The objective of this document is to show you how to generate
a Certificate Signing Request (CSR) and how to import and export
certificates on the RV160 and RV260 Series Routers.
Digital certificates are important in the communication
process. They provide digital identification for authentication. A digital
certificate includes information that identifies a device or user, such as the
name, serial number, company, department, or IP address.
Certificate Authorities (CAs) are trusted authorities that
“sign” certificates to verify their authenticity, which guarantees the identity
of the device or user. This ensures that the certificate holder is really who
they claim to be. Without a trusted signed certificate, data may be encrypted,
but the party you are communicating with may not be who you think it is. CAs
use Public Key Infrastructure (PKI) when issuing digital certificates, which
uses public key or private key encryption to ensure security. CAs are
responsible for managing certificate requests and issuing digital certificates.
Some examples of CAs are IdenTrust, Comodo, GoDaddy, GlobalSign, GeoTrust,
Verisign, and many more.
Certificates are used for Secure Sockets Layer (SSL), Transport
Layer Security (TLS), and Datagram TLS (DTLS) connections, such as Hypertext
Transfer Protocol Secure (HTTPS) and Secure Lightweight Directory Access Protocol
Through this article, you will:
Step 1. Log in to the web configuration page.
Step 2. Navigate to Administration > Certificate.
Step 3. In the Certificate page, click on Generate CSR/Certificate…
Step 4. Select the type of certificate to generate from one
of the following options in the drop-down list.
Certificate – This is a Secure Sockets Layer (SSL) certificate which
is signed by its own creator. This certificate is less trusted, as it cannot be
revoked if the private key is compromised somehow by an attacker. You must
provide the valid duration in days.
– Select this certificate type to make your router act like an internal
certificate authority and issue certificates. From a security standpoint, it is
similar to a self-signed certificate. This can be used for OpenVPN.
Certificate Signing Request – This is a Public Key Infrastructure (PKI)
request that is sent to the certificate authority to apply for a digital
identity certificate. It is more secure than self-signed as the private key is
kept secret. This option is recommended.
Signed by CA Certificate – Select this certificate type and provide
relevant details to get the certificate signed by your internal certificate
In this example, we will be selecting Certificate Signing Request.
Step 5. Enter the Certificate Name. In this example, we will
be entering CertificateTest.
Step 6. In the Subject Alternative Name field, select one of the
following: IP Address, FQDN (Fully Qualified Domain Name), or Email and then
enter the appropriate name from what you have selected. This field allows you
to specify additional host names.
In this example, we will be selecting FQDN and entering ciscoesupport.com.
Step 7. Select a country from the Country Name (C) drop-down list.
Step 8. Enter a state or province name in the State or Province Name field.
Step 9. In the Locality
Name, enter a city
Step 10. Enter the name of the organization in the Organization
Step 11. Enter the name of the organization unit (e.g., Training, Support, etc.).
In this example, we will be entering eSupport as our organization unit name.
Step 12. Enter a common name. It is the FQDN of the web
server that will be receiving this certificate.
In this example, ciscosmbsupport.com was used as the common name.
Step 13. Enter an email address.
Step 14. Select the Key Encryption Length from the drop-down
menu. The options are: 512, 1024, or 2048. The larger the key size, the
more secure the certificate. The larger the key size, the greater the
Best Practice: It is recommended
to choose the highest key encryption length – enabling tougher encryption.
Step 15. Click Generate.
Step 16. An Information popup will appear with a “Generate certificate
successfully!” message. Click OK to continue.
Step 17. Export the CSR from the Certificate Table.
Step 18. An Export Certificate window appears. Select PC for the
Export to field and then click Export.
Step 19. Another window should appear asking whether to open
or save the file.
In this example, we will select Save File and then click OK.
Step 20. Find the location where the .pem file was saved. Right-click the
.pem file and open it with your favorite text editor.
In this example, we will be opening the .pem file with
Note: Feel free to open it
Step 21. Ensure that the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- is on its
Note: Some parts of the
certificate were blurred out.
Step 22. When you have your CSR, you need to go to your
hosting service or a certificate authority site (e.g., GoDaddy, Verisign, etc.)
and request a certificate. Once you have submitted a request, it will
communicate with the certificate server to make sure there isn’t any reason not
to issue the certificate.
Note: Contact the CA or
hosting site support if you don’t know where the certificate request is on
Step 23. Download the certificate once it is completed. It
should be either a .cer or .crt file. In this example, we were
provided with both files.
Step 24. Go back to the Certificate page in your router and import the
certificate file by clicking the arrow pointing to the device icon.
Step 25. In the Certificate Name field, enter the certificate name. It
can’t be the same name as the certificate signing request. In the Upload
Certificate file section, select import from PC and click Browse… to upload
your certificate file.
Step 26. A File Upload window appears. Navigate to the location of your
certificate file. Select the certificate file that you want to upload and
click Open. In this example, CertificateTest.cer was
Step 27. Click the Upload button to start uploading your certificate to
the router.
Note: If you get an error where you can’t upload your .cer file, it might be
because your router requires the certificate to be in PEM encoding. You would
need to convert your DER encoding (.cer file extension) to a PEM encoding
(.crt file extension).
Step 28. If the import was successful, an information window should appear letting
you know that it was successful. Click OK to
Step 29. Your certificate should be successfully updated. You
should be able to see who your certificate was signed by. In this example, we
can see that our certificate was signed by CiscoTest-DC1-CA.
To make the certificate our primary certificate, select the certificate by
using the radio button on the left side and click the Select as Primary
Certificate… button.
Note: Changing the primary certificate might bring you back to a warning
page. If you are using Firefox and it comes up as a gray blank page, you would
need to adjust some configuration in Firefox. This document on the Mozilla wiki
gives some explanation about it: CA/AddRootToFirefox.
To be able to see the warning page again, follow these steps, which
were found on the Mozilla community support page.
Step 30. In the Firefox warning page, click Advanced… and then Accept the Risk and Continue to proceed
back into the router.
Note: These warning screens vary from browser to browser but perform the
same functions.
Step 31. In the Certificate Table, you should see that NETCONF,
WebServer, and RESTCONF have swapped to your new certificate instead of using
the Default certificate.
You should now have successfully installed a certificate onto
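For the check in Step 21 (BEGIN and END lines of the exported .pem) and the upload error noted under Step 27 (a DER-encoded .cer where the router expects PEM), the following is an added example, not Cisco's code. It accepts either encoding and returns clean PEM; the function names and the 5-byte sample are constructed for illustration.

```python
import base64
import re

# PEM armor per Step 21: BEGIN and END lines each on their own line.
_PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END (?P=label)-----$"
)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length header matches its size.
    Structural check only; it does not validate the X.509 fields inside."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def wrap_pem(der: bytes, label: str) -> str:
    """Base64-encode der in 64-character lines between BEGIN/END armor."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])

def to_pem(data: bytes, label: str = "CERTIFICATE") -> str:
    """Return data as clean PEM, accepting PEM text or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        m = _PEM_RE.match(data.decode("ascii").strip())
        if not m:
            raise ValueError("PEM armor broken: BEGIN/END must be on their own lines")
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        label = m.group("label")
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError("content is not a single DER SEQUENCE")
    return wrap_pem(der, label)

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real .cer file.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

if __name__ == "__main__":
    print(to_pem(SAMPLE_DER), end="")
```

For a real file, pass the bytes read from the .cer or .pem file to to_pem() and write the result to the file you upload; use the label "CERTIFICATE REQUEST" when wrapping a DER-encoded CSR.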
Step 1. If you have navigated away from the Certificate page, navigate to Administration > Certificate.
Step 2. In the Certificate Table, click the Details icon located under
the Details section.
Step 3. The Certificate Detail page appears. You should be able to see all
the information about your certificate.
Step 4. Click the lock
icon located on the left side of the Uniform Resource Locator (URL) bar.
Note: The following steps
are used in a Firefox browser.
Step 5. A drop-down list of choices appears. Click the Arrow icon next to the Connection field.
Step 6. Click More
Step 7. In the Page Info window, you should be able to see brief
information about your certificate under the Website identity section.
Ensure that you are in the Security tab and then click View Certificate to
see more information about your certificate.
Step 8. The Certificate Viewer page should appear. You should be able to
see all the information about your certificate, period of validity,
fingerprints, and who it was issued by.
Note: Since this
certificate was issued by our test certificate server, the issuer is unknown.
To download your certificate to import it on another router,
follow the steps below.
Step 1. In the Certificate page, click the export icon next to the
certificate that you want to export.
Step 2. An Export Certificate window appears. Select a format to export
the certificate. The
– Public Key Cryptography Standards (PKCS) #12 is an exported certificate that
comes in a .p12 extension. A password will be required in order to encrypt the
file to protect it as it is exported, imported, and deleted.
Privacy Enhanced Mail (PEM) is often used for web servers for their ability to
be easily translated into readable data by using a simple text editor such as
Select Export as PKCS#12 format, enter a password, and confirm the
password. Then select PC in the Export to: field. Click Export
to start exporting the certificate to your computer.
Note: Remember this
password because you will be using it when importing it to a router.
Step 3. A window will appear asking what you should do with
this file. In this example, we will select Save File and then click OK.
Step 4. The file should save to your default save location.
In our example, the file was saved to our Downloads folder on our computer.
Step 1. In the Certificate
page, click the Import
Step 2. Select the type of certificate to import from the Type drop-down
list under the Import Certificate section. The options are defined as:
CA Certificate – A certificate that is certified by a trusted third-party
authority that has confirmed that the information contained in the
certificate is accurate.
Certificate – A certificate generated on the router.
PKCS#12 Encoded File
– Public Key Cryptography Standards (PKCS) #12 is an exported certificate that
comes in a .p12 extension.
In this example, PKCS#12 Encoded File was selected as the type. Enter a
name for the certificate and then enter the password that was used.
Step 3. Under the Upload Certificate file section, select either Import
from PC or Import from USB. In this example, Import from PC was selected.
Click Browse… to choose a file to upload.
Step 4. In the File Upload window, navigate to where the PKCS#12 Encoded
File (.p12 file extension) is located. Select the .p12 file and then click
Open.
Step 5. Click Upload to start uploading the certificate.
Step 6. An Information window will appear letting you know that your
certificate was imported successfully. Click OK to continue.
Step 7. You should see that your certificate was uploaded.
You should now have learned how to generate a CSR and how to import and
download a certificate on the RV160 and RV260 Series Routers.