the certificate that you receive from the Certificate Authority.

Step-by-Step Instructions

Step 1

The first step is to create the private key. For security purposes, make sure you encrypt the private key with a passphrase. You will be asked to enter a passphrase, and then to verify the passphrase by typing it in again.

This example creates a 1024-bit private key, DES-encrypted using a passphrase, and writes the key to a TFTP server with IP address 10.1.1.101.
 

        sslone# config
        (config[sslone])# ssl
        (config-ssl[sslone])# key new_key create
        (config-ssl-key[new_key])# genrsa bits 1024 encrypt des output tftp://10.1.1.101/new_key
        Enter PEM pass phrase for key encryption:
        Verifying password - Enter PEM phrase for key encryption:
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-CBC,0FAFA1822C899B45

        tUqbGRi+MKH8+yixft/sD5zrGSlJ9l6o896tOBClSBMEZMTAT+xTR+qUpsBEe3EH
        DVYtmWwasA7EpHm/AVEd65xoURZ+ZOJWx9suoplV5WjEqyOQVR7mrblLJ0Xr3e6j
        ERt7XgTPy/BpPmTl0VBOJ+Zt1SMQ6xcMpnDxVY4BQ59tBappjwg1b/6i2yYBOkNe
        NxzQjPjrQ/rgj+O6h9LWRGm2Xz0YJ7Q4u2+8QBP9S1ZSgy1FYlmLtbdnXB65Xfea
        3rtwtMfVGDhHLhR0Js+e5wav5dv1BBwpuQN8bK+srJhxlTFqAQuoaJKRn8syrb4Q
        jcafaqkxUvJlBCU/Ba7gLn5Xe7tZh0Np1hGprC6e6mnR1ygH1wYeQdTDJzctWcP2
        B5dTqECjKR0gF6kSFrCHk5ZmTkXppqrDzasOl8dRVFa1CAg/OoVYhGI20hTQFeeC
        2ichVypbpTMq+lU70ifY2HXmCGiCGu80pJjv9aLvW0k3Ty9LzwRYQFKEJZt9ZV1h
        iqVDAF3rpx5Aad6Z5jsn7X0e+jQpwxHMoJOGVjgGriziuNWnX8XFpPBnAeaVVDhu
        Op2HymfUJ0rfcbD1bZp9SxtNtbnWUUSqnJTl5/GX8b94rOvPJUzML1CxCh8h+P0n
        0CAGAvG62a8HAqlhivKhWhgOl0gG4y0DjSp9zZyTFFbYw4fxaWQ0npKak0k4Gwqz
        /juPjddubRwvnkOs5lyl0Ei2OrNPXIh+8r4hDvzmMy2dYBAgcVCFSnHcth++PPIX
        VbK+5Z8wqA0CSTQW/2Z2dfDPLHJqX0w0oeAKAkzDF8t2bSohWDfI5A==
        -----END RSA PRIVATE KEY-----

        Writing RSA key to: tftp://10.1.1.101/new_key
        Sent 958 bytes in 0.2 seconds [38320 bits/sec]
        (config-ssl-key[new_key])#
 

The private key will always be displayed and stored locally upon successful creation, even if it could not be copied to the TFTP server.

Step 2

Create the CSR. Issue the command gencsr key <key_name>, specifying the private key you just created. You will be prompted to enter this information:

  • Country
  • State or Province
  • Locality
  • Organization Name
  • Organizational Unit Name
  • Domain Name
  • Email Address

        (config-ssl[sslone])# gencsr key new_key

        The following information will be incorporated into your CSR (Certificate
        signing request):  Country, State or Province, Locality, Organization
        Name, Organizational Unit Name, Domain Name, and Email Address).

        Enter the two-letter ISO abbreviation for your country (for example, US
        for the United States):
         Example: US
        => Country []: US

        Enter the name of the state or province where your organization's head
        office is located.  Please enter the full name (do not abbreviate).
         Example: California
        => State or Province []: Massachusetts

        Enter the name of the city where your organization's head office is
        located.
         Example: San Jose
        => Locality []: Boxborough

        Enter the name of the organization that owns the domain name. The
        organization name (corporation, limited partnership, university, or
        government agency) must be registered with some authority at the national,
        state, or city level. Use the legal name under which your organization is
        registered. Please do not abbreviate your organization's name and DO NOT
        use any of the following characters:
         > ~ ! @ # $ ^ * / \ ( ) ?.
         Example: Example Corporation
        => Organization Name []:Cisco Systems

        Enter the name of the department or group that will use the certificate.

         Example: IT Department
        => Organizational Unit Name []: Support

        Enter the "fully qualified domain name" (or FQDN) used  for DNS lookups
        of your server (for example: www.example.com).  Browsers use this
        information to identify your Web site.  Some browsers will refuse to
        establish a secure connection  with your site if the server name does not
        match the  Domain Name in the certificate.  Please do not include  the
        protocol specifier "http://" or any port numbers or  path names.  Do not
        use wildcard characters such as * or ?,  and do not use an IP address.
        Example: www.example.com
        => Domain Name / Common Name []:www.yourdomain.com

        Enter the e-mail address of the administrator responsible for the
        certificate.
        Example: admin@example.com
        => Email address []: admin@yourdomain.com
        Summary of your Certificate Signing Request:

        Country: US
        State or Province: Massachusetts
        Locality: Boxborough
        Organization Name: Cisco
        Organizational Unit Name: Support
        Domain Name: www.yourdomain.com
        Email address: admin@yourdomain.com

        Is the above information correct? (y/n): y

        Your CSR is displayed below.
        To submit the CSR to a certifying authority (CA), like Verisign, cut and
        paste the following into the field provided in the CA's online request
        form. Remember to include the beginning and ending tags,
        -----BEGIN CERTIFICATE REQUEST-----" and
        -----END CERTIFICATE REQUEST-----"

        -----BEGIN CERTIFICATE REQUEST-----
        MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
        dHRzMRMwEQYDVQQHEwpCb3hib3JvdWdoMQ4wDAYDVQQKEwVDaXNjbzEQMA4GA1UE
        CxMHU3VwcG9ydDEbMBkGA1UEAxMSd3d3LnlvdXJkb21haW4uY29tMSMwIQYJKoZI
        hvcNAQkBFhRhZG1pbkB5b3VyZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
        jQAwgYkCgYEAv5LUR/fp1XBHj6A6T7W5cyW3795Kudv8ff3nSAxrbcMA5nkWPUfI
        uLTUh/hDllgxXDc1dQNQlQFCfQ9CINswyuOzZZKbMVwdLvacfDnHO9SnY/np/8Y2
        WyttZz9butXzZqUrMwa4ogTjsuYSnLXMf2mGTq7f+ybLxEiROhyfIC0CAwEAAaAA
        MA0GCSqGSIb3DQEBBAUAA4GBAC3DxU3kjApdaPtz8S3cQMApj+0xrgv6/Utz+tMA
        iYYD09jGnsihV7+igni4TiEGtEoXFTisJOUjEC+bhmo206iJ4TUQUVJqCfzh/JNX
        OzLoapnbIh2DTZKVVcwywyzGplV3kTGkShp9DIRH494BE6mHLNLPyyCX2oB7sUgJ
        plal
        -----END CERTIFICATE REQUEST-----

        Would you like to save certificate request to a URL ? (y/n): n
        Would you like to self sign this certificate ? (y/n): n
        (config-ssl[sslone])#

Copy and paste the section from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- and provide it to the Certificate Authority (CA) of your choice. The CA will provide you with the resulting certificate. Most certificate authorities will allow you to request a test certificate.
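Before typing the answers into gencsr, it is worth checking them against the rules the prompts state: a two-letter country code, none of the forbidden characters in the organization name, and a bare FQDN with no protocol, port, path, wildcard or IP address that matches the name clients actually use to reach the site. The following Python 3 check is an added example, not Cisco's code and not part of the original document; the function name check_csr_fields, the field keys and the sample values are my own choice.

```python
import ipaddress
import re

# Characters the gencsr prompt forbids in the Organization Name.
FORBIDDEN_ORG_CHARS = set('>~!@#$^*/\\()?')
# One DNS label: letters/digits, hyphens allowed inside, 63 characters at most.
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_ip_address(text):
    """True for a literal IPv4 or IPv6 address, which must not be used as the Domain Name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_csr_fields(fields, site_hostname):
    """Return the list of problems with the answers planned for gencsr; [] means go ahead.

    fields: dict with keys country, state, locality, org, ou, domain, email
    site_hostname: the name clients connect to; it must equal the CSR Domain Name
    """
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", fields.get("country", "")):
        problems.append("country must be the two-letter ISO code (for example US)")
    for key in ("state", "locality", "org", "ou", "domain", "email"):
        if not fields.get(key, "").strip():
            problems.append(key + " must not be empty")
    bad = FORBIDDEN_ORG_CHARS & set(fields.get("org", ""))
    if bad:
        problems.append("org contains forbidden characters: " + "".join(sorted(bad)))
    domain = fields.get("domain", "")
    if is_ip_address(domain):
        problems.append("domain must be a DNS name, not an IP address")
    elif "://" in domain or ":" in domain or "/" in domain:
        problems.append("domain must not include a protocol, port or path")
    elif "*" in domain or "?" in domain:
        problems.append("domain must not contain wildcard characters")
    elif domain and ("." not in domain
                     or not all(LABEL_RE.fullmatch(l) for l in domain.split("."))):
        problems.append("domain is not a well-formed FQDN")
    elif domain and domain.lower() != site_hostname.lower():
        problems.append("domain does not match the name clients use (" + site_hostname + ")")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", fields.get("email", "")):
        problems.append("email is not a valid address")
    return problems


if __name__ == "__main__":
    # Constructed sample answers matching the ones typed in Step 2 above.
    planned = dict(country="US", state="Massachusetts", locality="Boxborough",
                   org="Cisco Systems", ou="Support",
                   domain="www.yourdomain.com", email="admin@yourdomain.com")
    print(check_csr_fields(planned, "www.yourdomain.com") or "ready for gencsr")
```

Run the check with the hostname from your DNS record as the second argument; the domain comparison is the one that catches the mismatch described under Before You Begin, which the SCA itself cannot detect.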
 

Step 3

Once the certificate has been received, you can use the Privacy-Enhanced Mail (PEM) paste feature to upload the certificate to the SCA.

        (config-ssl[sslone])# cert new_cert create
        (config-ssl-cert[new_cert])# pem-paste
        Paste Data, then press enter until prompt returns
        -----BEGIN CERTIFICATE-----
        MIICYDCCAgoCEAvjXPTFkpcaO3WR0Yy/zFswDQYJKoZIhvcNAQEEBQAwgakxFjAU
        BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
        cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
        RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
        IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAyMDQwMTAwMDAwMFoXDTAyMDQxNTIz
        NTk1OVoweTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzAR
        BgNVBAcUCkJveGJvcm91Z2gxDjAMBgNVBAoUBUNpc2NvMRAwDgYDVQQLFAdTdXBw
        b3J0MRswGQYDVQQDFBJ3d3cueW91cmRvbWFpbi5jb20wgZ8wDQYJKoZIhvcNAQEB
        BQADgY0AMIGJAoGBAL+S1Ef36dVwR4+gOk+1uXMlt+/eSrnb/H3950gMa23DAOZ5
        Fj1HyLi01If4Q5ZYMVw3NXUDUJUBQn0PQiDbMMrjs2WSmzFcHS72nHw5xzvUp2P5
        6f/GNlsrbWc/W7rV82alKzMGuKIE47LmEpy1zH9phk6u3/smy8RIkTocnyAtAgMB
        AAEwDQYJKoZIhvcNAQEEBQADQQCzH/6uH4YS/7mZjkfnGzuIlUgchCNjC6DQ5c94
        eh8O8CkAwcqF84lazyjBzrkss4qbSk8DFsb7gdss1QrCIwsH
        -----END CERTIFICATE-----
 

        (config-ssl-cert[new_cert])#

Step 4

Create your SCA server rule.

        (config[sslone])# ssl
        (config-ssl[sslone])# server new_server create
        (config-ssl-server[mark])# ip address 192.168.1.1
        (config-ssl-server[mark])# remoteport 81
        (config-ssl-server[mark])# no transparent
        (config-ssl-server[mark])# key new_key
        (config-ssl-server[mark])# cert new_cert
        (config-ssl-server[mark])# exit
        %% No SecPolicy provided, using default!
        (config-ssl[sslone])# exit
        (config[sslone])# exit
        sslone# write mem

Note: You will get a warning message if the private key and certificate do not match. In this example, a warning was issued because no security policy was selected; the default was used.

Troubleshooting


Useful show commands:

  • show ssl key — This command provides information on the key and whether it is valid.
  • show ssl cert — This command lists the contents of the certificate and the server rules that the certificate has been added to.

To find additional information on the certificate, you can use OpenSSL to view it. The asn1parse output shows the ASN.1 structure of the file and reveals whether the certificate is in a PKCS format:

        OpenSSL> asn1parse -in d:/tmp/cert.pem
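As an added example, not Cisco's code and not part of the original document, here is a small Python 3 parser (standard library only) that does for the two structures in this document what the asn1parse check above does by hand: it walks the DER of the CSR from Step 2 and the certificate from Step 3, prints the subject of each, and confirms that the certificate carries exactly the public key that was in the CSR, which is the relationship behind the key/certificate mismatch warning mentioned in Step 4. The two PEM blocks are copied from this page; the function names and the OID table are my own.

```python
import base64

# Subject attribute OIDs that appear in the CSR and certificate on this page.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}

def pem_to_der(pem):
    """Drop the -----BEGIN/END----- lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    arcs, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def parse_name(value):
    """Flatten an X.501 Name (SEQUENCE OF SET OF {oid, string}) into a dict."""
    name = {}
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            name[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode("latin-1")
    return name

def parse_csr(pem):
    """PKCS#10: CertificationRequest { info { version, subject, spki, attrs }, sigAlg, sig }."""
    _, csr, _ = read_tlv(pem_to_der(pem), 0)
    info = list(children(list(children(csr))[0][1]))
    return parse_name(info[1][1]), info[2][1]      # (subject, SubjectPublicKeyInfo body)

def parse_cert(pem):
    """X.509: Certificate { tbs { [0] version?, serial, sigAlg, issuer, validity, subject, spki }, .. }."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)
    tbs = list(children(list(children(cert))[0][1]))
    if tbs[0][0] == 0xA0:                      # explicit version tag is absent on v1 certificates
        tbs = tbs[1:]
    return parse_name(tbs[4][1]), tbs[5][1]

def cert_matches_csr(cert_pem, csr_pem):
    """True when the certificate carries exactly the public key that was in the CSR."""
    return parse_cert(cert_pem)[1] == parse_csr(csr_pem)[1]

# The CSR and certificate exactly as shown in Steps 2 and 3 of this document.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
dHRzMRMwEQYDVQQHEwpCb3hib3JvdWdoMQ4wDAYDVQQKEwVDaXNjbzEQMA4GA1UE
CxMHU3VwcG9ydDEbMBkGA1UEAxMSd3d3LnlvdXJkb21haW4uY29tMSMwIQYJKoZI
hvcNAQkBFhRhZG1pbkB5b3VyZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAv5LUR/fp1XBHj6A6T7W5cyW3795Kudv8ff3nSAxrbcMA5nkWPUfI
uLTUh/hDllgxXDc1dQNQlQFCfQ9CINswyuOzZZKbMVwdLvacfDnHO9SnY/np/8Y2
WyttZz9butXzZqUrMwa4ogTjsuYSnLXMf2mGTq7f+ybLxEiROhyfIC0CAwEAAaAA
MA0GCSqGSIb3DQEBBAUAA4GBAC3DxU3kjApdaPtz8S3cQMApj+0xrgv6/Utz+tMA
iYYD09jGnsihV7+igni4TiEGtEoXFTisJOUjEC+bhmo206iJ4TUQUVJqCfzh/JNX
OzLoapnbIh2DTZKVVcwywyzGplV3kTGkShp9DIRH494BE6mHLNLPyyCX2oB7sUgJ
plal
-----END CERTIFICATE REQUEST-----"""
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICYDCCAgoCEAvjXPTFkpcaO3WR0Yy/zFswDQYJKoZIhvcNAQEEBQAwgakxFjAU
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAyMDQwMTAwMDAwMFoXDTAyMDQxNTIz
NTk1OVoweTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzAR
BgNVBAcUCkJveGJvcm91Z2gxDjAMBgNVBAoUBUNpc2NvMRAwDgYDVQQLFAdTdXBw
b3J0MRswGQYDVQQDFBJ3d3cueW91cmRvbWFpbi5jb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAL+S1Ef36dVwR4+gOk+1uXMlt+/eSrnb/H3950gMa23DAOZ5
Fj1HyLi01If4Q5ZYMVw3NXUDUJUBQn0PQiDbMMrjs2WSmzFcHS72nHw5xzvUp2P5
6f/GNlsrbWc/W7rV82alKzMGuKIE47LmEpy1zH9phk6u3/smy8RIkTocnyAtAgMB
AAEwDQYJKoZIhvcNAQEEBQADQQCzH/6uH4YS/7mZjkfnGzuIlUgchCNjC6DQ5c94
eh8O8CkAwcqF84lazyjBzrkss4qbSk8DFsb7gdss1QrCIwsH
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    print("CSR subject: ", parse_csr(CSR_PEM)[0])
    print("Cert subject:", parse_cert(CERT_PEM)[0])
    print("certificate public key == CSR public key:", cert_matches_csr(CERT_PEM, CSR_PEM))
```

Two things the parse makes visible that the transcript alone does not: the Organization Name actually encoded in the CSR is "Cisco", the value the summary shows, not the "Cisco Systems" typed at the prompt, and the test certificate the CA returned carries the same 1024-bit RSA public key as the CSR but omits the emailAddress attribute from its subject. A certificate whose public key does not equal the CSR's is the case that triggers the SCA's mismatch warning.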

If PEM paste is not working and you discover the certificate is in PKCS-7 or PKCS-12 format, you can use the import command on the SCA to import the certificate:

        (config-ssl[sslone])# import pkcs12 tftp://10.1.1.101 new_cert.pem

Related Information
