Enable AD CS to Issue Client and Server Certificates

Note

The CA component of Microsoft Active Directory Certificate Services (AD CS) must be able to issue a certificate that can be used for authentication of the Expressway as client or server.


AD CS in Windows Server 2008 R2 Standard (and later) can issue these types of certificates if you create a certificate template for them. Earlier Standard editions of Windows Server can only issue certificates from the built-in (version 1) templates, not from custom ones, so they are not suitable.

The default "Web Server" certificate template in AD CS creates a certificate whose Enhanced Key Usage (EKU) contains only Server Authentication (OID 1.3.6.1.5.5.7.3.1). The server certificate for the Expressway also needs the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) if you want to configure a neighbor or traversal zone with mutual authentication (where TLS verify mode is enabled), because the Expressway then presents its certificate as a TLS client to the peer, and the peer rejects a certificate without that EKU.

To set up a certificate template with both Server and Client authentication:

  1. In Windows, launch Server Manager (Start > Administrative Tools > Server Manager).

    (Server Manager is a feature included with server editions of Windows.)

  2. Expand the Server Manager navigation tree to Roles > Active Directory Certificate Services > Certificate Templates (<domain>).

  3. Right-click on Web Server and select Duplicate Template.

  4. Select Windows Server 2003 Enterprise and click OK. (This creates a version 2 template, which the CA web enrollment pages can offer. A duplicate made with Windows Server 2008 Enterprise is a version 3 template, which those pages do not list.)

  5. On the General tab, enter the Template display name and Template name, for example Web client and server (display name) and Webclientandserver (template name). The template name, not the display name, is what command-line tools and request attributes refer to.

  6. On the Extensions tab, select Application Policies and click Edit.

  7. Add Client Authentication to the set of application policies:

    1. Click Add.

    2. Select Client Authentication and click OK.

    3. Click OK.

  8. Click OK to complete the addition of the new template.

  9. Add the new template to the Certificate Authority:

    1. Go to Roles > Active Directory Certificate Services > <your certificate authority>.

    2. Right-click Certificate Templates and select New > Certificate Template to Issue.

    3. Select your new Web client and server template and click OK.

The new Web client and server template can now be used when submitting a certificate request to the Microsoft Certification Authority.
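The following PowerShell script is an added example, not part of the original page or of Cisco's documentation. It does not replace the console steps above; it checks their result and carries out the last two tasks from the command line: it reads the duplicated template from the Configuration partition and confirms it carries both EKUs, publishes it on the CA (the equivalent of step 9), submits the CSR generated on the Expressway against that template, and verifies the issued certificate before you upload it. The template name Webclientandserver comes from the page's example; the CA configuration string, the CSR and certificate file names are assumptions you must replace. It runs on a domain-joined host with the ActiveDirectory module and certutil/certreq available, under an account allowed to administer the CA and to enroll against the template.

```powershell
# Added example (not from the original page): verify the duplicated template,
# publish it on the CA, submit the Expressway CSR against it, and check the
# issued certificate. Names below are assumptions; replace them for your site.
$TemplateName = 'Webclientandserver'                       # template *name* from step 5
$CAConfig     = 'CA01.example.com\Example Issuing CA'      # assumption: "CA host\CA common name"
$CsrPath      = '.\expressway.csr'                         # assumption: CSR generated on the Expressway
$CerPath      = '.\expressway.cer'                         # assumption: where the issued cert is written

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

# 1. Confirm the template in AD carries both EKUs. The Application Policies
#    edit in step 7 is stored in the template's pKIExtendedKeyUsage attribute;
#    an unmodified copy of Web Server would list only Server Authentication.
Import-Module ActiveDirectory
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $templateDN -Filter "cn -eq '$TemplateName'" `
                     -Properties pKIExtendedKeyUsage
if (-not $tmpl) { throw "Template '$TemplateName' not found under $templateDN" }
foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
    if ($tmpl.pKIExtendedKeyUsage -notcontains $oid) {
        throw "Template '$TemplateName' lacks EKU $oid; re-check the Application Policies extension"
    }
}
Write-Host "Template '$TemplateName' has both Server and Client Authentication EKUs"

# 2. Publish the template on the CA (same effect as New > Certificate Template
#    to Issue). certutil -SetCATemplates takes +/-<template name>, not the display name.
certutil -config $CAConfig -SetCATemplates "+$TemplateName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE" }

# 3. Submit the Expressway's CSR, pinning the template with a request attribute
#    so the CA does not fall back to a template that only has Server Authentication.
certreq -submit -config $CAConfig -attrib "CertificateTemplate:$TemplateName" $CsrPath $CerPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit failed with exit code $LASTEXITCODE (a pending request needs CA manager approval)"
}

# 4. Check the issued certificate itself: both EKUs must be present, otherwise
#    mutual authentication on the zone will fail when the peer validates it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $CerPath).Path)
$ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
    if ($ekus -notcontains $oid) { throw "Issued certificate lacks EKU $oid" }
}
"Issued {0}`nSubject: {1}`nEKUs: {2}" -f $cert.Thumbprint, $cert.Subject, ($ekus -join ', ')
```

Two points worth keeping in mind when you use it. Step 3 only succeeds immediately if the CA issues the template automatically; if the template (or the CA) requires CA certificate manager approval, certreq reports the request as pending and you must approve it in the console before step 4. And because the duplicated template, like Web Server, takes its subject name from the request, limit its Enroll permission (Security tab of the template) to the accounts that actually submit Expressway requests rather than leaving it open to broad groups.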