This document describes how to create a certificate signing request (CSR) on the Cisco Content Services Switch Secure Content Accelerator (CSS SCA) via telnet.
SCA running 220.127.116.11 code or higher
Before You Begin
Make sure you know the fully qualified domain name used for your server or VIP address. The domain name clients use to connect to your site must match the domain name on your certificate.
Creating a Certificate Signing Request Via Telnet on the SCA
The SCA uses OpenSSL to create the certificate requests and private keys. OpenSSL an industry-accepted implementation, and is used in many other ssl devices, including Apache web servers. For more information on OpenSSL, refer to
The OpenSSL Project.
It is very important to backup your certificate and private keys. The certificate is useless without the private key. In the first step you will be shown how to create a private key on the SCA and have it exported to a tftp server. In the second step, you will be shown how to create a certificate signing request (CSR) using the private key you just created. Finally, you will be shown how to import the certificate your Certificate Authority (CA) created, based on your certificate signing request. You should also save the certificate that you receive from the Certificate Authority.
The first step is to create the private key. For security purposes, make sure you encrypt the private key with a passphrase. You will be asked to enter a passphrase, and then to verify the passphrase by typing it in again.
This example creates a 1024 bits private key, DES encrypted using a passphrase, and write the key to a TFTP server with IP address 10.1.1.101.
sslone# config (config[sslone])# ssl (config-ssl[sslone])# key new_key create config-ssl-key[new_key])# genrsa bits 1024 encrypt des output tftp://10.1.1.101/new_key Enter PEM pass phrase for key encryption: Verifying password - Enter PEM phrase for key encryption: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-CBC,0FAFA1822C899B45
Writing RSA key to: tftp://10.1.1.101/new_key Sent 958 bytes in 0.2 seconds [38320 bits/sec] (config-ssl-key[new_key])#
The private key will always be displayed and stored locally upon successful creation, even if it could not be copied to the TFTP server.
Create the CSR. Issue the command gencsr key (specify the private key you just created). You will be prompted to enter this information:
State or Province
Organizational Unit Name
(config-ssl[sslone])# gencsr key new_key
The following information will be incorporated into your CSR (Certificate signing request): Country, State or Province, Locality, Organization Name, Organizational Unit Name, Domain Name, and Email Address).
Enter the two-letter ISO abbreviation for your country (for example, US for the United States): Example: US => Country : US
Enter the name of the state or province where your organization's head office is located. Please enter the full name (do not abbreviate). Example: California => State or Province : Massachusetts
Enter the name of the city where your organization's head office is located. Example: San Jose => Locality : Boxborough
Enter the name of the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Please do not abbreviate your organization's name and DO NOT use any of the following characters: > ~ ! @ # $ ^ * / \ ( ) ?. Example: Example Corporation => Organization Name :Cisco Systems
Enter the name of the department or group that will use the certificate.
Example: IT Department => Organizational Unit Name : Support
Enter the "fully qualified domain name" (or FQDN) used for DNS lookups of your server (for example: www.example.com). Browsers use this information to identify your Web site. Some browsers will refuse to establish a secure connection with your site if the server name does not match the Domain Name in the certificate. Please do not include the protocol specifier "http://" or any port numbers or path names. Do not use wildcard characters such as * or ?, and do not use an IP address. Example: www.example.com => Domain Name / Common Name :www.yourdomain.com
Enter the e-mail address of the administrator responsible for the certificate. Example: firstname.lastname@example.org => Email address : email@example.com Summary of your Certificate Signing Request:
Country: US State or Province: Massachusetts Locality: Boxborough Organization Name: Cisco Organizational Unit Name: Support Domain Name: www.yourdomain.com Email address: firstname.lastname@example.org
Is the above information correct? (y/n): y
Your CSR is displayed below. To submit the CSR to a certifying authority (CA), like Verisign, cut and paste the following into the field provided in the CA's online request form. Remember to include the beginning and ending tags, -----BEGIN CERTIFICATE REQUEST-----" and -----END CERTIFICATE REQUEST-----"
Would you like to save certificate request to a URL ? (y/n): n Would you like to self sign this certificate ? (y/n): n (config-ssl[sslone])#
Copy and paste the bolded section and provide this to the Certificate Authority (CA) of your choice. They will provide you with the resulting certificate. Most certificate authorities will allow you to request a test certificate.
Once the certificate has been received, you can use the Privacy-Enhanced Mail (PEM) paste feature to upload the certificate to the SCA.