Cisco SCA 11000 Series Secure Content Accelerators

How to Create a Certificate Signing Request on the CSS SCA

Document ID: 22400

Updated: May 24, 2004



          Components Used
          Before You Begin
          Creating a Certificate Signing Request Via Telnet on the SCA
          Step-by-Step Instructions
          Related Information


This document describes how to create a certificate signing request (CSR) on the Cisco Content Services Switch Secure Content Accelerator (CSS SCA) via telnet.

Components Used

  •     SCA running code or higher
  •     Telnet
  •     Certificate Authority

Before You Begin

 Make sure you know the fully qualified domain name used for your server or VIP address. The domain name clients use to connect to your site must match the domain name on your certificate.

Creating a Certificate Signing Request Via Telnet on the SCA

The SCA uses OpenSSL to create the certificate requests and private keys. OpenSSL is an industry-accepted implementation and is used in many other SSL devices, including Apache web servers. For more information on OpenSSL, refer to The OpenSSL Project.

It is very important to back up your certificate and private keys. The certificate is useless without the private key. In the first step you create a private key on the SCA and export it to a TFTP server. In the second step you create a certificate signing request (CSR) using the private key you just created. Finally, you import the certificate your Certificate Authority (CA) issued based on that CSR. You should also save the certificate that you receive from the Certificate Authority.

Step-by-Step Instructions

Step 1

The first step is to create the private key. For security purposes, make sure you encrypt the private key with a passphrase. You will be asked to enter a passphrase, and then to verify the passphrase by typing it in again.

This example creates a 1024-bit private key, encrypts it with DES using a passphrase, and writes the key to a TFTP server with IP address

        sslone# config
        (config[sslone])# ssl
        (config-ssl[sslone])# key new_key create
        (config-ssl-key[new_key])# genrsa bits 1024 encrypt des output tftp://
        Enter PEM pass phrase for key encryption:
        Verifying password - Enter PEM phrase for key encryption:
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-CBC,0FAFA1822C899B45

        -----END RSA PRIVATE KEY-----

        Writing RSA key to: tftp://
        Sent 958 bytes in 0.2 seconds [38320 bits/sec]

The private key will always be displayed and stored locally upon successful creation, even if it could not be copied to the TFTP server.

Step 2

Create the CSR. Issue the command gencsr key (specify the private key you just created). You will be prompted to enter this information:

  • Country
  • State or Province
  • Locality
  • Organization Name
  • Organizational Unit Name
  • Domain Name
  • Email Address

        (config-ssl[sslone])# gencsr key new_key

        The following information will be incorporated into your CSR (Certificate
        signing request):  Country, State or Province, Locality, Organization
        Name, Organizational Unit Name, Domain Name, and Email Address).

        Enter the two-letter ISO abbreviation for your country (for example, US
        for the United States):
         Example: US
        => Country []: US

        Enter the name of the state or province where your organization's head
        office is located.  Please enter the full name (do not abbreviate).
         Example: California
        => State or Province []: Massachusetts

        Enter the name of the city where your organization's head office is
         Example: San Jose
        => Locality []: Boxborough

        Enter the name of the organization that owns the domain name. The
        organization name (corporation, limited partnership, university, or
        government agency) must be registered with some authority at the national,
        state, or city level. Use the legal name under which your organization is
        registered. Please do not abbreviate your organization's name and DO NOT
        use any of the following characters:
         > ~ ! @ # $ ^ * / \ ( ) ?.
         Example: Example Corporation
        => Organization Name []:Cisco Systems

        Enter the name of the department or group that will use the certificate.

         Example: IT Department
        => Organizational Unit Name []: Support

        Enter the "fully qualified domain name" (or FQDN) used  for DNS lookups
        of your server (for example:  Browsers use this
        information to identify your Web site.  Some browsers will refuse to
        establish a secure connection  with your site if the server name does not
        match the  Domain Name in the certificate.  Please do not include  the
        protocol specifier "http://" or any port numbers or  path names.  Do not
        use wildcard characters such as * or ?,  and do not use an IP address.
        => Domain Name / Common Name []

        Enter the e-mail address of the administrator responsible for the
        => Email address []:
        Summary of your Certificate Signing Request:

        Country: US
        State or Province: Massachusetts
        Locality: Boxborough
        Organization Name: Cisco
        Organizational Unit Name: Support
        Domain Name:
        Email address:

        Is the above information correct? (y/n): y

        Your CSR is displayed below.
        To submit the CSR to a certifying authority (CA), like Verisign, cut and
        paste the following into the field provided in the CA's online request
        form. Remember to include the beginning and ending tags,
        -----BEGIN CERTIFICATE REQUEST-----" and
        -----END CERTIFICATE REQUEST-----"


        Would you like to save certificate request to a URL ? (y/n): n
        Would you like to self sign this certificate ? (y/n): n

Copy and paste the CSR, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and provide it to the Certificate Authority (CA) of your choice. The CA will return the resulting certificate. Most certificate authorities will allow you to request a test certificate.
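The gencsr prompts in Step 2 spell out rules for each field (a two-letter ISO country code, no special characters in the organization name, no protocol specifier, port, path, wildcard or IP address in the domain name), and the Before You Begin section requires that the domain name match the name clients use to reach the site. Those rules can be checked before the telnet session begins. The following is an added example in Python (standard library only); it is not part of this Cisco document and not SCA code, and the field names, the validate_csr_fields and check_domain_name functions, and the sample values are the example's own assumptions.

```python
"""Pre-flight check of CSR subject fields for the SCA 'gencsr' prompts.

Added example in plain Python (standard library only); not Cisco or SCA
code. Field names, function names and sample values are this example's
own assumptions; the rules encoded are the ones the gencsr prompts state.
"""
import ipaddress
import re

# Characters the Organization Name prompt says must not be used
FORBIDDEN_ORG_CHARS = set('>~!@#$^*/\\()?')


def check_domain_name(name):
    """Apply the Domain Name / Common Name prompt rules; return a list of problems."""
    problems = []
    host = name.strip()
    if "://" in host:
        problems.append("domain: do not include the protocol specifier")
        host = host.split("://", 1)[1]
    if "/" in host:
        problems.append("domain: do not include path names")
        host = host.split("/", 1)[0]
    if ":" in host:
        problems.append("domain: do not include port numbers")
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)           # succeeds only for a literal IP
        problems.append("domain: do not use an IP address")
        return problems
    except ValueError:
        pass
    if "*" in host or "?" in host:
        problems.append("domain: do not use wildcard characters such as * or ?")
        return problems
    # A fully qualified name: at least two DNS labels, each 1-63 legal characters
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", l) for l in labels):
        problems.append("domain: must be a fully qualified domain name (for example host.example.com)")
    return problems


def names_match(cert_name, client_name):
    """Case-insensitive FQDN comparison, ignoring a trailing dot."""
    norm = lambda s: s.strip().rstrip(".").lower()
    return norm(cert_name) == norm(client_name)


def validate_csr_fields(fields, client_hostname=None):
    """Return a list of problems with the CSR subject fields (empty means OK).

    fields: dict with keys country, state, locality, organization,
            organizational_unit, domain, email (assumed key names).
    client_hostname: the name clients actually use to connect, if known.
    """
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", fields.get("country", "")):
        problems.append("country: must be the two-letter ISO code, for example US")
    org = fields.get("organization", "")
    bad = sorted(set(org) & FORBIDDEN_ORG_CHARS)
    if bad:
        problems.append("organization: contains forbidden characters: " + " ".join(bad))
    if not org.strip():
        problems.append("organization: enter the registered legal name")
    problems.extend(check_domain_name(fields.get("domain", "")))
    if client_hostname is not None and not names_match(fields.get("domain", ""), client_hostname):
        problems.append("domain: clients connect to %r, which does not match %r"
                        % (client_hostname, fields.get("domain", "")))
    return problems


# Constructed sample input mirroring the session in Step 2
SAMPLE_FIELDS = {
    "country": "US",
    "state": "Massachusetts",
    "locality": "Boxborough",
    "organization": "Cisco Systems",
    "organizational_unit": "Support",
    "domain": "www.example.com",          # placeholder FQDN, not from the document
    "email": "admin@example.com",         # placeholder address
}

if __name__ == "__main__":
    print(validate_csr_fields(SAMPLE_FIELDS, client_hostname="WWW.EXAMPLE.COM"))
    broken = dict(SAMPLE_FIELDS, country="usa", organization="Cisco (Systems)",
                  domain="https://www.example.com:443/")
    for p in validate_csr_fields(broken):
        print("-", p)
```

Run it with the site's real values substituted for the placeholders; an empty list means every prompt can be answered as entered. The client_hostname comparison is the check that matters most in practice, since a certificate whose Common Name differs from the name users type produces browser warnings even when the CA has signed it.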

Step 3

Once the certificate has been received, you can use the Privacy-Enhanced Mail (PEM) paste feature to upload the certificate to the SCA.

        (config-ssl[sslone])# cert new_cert create
        (config-ssl-cert[new_cert])# pem-paste
        Paste Data, then press enter until prompt returns
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----


Step 4

Create your SCA server rule.

        (config[sslone])# ssl
        (config-ssl[sslone])# server new_server create
        (config-ssl-server[new_server])# ip address
        (config-ssl-server[new_server])# remoteport 81
        (config-ssl-server[new_server])# no transparent
        (config-ssl-server[new_server])# key new_key
        (config-ssl-server[new_server])# cert new_cert
        (config-ssl-server[new_server])# exit
        %% No SecPolicy provided, using default!
        (config-ssl[sslone])# exit
        (config[sslone])# exit
        sslone# write mem

Note: You will get a warning message if the private key and certificate do not match. In this example, a warning was issued because no security policy was selected; the default was used.


Useful show commands:

  • show ssl key — This command provides information on the key and whether it is valid.
  • show ssl cert — This command lists the contents of the certificate and the server rules that the certificate has been added to.

To find additional information on the certificate, you can use OpenSSL to view it. The asn1parse command dumps the ASN.1 structure of the file, which shows whether it is a plain X.509 certificate or a PKCS container:

        OpenSSL> asn1parse -in d:/tmp/cert.pem

If PEM paste is not working and you discover that the certificate is in PKCS-7 or PKCS-12 format, you can use the import command on the SCA to import the certificate:

        (config-ssl[sslone])# import pkcs12 tftp:// new_cert.pem
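Step 1 shows what an encrypted key looks like when the SCA prints it (the Proc-Type: 4,ENCRYPTED and DEK-Info headers above the base64 body), and the troubleshooting note above uses OpenSSL asn1parse to find out whether the CA returned a single X.509 certificate or a PKCS container before choosing between pem-paste and import. The following added example (not Cisco or SCA code; Python standard library only) performs the same outer-structure check offline: it splits a PEM file into blocks, reads the RFC 1421 encryption headers, walks the outermost DER tag-length-value and reports which SCA command applies. All sample blobs are constructed toy DER structures, not real keys or certificates, and the verdict codes, function names and advice strings are this example's own.

```python
"""Offline format check for the PEM material handled in this procedure.

Added example (not Cisco's code); Python standard library only. It does by
hand what 'openssl asn1parse' shows for the outer ASN.1 structure, so you can
tell an X.509 certificate (pem-paste) from a PKCS#7 bundle (import) before
touching the SCA, and confirm that a private key was written encrypted.
A PKCS#12 file is binary DER rather than PEM and is not covered here.
All sample blobs below are constructed toys, not valid credentials.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData (RFC 2315)

# Verdict codes (this example's own) and what they mean for the SCA procedure
ADVICE = {
    "ENCRYPTED_KEY": "private key is passphrase-protected, as Step 1 requires",
    "UNENCRYPTED_KEY": "private key is NOT encrypted; regenerate with 'encrypt des' and a passphrase",
    "CSR": "PKCS#10 request; submit this to the CA",
    "X509_CERT": "single X.509 certificate; load it with 'pem-paste'",
    "PKCS7": "PKCS#7 SignedData bundle; pem-paste will fail, use the 'import' command",
    "MALFORMED": "payload is not a DER SEQUENCE; recopy including the BEGIN/END lines",
    "UNKNOWN": "unrecognised PEM label",
}


def parse_pem(text):
    """Split text into PEM blocks -> [(label, RFC 1421 headers, DER bytes)]."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in body.strip().splitlines():
            line = line.strip()
            if ":" in line:              # Proc-Type / DEK-Info header; base64 never contains ':'
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line:
                b64.append(line)
        blocks.append((label, headers, base64.b64decode("".join(b64))))
    return blocks


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify(label, headers, der):
    """Return one of the ADVICE verdict codes for a single PEM block."""
    if label == "RSA PRIVATE KEY" and headers.get("Proc-Type") == "4,ENCRYPTED":
        return "ENCRYPTED_KEY"           # body is ciphertext, so there is no DER to walk
    if len(der) < 2 or der[0] != 0x30:
        return "MALFORMED"
    _, outer, _ = read_tlv(der)
    if label == "RSA PRIVATE KEY":
        return "UNENCRYPTED_KEY"
    if label == "CERTIFICATE REQUEST":
        return "CSR"
    if label in ("CERTIFICATE", "PKCS7"):
        if len(outer) < 2:
            return "MALFORMED"
        inner_tag, inner, _ = read_tlv(outer)
        # PKCS#7 ContentInfo opens with the contentType OID; a Certificate opens
        # with the tbsCertificate SEQUENCE.
        if inner_tag == 0x06 and decode_oid(inner) == OID_PKCS7_SIGNED_DATA:
            return "PKCS7"
        if inner_tag == 0x30:
            return "X509_CERT"
        return "MALFORMED"
    return "UNKNOWN"


def check_pem_file(text):
    """Return [(label, verdict, advice)] for every PEM block in text."""
    results = []
    for label, headers, der in parse_pem(text):
        verdict = classify(label, headers, der)
        results.append((label, verdict, ADVICE[verdict]))
    return results


def der_tlv(tag, value):
    """DER-encode one TLV; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def pem_wrap(label, der, headers=""):
    """Wrap bytes in PEM armour with optional RFC 1421 header lines."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)


# Constructed samples: toy DER shapes, not real keys or certificates
SAMPLE_ENCRYPTED_KEY = pem_wrap("RSA PRIVATE KEY", b"\x00" * 16,
                                "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-CBC,0FAFA1822C899B45\n\n")
SAMPLE_PLAIN_KEY = pem_wrap("RSA PRIVATE KEY", der_tlv(0x30, der_tlv(0x02, b"\x00")))
SAMPLE_CSR = pem_wrap("CERTIFICATE REQUEST", der_tlv(
    0x30, der_tlv(0x30, der_tlv(0x02, b"\x00")) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00")))
SAMPLE_CERT = pem_wrap("CERTIFICATE", der_tlv(
    0x30, der_tlv(0x30, der_tlv(0x02, b"\x02")) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00")))
SAMPLE_PKCS7 = pem_wrap("PKCS7", der_tlv(
    0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010702")) + der_tlv(0xA0, der_tlv(0x30, b""))))

if __name__ == "__main__":
    for sample in (SAMPLE_ENCRYPTED_KEY, SAMPLE_PLAIN_KEY, SAMPLE_CSR, SAMPLE_CERT, SAMPLE_PKCS7):
        for label, verdict, advice in check_pem_file(sample):
            print("%-20s %-15s %s" % (label, verdict, advice))
```

Point check_pem_file at the text of the file the CA returned before pasting it into the SCA: an X509_CERT verdict means pem-paste is the right tool, PKCS7 means the import command is needed, and an UNENCRYPTED_KEY verdict on a key backup means Step 1 should be repeated with the encrypt option.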

Related Information
