Document ID: 22400
Updated: May 24, 2004
Contents
Introduction
Components Used
Before You Begin
Creating a Certificate Signing Request Via Telnet on the SCA
Step-by-Step Instructions
Troubleshooting
Related Information
Introduction
This document describes how to create a certificate signing request (CSR) on the Cisco Content Services Switch Secure Content Accelerator (CSS SCA) via telnet.
Components Used
- SCA running 3.1.0.27 code or higher
- Telnet
- Certificate Authority
Before You Begin
Make sure you know the fully qualified domain name used for your server or VIP address. The domain name clients use to connect to your site must match the domain name on your certificate.
Creating a Certificate Signing Request Via Telnet on the SCA
The SCA uses OpenSSL to create the certificate requests and private keys. OpenSSL is an industry-accepted implementation and is used in many other SSL devices, including Apache web servers. For more information on OpenSSL, refer to The OpenSSL Project.
It is very important to back up your certificate and private keys. The certificate is useless without the private key. The first step shows how to create a private key on the SCA and export it to a TFTP server. The second step shows how to create a certificate signing request (CSR) using the private key you just created. Finally, you are shown how to import the certificate your Certificate Authority (CA) created based on your CSR. You should also save the certificate that you receive from the CA.
Step-by-Step Instructions
Step 1
The first step is to create the private key. For security purposes, encrypt the private key with a passphrase. You are asked to enter a passphrase and then to verify it by typing it in again.
This example creates a 1024-bit private key, DES-encrypted using a passphrase, and writes the key to a TFTP server with IP address 10.1.1.101.
sslone# config
(config[sslone])# ssl
(config-ssl[sslone])# key new_key create
(config-ssl-key[new_key])# genrsa bits 1024 encrypt des output tftp://10.1.1.101/new_key
Enter PEM pass phrase for key encryption:
Verifying password - Enter PEM phrase for key encryption:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0FAFA1822C899B45
...
-----END RSA PRIVATE KEY-----
Writing RSA key to: tftp://10.1.1.101/new_key
Sent 958 bytes in 0.2 seconds [38320 bits/sec]
(config-ssl-key[new_key])#
The private key will always be displayed and stored locally upon successful creation, even if it could not be copied to the TFTP server.
Step 2
Create the CSR. Issue the gencsr key command, specifying the private key you just created. You are prompted to enter this information:
- Country
- State or Province
- Locality
- Organization Name
- Organizational Unit Name
- Domain Name
- Email Address
(config-ssl[sslone])# gencsr key new_key
The following information will be incorporated into your CSR (Certificate
signing request): Country, State or Province, Locality, Organization
Name, Organizational Unit Name, Domain Name, and Email Address).
Enter the two-letter ISO abbreviation for your country (for example, US
for the United States):
Example: US
=> Country []: US
Enter the name of the state or province where your organization's head
office is located. Please enter the full name (do not abbreviate).
Example: California
=> State or Province []: Massachusetts
Enter the name of the city where your organization's head office is
located.
Example: San Jose
=> Locality []: Boxborough
Enter the name of the organization that owns the domain name. The
organization name (corporation, limited partnership, university, or
government agency) must be registered with some authority at the national,
state, or city level. Use the legal name under which your organization is
registered. Please do not abbreviate your organization's name and DO NOT
use any of the following characters:
> ~ ! @ # $ ^ * / \ ( ) ?.
Example: Example Corporation
=> Organization Name []: Cisco Systems
Enter the name of the department or group that will use the certificate.
Example: IT Department
=> Organizational Unit Name []: Support
Enter the "fully qualified domain name" (or FQDN) used for DNS lookups
of your server (for example: www.example.com). Browsers use this
information to identify your Web site. Some browsers will refuse to
establish a secure connection with your site if the server name does not
match the Domain Name in the certificate. Please do not include the
protocol specifier "http://" or any port numbers or path names. Do not
use wildcard characters such as * or ?, and do not use an IP address.
Example: www.example.com
=> Domain Name / Common Name []: www.yourdomain.com
Enter the e-mail address of the administrator responsible for the
certificate.
Example: admin@example.com
=> Email address []: admin@yourdomain.com
Summary of your Certificate Signing Request:
Country: US
State or Province: Massachusetts
Locality: Boxborough
Organization Name: Cisco
Organizational Unit Name: Support
Domain Name: www.yourdomain.com
Email address: admin@yourdomain.com
Is the above information correct? (y/n): y
Your CSR is displayed below.
To submit the CSR to a certifying authority (CA), like Verisign, cut and
paste the following into the field provided in the CA's online request
form. Remember to include the beginning and ending tags,
"-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----"
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Would you like to save certificate request to a URL ? (y/n): n
Would you like to self sign this certificate ? (y/n): n
(config-ssl[sslone])#
Copy the certificate request text, including the BEGIN and END tags, and provide it to the Certificate Authority (CA) of your choice. The CA will provide you with the resulting certificate. Most certificate authorities will allow you to request a test certificate.
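The checks below are an added example, not part of the Cisco document: they repeat Steps 1 and 2 with the OpenSSL command line on a workstation and then verify the CSR before it goes to a CA (signature intact, Common Name equal to the FQDN from "Before You Begin", public key belonging to the key you backed up). It assumes the openssl CLI is installed; the passphrase and file names are constructed, and it uses 2048-bit RSA with 3DES instead of the document's 1024-bit DES, which current OpenSSL builds treat as legacy.

```shell
#!/bin/sh
# Added example (not the SCA's own code). Assumes: openssl CLI present.
# Passphrase, directory and file names below are constructed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/new_key"
CSR="$WORKDIR/new_csr.pem"
PASS="example-passphrase"   # constructed; never hard-code a real one
SUBJ="/C=US/ST=Massachusetts/L=Boxborough/O=Cisco Systems/OU=Support"
SUBJ="$SUBJ/CN=www.yourdomain.com/emailAddress=admin@yourdomain.com"

# Step 1 equivalent: passphrase-encrypted RSA private key (genrsa on the SCA).
# 2048-bit / 3DES replace the document's 1024-bit / DES (legacy in OpenSSL 3).
gen_key() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 2 equivalent: CSR signed with that key, carrying the same subject
# fields the gencsr dialogue prompts for.
gen_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PASS" -subj "$SUBJ" \
        -out "$CSR" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies, so the PEM was not mangled
# while being cut and pasted.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 2: the Common Name is the FQDN clients will connect to.
csr_common_name() {
    openssl req -in "$CSR" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN=//p'
}

# Check 3: the CSR's public key has the same RSA modulus as the backed-up
# private key; a certificate issued for any other key is useless here.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -passin "pass:$PASS" -noout -modulus)
    c=$(openssl req -in "$CSR" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

gen_key && gen_csr
csr_signature_ok && [ "$(csr_common_name)" = "www.yourdomain.com" ] \
    && key_matches_csr && echo "CSR in $CSR is consistent with $KEY"
```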
Step 3
Once the certificate has been received, you can use the Privacy-Enhanced Mail (PEM) paste feature to upload the certificate to the SCA.
(config-ssl[sslone])# cert new_cert create
(config-ssl-cert[new_cert])# pem-paste
Paste Data, then press enter until prompt returns
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
(config-ssl-cert[new_cert])#
Step 4
Create your SCA server rule.
(config[sslone])# ssl
(config-ssl[sslone])# server new_server create
(config-ssl-server[mark])# ip address 192.168.1.1
(config-ssl-server[mark])# remoteport 81
(config-ssl-server[mark])# no transparent
(config-ssl-server[mark])# key new_key
(config-ssl-server[mark])# cert new_cert
(config-ssl-server[mark])# exit
%% No SecPolicy provided, using default!
(config-ssl[sslone])# exit
(config[sslone])# exit
sslone# write mem
Note: You will get a warning message if the private key and certificate do not match. In this example, the warning was issued because no security policy was selected, so the default was used.
Troubleshooting
Useful show commands:
- show ssl key — This command provides information on the key and if it is valid.
- show ssl cert — This command lists the contents of the certificate and list server rules that the certificate has been added to.
You can also inspect the structure of a certificate with OpenSSL on a workstation:
OpenSSL> asn1parse -in d:/tmp/cert.pem
If PEM paste is not working, and you discover the certificate is in PKCS-7 or PKCS-12 format, you can use the import command on the SCA to import the certificate:
(config-ssl[sslone])# import pkcs12 tftp://10.1.1.101 new_cert.pem
Related Information
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.
