Document ID: 43700
Contents
Introduction
Before You Begin
Conventions
Prerequisites
Components Used
Create A Certificate Signing Request on the CSS11500
Step-by-Step Instructions
Verify
Troubleshoot
Related Information
Introduction
This document describes how to create and upload a Certificate Signing Request (CSR) on the CSS11500 series switch.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
You need the following information to create and upload the CSR:
- Country Name (2 letter code)
- State or Province (full name)
- Locality Name (city) [SomeCity]
- Organization Name (company name)
- Organizational Unit Name (section) [Web Administration]
- Common Name (your domain name) [www.acme.com]
- Email address [webadmin@acme.com ]
- CSS11500 series switch with Secure Socket Layer (SSL) module
- WebNS 7.10 or higher
- FTP or Secure FTP (SFTP) server
- FTP record configured on the CSS
Components Used
The information in this document is based on the software and hardware versions below.
- CSS11506
- WebNS 7.20
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Create A Certificate Signing Request on the CSS11500
Step-by-Step Instructions
In this section, you are presented with the information to configure the features described in this document.
- Create the public/private key pair. You need to specify the number of bits, a filename, and a password to protect the public/private key pair.

CSS11506(config)# ssl genrsa rsa1024.pem 1024 "system"
Warning this operation could take a while and can cause your console to not respond while the operation is ongoing
Do you want to continue?, [y/n]:y
CSS11506(config)#

!--- If you issue the show ssl files command, you will
!--- see that the key pair has been created.

CSS11506(config)# show ssl files
File Name          File Type   File Size
----------------   ---------   ------------
rsa1024.pem        PEM         887
- Associate the key.

CSS11506(config)# ssl associate rsakey test-ssl rsa1024.pem

!--- test-ssl is the name of the association.

View Associations

CSS11506(config)# show ssl associate
Certificate Name   File Name     Used by List
----------------   ---------     ------------

RSA Key Name       File Name     Used by List
------------       ---------     ------------
test-ssl           rsa1024.pem   no

DH Param Name      File Name     Used by List
-------------      ---------     ------------

DSA Key Name       File Name     Used by List
------------       ---------     ------------
- Create the CSR.

CSS11506(config)# ssl gencsr test-ssl

!--- test-ssl is the name of the association.

CSS11506(config)# ssl gencsr test-ssl

!--- You will be asked to enter information
!--- that will be incorporated into your certificate
!--- request. What you are about to enter is
!--- called a Distinguished Name or a DN.
!--- For some fields, there will be a default value.
!--- If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]US
State or Province (full name) [SomeState]Massachusetts
Locality Name (city) [SomeCity]Boxborough
Organization Name (company name) [Acme Inc]Testing SSL
Organizational Unit Name (section) [Web Administration]SSL Admin
Common Name (your domain name) [www.acme.com]www.testingssl.com
Email address [webadmin@acme.com ]webadmin@testingssl.com
- Email the CSR to your Certificate Authority (CA).
- Upload the certificate to the CSS. Save the certificate that you receive from your CA as an ASCII file, and upload it to an FTP or SFTP server.
Copy the certificate to the CSS. SFTP is recommended; however, you can also use FTP.

CSS11506# copy ssl ftp ftpserver import sslcert.pem PEM "system"

!--- sslcert.pem is the certificate file, and system is the password
!--- used when the key pair was created.

CSS11506# show ssl files
File Name          File Type   File Size
----------------   ---------   ------------
rsa1024.pem        PEM         887
sslcert.pem        PEM         1210          ****new cert****
- Associate the certificate.

CSS11506(config)# ssl associate cert test-ssl sslcert.pem

!--- Verify the association.

CSS11506(config)# show ssl associate
Certificate Name   File Name     Used by List
----------------   ---------     ------------
test-ssl           sslcert.pem   no

RSA Key Name       File Name     Used by List
------------       ---------     ------------
test-ssl           rsa1024.pem   no

DH Param Name      File Name     Used by List
-------------      ---------     ------------

DSA Key Name       File Name     Used by List
------------       ---------     ------------
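The certificate saved on the FTP or SFTP server can be checked against the CSR that was sent to the CA before it is imported and associated on the CSS. The following is an added example, not part of the original Cisco document and not a CSS command: a standard-library Python check, run on the server, that the certificate carries the same public key as the CSR and reports whether the RSA modulus meets a minimum size. The script name check_cert.py and the 2048-bit default threshold are assumptions of this example.

```python
import base64
import sys

def pem_to_der(pem):
    """Decode the base64 body between the -----BEGIN/END----- lines."""
    return base64.b64decode("".join(
        ln for ln in pem.strip().splitlines() if not ln.startswith("-----")))

def tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def children(buf, pos=0):
    """(tag, start, value_start, end) of each element in the SEQUENCE at pos."""
    _, cur, end = tlv(buf, pos)
    out = []
    while cur < end:
        tag, vs, ve = tlv(buf, cur)
        out.append((tag, cur, vs, ve))
        cur = ve
    return out

def spki(der, is_cert):
    """Raw SubjectPublicKeyInfo of a PKCS#10 CSR or an X.509 certificate."""
    fields = children(der, children(der)[0][1])  # request info / TBSCertificate
    # CSR: version, subject, SPKI.  Certificate: optional [0] version, serial,
    # signature algorithm, issuer, validity, subject, SPKI.
    idx = (6 if fields[0][0] == 0xA0 else 5) if is_cert else 2
    return der[fields[idx][1]:fields[idx][3]]

def rsa_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo."""
    _, _, vs, ve = children(spki_der)[1]   # [AlgorithmIdentifier, BIT STRING]
    key = spki_der[vs + 1:ve]              # skip the unused-bits octet
    _, _, ms, me = children(key)[0]        # RSAPublicKey: [modulus, exponent]
    return int.from_bytes(key[ms:me], "big").bit_length()

def check(csr_pem, cert_pem, min_bits=2048):
    """Return (certificate key equals CSR key, RSA modulus >= min_bits)."""
    a, b = spki(pem_to_der(csr_pem), False), spki(pem_to_der(cert_pem), True)
    return a == b, rsa_bits(a) >= min_bits

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py CSR.pem CERT.pem")
    print(check(*(open(p).read() for p in sys.argv[1:])))
```

A first value of False means the certificate was issued for a different key than rsa1024.pem. The 1024-bit key generated in this procedure yields False for the second value with the default threshold.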
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
| Updated: Jan 31, 2006 | Document ID: 43700 |
