This article gives an example of how to obtain a free SSL certificate and install it on CMX. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Cisco recommends that you have knowledge of these topics:
- A domain name which can be resolved externally
- Basic linux skills
- Basic knowledge of PKI (Public Key Infrastructure)
The information in this document is based on these software and hardware versions:
- CMX 10.5
Prepare and backup
The web certificate is located in the following folder:
[root@cmxtry ssl]# openssl genrsa -out cmxtry.com.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
[root@cmxtry ssl]# ls
Generate a CSR (Certificate Signing Request) using the private key you generated in the previous step.
[root@cmxtry ssl]# openssl req -new -sha256 -key cmxtry.com.key -out cmxtry.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :DIEGEM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMXTRY
Organizational Unit Name (eg, section) :CMXTRY
Common Name (e.g. server FQDN or YOUR name) :cmxtry.com
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :Cisco123
An optional company name :CMXTRY
[root@cmxtry ssl]# ls
cmxtry.com.csr cmxtry.com.key oldcert
Paste the CSR into the window and select RedHat as the software used to generate the CSR:
You have to validate the domain, either through an e-mail address or through another method such as a DNS CNAME entry.
Once validation is complete, you can download the certificate from here:
After you download the certificate, upload it to the CMX box:
[ avitosin > ~/Desktop/cmxtry_com ] ls
[ avitosin > ~/Desktop/cmxtry_com ] scp ./* email@example.com:/home/cmxadmin
Warning: the ECDSA host key for 'cmxtry.com' differs from the key for the IP address '126.96.36.199'
Offending key for IP in /Users/avitosin/.ssh/known_hosts:8
Matching host key in /Users/avitosin/.ssh/known_hosts:10
Are you sure you want to continue connecting (yes/no)? yes
/etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
cmxtry_com.ca-bundle 100% 4103 4.0KB/s 00:00
cmxtry_com.crt 100% 2236 2.2KB/s 00:00
[ avitosin > ~/Desktop/cmxtry_com ]
Verify the certificates
Verify that the certificate was successfully copied to CMX:
[root@cmxtry ssl]# cd /home/cmxadmin/
[root@cmxtry cmxadmin]# ls
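Before the new files replace anything in the CMX ssl folder, it is worth checking that the private key, the CSR and the downloaded certificate actually belong together and that the certificate chains to the supplied CA bundle. The following POSIX shell script is an added example and not part of the original article; it assumes the file names used above and builds a throwaway CA with constructed test files so that it runs offline.

```shell
# Added example, not from the original article: check that the private key, CSR and
# CA-issued certificate belong together and that the certificate chains to the CA
# bundle before anything is copied into the CMX ssl folder. Assumed file names:
# cmxtry.com.key, cmxtry.com.csr, cmxtry_com.crt, cmxtry_com.ca-bundle.

# Print the SHA-256 fingerprint of the public key carried by a key, CSR or certificate,
# so all three can be compared by string equality. $1 = key|req|x509, $2 = file.
pubkey_fp() {
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    req)  pem=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) ;;
    x509) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) ;;
    *)    pem= ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 only when key, CSR and certificate share one public key and the
# certificate verifies against the CA bundle. $1 key, $2 csr, $3 crt, $4 ca-bundle.
check_cert_set() {
  k=$(pubkey_fp key "$1"); r=$(pubkey_fp req "$2"); c=$(pubkey_fp x509 "$3")
  if [ -z "$k" ] || [ "$k" != "$r" ] || [ "$k" != "$c" ]; then
    echo "public key mismatch between key, CSR and certificate"; return 1
  fi
  openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 \
    || { echo "certificate does not verify against the CA bundle"; return 1; }
  echo "key, CSR and certificate match; chain verifies"
}

# Constructed test material so the script runs offline: a throwaway CA stands in for
# the public CA, and other.key is a key that does NOT belong to the certificate.
make_demo_files() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca-bundle" \
    -subj "/CN=Demo CA" -days 1 >/dev/null 2>&1
  openssl genrsa -out "$d/cmxtry.com.key" 2048 >/dev/null 2>&1
  openssl req -new -sha256 -key "$d/cmxtry.com.key" -subj "/C=BE/O=CMXTRY/CN=cmxtry.com" \
    -out "$d/cmxtry.com.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/cmxtry.com.csr" -CA "$d/ca-bundle" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/cmxtry_com.crt" -days 1 >/dev/null 2>&1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  echo "$d"
}

# Demo run on the constructed files; on CMX, point check_cert_set at the real files instead.
DEMO=$(make_demo_files)
check_cert_set "$DEMO/cmxtry.com.key" "$DEMO/cmxtry.com.csr" "$DEMO/cmxtry_com.crt" "$DEMO/ca-bundle"
```

A mismatch between the key and the certificate is the most common reason a freshly installed certificate is rejected, so run this check on the CMX box against the real files before restarting any service.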