Administration Guide for Cisco Digital Media Suite 5.4.x

Manage Digital Certificates

 You can manage the digital certificates for a DMM appliance from its local instance of Appliance Administration Interface (AAI). Furthermore:

•You can import multiple CA chain certificates simultaneously.

–Inside a single *.ZIP archive (CSCth65646).

–Inside a single certificate file (CSCti11768).

However, we do not support these methods for the import of identity certificates. All identity certificates must remain separate during import.

•You can import a certificate that includes an extra carriage return (CSCth53389).

•You can configure a Cisco DMS appliance to notify you daily that an imported CA certificate or identity certificate will expire soon. Such notifications begin 10 days before the actual expiration date. To access this feature in the web-based user interface for DMM 5.4.x, go to Administration > Alerts > Notification Rules > Certificate is about to expire (CSCth18904).

•We support both the P7B and PEM certificate format.

•Concepts

•Procedures

•Reference

Concepts

•Glossary

•Restrictions

•Workflows for Certificate Management

Glossary

Timesaver Go to terms that start with...   [  A  |  C  |  D  |  K  |  P  |  S  |  X  ].

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICrTCCAZUCAQAwaDEXMBUGA1UEAxMOZHN5cy5jaXNjby5jb20xDzANBgNVBAsTBmp5Z2podjEO

MAwGA1UEChMFaGd1eWcxDzANBgNVBAcTBnV5dHlnajEOMAwGA1UECBMFbWhoanYxCzAJBgNVBAYT

AlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlz+sEkBbIoXTiE13O28FX558enM0

6tVdnNlWmySbtKulYJ+xvHlsdzbCLOPYJhOvr1JJIxaNjf2dT1fdQp4Qd1U/lk5+v9Nmqtlr9Fxl

bUkxkCaYr6H4RYrmqi0+YpLyUgMXqoQ+vFRDdKUGHD5lxQK9dggXvdJQNgylGawXkqG8WepC3XwK

Zyl9CS2S4CbnLs6yHcz86/VE1X4+DqnS3yvfko+Yyg/yUe151Hcwp97C0KtFrZnQcnIDYU4rEaV+

nqKWc52cQ0kuoJjJlzNSlVUGLGA+yPf+fz+0K5liqA6HnE22yA7SWlskcR668JCR9tjqyWnIC+yu

Cd13HUfSpwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAAVj0f6B6lmtVEvCaUxKAI7DDgFjBJhv

BRJMZA+3BVD6OOX8T2J8druEb18bloEX989f8l124KceO8Y037/a4RPdxhXM3eeVYTMnz4QcbI6G

MU58jdHgRM1pxmYweixNTmzFTLc3uhp8JHWk286pHOMNHX2OR+cL+Cbj/mYRnmf4hg4LD0oCTS9f

pVEDgmiOpZ/go9OfAZ4nu1SwnqCaNpV+k/hM2RnlAqtaQDR89B4K18IF6odnjc9TL0kXUrsK79BD

Qp1bZQS+MElgnEqHpFjzvaopwXnZSv4CFHi6IwN2HPALY24Bo3XGW85j71HYPbwoVnZtcqdN56X6

HM0lto8=

-----END NEW CERTIFICATE REQUEST-----

D	Return to Top
DER	A certificate encoding format that we DO NOT SUPPORT in any Cisco DMS release. Instead, you can use either of our supported formats: PEM or P7B .
digital certificate	Digital representation of an entity (human or otherwise), as defined in International Organization for Standardization (ISO) standard X.509. A certificate is normally issued by a CA on behalf of an entity. Common fields within a certificate include distinguished names (DN) for the entity and CA, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority , so that a recipient can verify certificate legitima cy.
DN	distinguished name. A set of attributes that help a CA to authenticate an entity for SSL.

P	Return to Top
P7B	An implementation of base64-encoded ASCII in X-509, used to protect identity certificates and CA certificates. P7B certificates must NOT use binary (DER) encoding. Instead, use Base64 (ASCII) encoding.
PEM	privacy enhanced email. An implementation of base64 -encod ed ASCII in X-509, used to protect identity certificates and CA certificates.
private key	A cryptographic value to decrypt messages and digital signatures upon receipt by one authenticated entity from another. Each private key is unique and confidential to one entity. As one half of an asymmetric key pair, each private key is bound to its opposite half, a public key .
public key	A cryptographic value to encrypt messages and digital signatures for delivery from one authenticated entity to another. Each public key is verifiably unique to one entity, which can reveal it widely without compromising the private key. As one half of an asymmetric key pair, each public key is bound to its opposite half, a private key .

Restrictions

•Encoding

•Subject CN Elements

•Concatenation

Encoding

We do not support DER encoding. Instead, you can use either of our supported formats: PEM or P7B.

Related Topics

•Verify If Your Certificate Format is PEM

Subject CN Elements

Caution   ·    Do not use any wildcards (*) in the common name (CN) element of a certificate's subject. Certificate import fails
        when a wildcard is present. For example, we would reject a certificate with * .example.com as its subject.

Concatenation

Caution Do not combine multiple identity certificates together in one file that you will import to Cisco DMS. Import will fail for merged identity certificates.

Workflows for Certificate Management

You are most likely to use AAI certificate management features in the context of a workflow.

•Workflow A — Obtain and Install Provider-signed Certificates

•Workflow B — Your Certificates Expire or You Do Not Have Any Certificates

•Workflow C — Back Up and Restore Certificates

Procedures

•Generate and Submit Certificate Signing Requests (CSR)

•Verify If Your Certificate Format is PEM

•Import (Install) Provider-signed Certificates

•Generate Self-signed Certificates

•View Identity Certificates

•View a Certificate Chain to Verify its Certificates

•Export a Keystore to Back It Up

•Import a Keystore to Restore It from a Backup

Generate and Submit Certificate Signing Requests (CSR)

Workflow Context

This topic is part of Workflow A.

Before You Begin

•Contact a certification authority to learn about its process to receive a request. Many CAs will expect to receive your request through their FTP or SFTP server. Although you can use any CA, these four are among the best known.

–VeriSign — www.verisign.com

–GoDaddy — www.godaddy.com

–Comodo — www.comodo.com

–Network Solutions — www.networksolutions.com

•Log in to AAI as admin.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > MANAGE_SIGNED_CERTS > GENERATE_CSR.

Step 2 Enter values in the fields, as illustrated.

Note Do not use any of these characters.
, + = " " ' ` < > # ;

a. Use the Department field to enter the name for your organizational unit — such as Finance Ministry, Taiwan Office, College of Engineering, or Publications Department. Then, press the Down () key.

b. Use the Organization field to enter the full legal name for your entire organization, as it is known to your national government or intergovernmental authority — such as Cisco Systems, Cambridge University, or Médecins Sans Frontières. Then, press the Down () key.

c. Use the Location field to enter the full and officially designated place name of your city, town, township, village, hamlet, civil parish, or settlement — such as Madrid or Tokyo. Then, press the Down () key.

d. Use the State field to enter the full name of your state, province, commonwealth, territory, republic, periphery, dependency, or protectorate — such as Montserrat, California, Tamil Nadu, Chechnya, São Paulo, or Crete. Then, press the Down () key.

e. Use the Country field to enter the 2-character country code, as managed by the Internet Assigned Names Agency (IANA).

•Even if this code is not part of your Internet domain name, it is a necessary attribute of your digital certificate.

•Even if this code is part of your Internet domain name, you must not prefix it here with a period.

Note Your IANA country code might differ from all country name abbreviations that you know. The "Internet Assigned Names Agency (IANA) Country Codes" section directs you to your country code.

f. Press the Down () key.

Note The "Months Before Expiration" field is not useful in this procedure. You can safely ignore it.

Step 3 Choose OK.

Step 4 Use this checklist to prequalify a CA.

	Does the CA use PEM or P7B, as appropriate? We require certificates that use PEM or P7B encoding. Do not use DER.
	Does the CA isolate each identity certificate? We require that each imported identity certificate has its own, standalone file.

Step 5 After you choose a CA, enter values that it provides to you, which identify its server specifically and you specifically. Then, choose OK.

OR

When your CA does not use an FTP or SFTP server to receive CSRs, enter values to identify a server that you control. Later, you can retrieve your encrypted CSR for delivery to your CA through its alternative process. For example, you might paste your CSR ciphertext into a form on the CA website.

Note Your CA might ask you to specify what server platform — such as Apache or Microsoft Internet Application Server (IIS) — will use your new certificate. You must choose Apache. Otherwise, your new certificate is not encoded correctly for Cisco DMS products to use it.

Step 6 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to check whether your digital certificates use the correct format?
Go to the "Verify If Your Certificate Format is PEM" section.

•OPTIONAL — Would you like to install signed digital certificates that you received from a CA?
Go to the "Import (Install) Provider-signed Certificates" section.

Verify If Your Certificate Format is PEM

You can use an ordinary text editor, such as Notepad on Windows or TextEdit on Mac, to confirm quickly if your certificates use PEM encoding.

Procedure

Step 1 Start your text editor.

Step 2 Use its Open command to load your unaltered certificate file for viewing.

Step 3 Examine the certificate.

•Does its first line say exactly -----BEGIN CERTIFICATE----- and nothing else?

•Does its last line say exactly -----END CERTIFICATE----- and nothing else?

When an unaltered certificate meets these requirements, it is encoded correctly for use with this release. You can import it.

Note Do not merely add the BEGIN and END statements to a certificate file that lacks them. Their presence does not — by itself — change how a certificate is encoded.

Step 4 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to install signed digital certificates that you received from a CA?
Go to the "Import (Install) Provider-signed Certificates" section.

Import (Install) Provider-signed Certificates

Caution W hen you import certificates, they overwrite all others.

Workflow Context

This topic is part of Workflow A.

Before You Begin

•Request and obtain a digital certificate from a trusted CA.

•Log in to AAI as admin.

•Consider certificate restrictions for:

–Expiration

–Encoding

–Carriage Returns

–Subject CN Elements

–Concatenation

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > MANAGE_SIGNED_CERTS > IMPORT_CERTIFICATE.

Step 2 Choose Yes at the prompt to overwrite your active certificates with their replacements.

Step 3 Enter information about the FTP or SFTP server where you store your digital certificates.

a. Use the first field to enter a routable IP address or DNS-resolvable FQDN for the server.

b. Press the Down () key.

c. Use the second field to enter a username that has sufficient permissions to read your certificates from the server.

d. Choose OK.

Step 4 Enter your password for the FTP or SFTP server, and then choose OK.

Step 5 Enter absolute file paths, as prompted.

a. Use the first field to specify the path to one or more PEM files. If you will specify more than one file, comma-separate the filenames.

Note Do not specify a ZIP archive that contains your PEM files. If you do, an error message will state that the certificate chain is damaged and at least one of your certificates is not formatted correctly.

b. Press the Down () key.

c. Use the second field to specify the path to one or more CAchain files.

d. Choose OK.

Note An error message might state that AAI could not retrieve any CAchain files from the remote server. If so, several additional messages might load in sequence. In this case, you must choose OK after each message to dismiss it. For example, a sequence of messages might say:

•Failed to get file usage: from remote server.

•Failed to get file tokenize from remote server.

•Failed to get file [separator] from remote server.

•Failed to get file [string_to_tokneize] from remote server.

•1 MISSING_CA_CERTIFICATE

If access failed after AAI exceeded that maximum number of retries, please check that the server is running and reachable, and that you entered both paths correctly.

Step 6 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to verify any of your digital certificates? Go to the "View Identity Certificates" section.

Related Topics

•Generate and Submit Certificate Signing Requests (CSR)

Generate Self-signed Certificates

Workflow Context

This topic is part of Workflow B.

Before You Begin

•Log in to AAI as admin.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > MANAGE_SELF_SIGNED_CERTS > GENERATE_NEW_CERT.

Step 2 Enter values in the fields, as illustrated.

Note Do not use any of these characters.
, + = " " ' ` < > # ;

a. Use the Department field to enter the name for your organizational unit — such as Finance Ministry, Taiwan Office, College of Engineering, or Publications Department. Then, press the Down () key.

b. Use the Organization field to enter the full legal name for your entire organization, as it is known to your national government or intergovernmental authority — such as Cisco Systems, Cambridge University, or Médecins Sans Frontières. Then, press the Down () key.

c. Use the Location field to enter the full and officially designated place name of your city, town, township, village, hamlet, civil parish, or settlement — such as Madrid or Tokyo. Then, press the Down () key.

d. Use the State field to enter the full name of your state, province, commonwealth, territory, republic, periphery, dependency, or protectorate — such as Montserrat, California, Tamil Nadu, Chechnya, São Paulo, or Crete. Then, press the Down () key.

e. Use the Country field to enter the 2-character country code, as managed by the Internet Assigned Names Agency (IANA).

•Even if this code is not part of your Internet domain name, it is a necessary attribute of your digital certificate.

•Even if this code is part of your Internet domain name, you must not prefix it here with a period.

Note Your IANA country code might differ from all country name abbreviations that you know. The "Internet Assigned Names Agency (IANA) Country Codes" section directs you to your country code.

f. Press the Down () key.

g. Use the Months Before Expiration field to count the months until your digital certificate should expire.

•Briefer durations improve security at the cost of convenience.

•Longer durations improve convenience at the cost of security.

•Permitted values range from 1 to 999.

Step 3 Choose OK.

Step 4 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to verify any of your digital certificates? Go to the "View Identity Certificates" section.

View Identity Certificates

Workflow Context

This topic is not part of any workflow.

Before You Begin

•Log in to AAI as admin.

•Obtain and install certificates.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > VIEW_CERTIFICATE.

Step 2 Examine the certificate.

Step 3 Choose EXIT when you are done.

Step 4 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to back up your digital certificates? Go to the "Export a Keystore to Back It Up" section.

Related Topics

•Generate and Submit Certificate Signing Requests (CSR)

•Import (Install) Provider-signed Certificates

•Generate Self-signed Certificates

View a Certificate Chain to Verify its Certificates

Workflow Context

This topic is part of Workflow A, Workflow B, and Workflow C.

Before You Begin

•Log in to AAI as admin.

•Obtain and install certificates.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > VIEW_CERT_CHAIN.

Step 2 Examine the certificate chain.

Step 3 Choose EXIT when you are done.

Step 4 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to back up your digital certificates? Go to the "Export a Keystore to Back It Up" section.

Related Topics

•Generate and Submit Certificate Signing Requests (CSR)

•Import (Install) Provider-signed Certificates

•Generate Self-signed Certificates

Export a Keystore to Back It Up

Your certificates are included whenever you back up your appliance from its local instance of AAI.

Workflow Context

This topic is part of Workflow A and Workflow C.

Before You Begin

•Log in to AAI as admin.

•Obtain and install certificates.

•Delete any old keystore *.DAT file from your FTP or SFTP server before you export a new one.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > EXPORT_KEYSTORE.

Step 2 Enter the passphrase from which your private key was derived.

Step 3 Press Enter.

Step 4 Use the first field to enter a routable IP address or DNS-resolvable FQDN for the FTP or SFTP server where you will transfer an exported copy of your digital certificates.

Step 5 Press the Down () key.

Step 6 Use the second field to enter a username that has read-write permissions on the server that you specified. Then, press Enter.

Step 7 Enter the password that authenticates the username. Then, press Enter.

Step 8 Enter the full pathname where to save your keystore file on the remote server. Then, press Enter.

Step 9 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to restore certificates from a backup? Go to the "Import a Keystore to Restore It from a Backup" section.

Related Topics

•Generate and Submit Certificate Signing Requests (CSR)

•Import (Install) Provider-signed Certificates

•Generate Self-signed Certificates

Import a Keystore to Restore It from a Backup

Workflow Context

This topic is part of Workflow C.

Before You Begin

•Log in to AAI as admin.

•Export a keystore.

Procedure

Step 1 Choose CERTIFICATE_MANAGEMENT > IMPORT_KEYSTORE.

Step 2 Enter the passphrase from which your private key was derived.

Step 3 Press Enter.

Step 4 Use the first field to enter a routable IP address or DNS-resolvable FQDN for the FTP or SFTP server where you store your digital certificates.

Step 5 Press the down key.

Step 6 Use the second field to enter a username that has sufficient permissions to read your certificates from the server that you specified. Then, press Enter.

Step 7 Enter the password that authenticates the username. Then, press Enter.

Step 8 Enter the full pathname that points to your keystore file on the remote server. Then, press Enter.

Step 9 Stop. You have completed this procedure.

What to Do Next

•OPTIONAL — Would you like to verify any of your digital certificates? Go to the "View Identity Certificates" section.

Related Topics

•Export a Keystore to Back It Up

Reference

•Internet Assigned Names Agency (IANA) Country Codes

•FAQs and Troubleshooting

Internet Assigned Names Agency (IANA) Country Codes

Digital certificates use one standard set of codes to describe the international locations of entities whose identities are certified. IANA assigns these codes. IANA closely derives almost all of its codes from "A2" country and region codes, which the ISO 3166-1 alpha-2 standard defines. However, the set of IANA-assigned codes is not perfectly identical to the set of A2 codes. In some cases, IANA has defined new country and region codes for its own purposes. Some of these, in turn, were then added to ISO 3166.

Furthermore, geopolitical changes over time cause governmental federations to develop and dissolve. Lands are conquered, colonized, reapportioned, renamed, and so on. Slow but continual changes like these can create confusion about which country and region code to use in a certificate signing request (CSR). And while there are precedents for deleting country codes from ISO 3166, removal there does not result in immediate removal also from the country code top-level domains (ccTLDs) that exist in DNS.

Table 7-1 sorts countries and regions alphabetically by their names in English. Its cross-references redirect you in cases where geopolitical events, shared governance, or other factors might lead to confusion about which code to use.

FAQs and Troubleshooting

•FAQs

•Troubleshooting

FAQs

Q. What's the difference between a provider-signed certificate and a self-signed certificate?

A. Please compare and contrast these definitions from the "Glossary" section.

•signed

•self-signed

Troubleshooting

•Error Messages

Error Messages

Error messages guide you if problems affect your digital certificates. These messages describe a problem and suggest possible ways to solve it.

Error Message    Cannot process CA certificate.

Explanation    <exception message>

Recommended Action    Cause unknown. We cannot recommend any workaround.

Error Message    Cannot unpack <archive file path>. 

Explanation    The archive is corrupted or its source was not valid.

Recommended Action    Cause unknown. We cannot recommend any workaround.

Error Message    Certificate import failed. 

Explanation    An internal error occurred.

Recommended Action    Please contact Cisco technical support.

Error Message    Certificate import failed. 

Explanation    At least one parameter is not valid.

Recommended Action    Cause unknown. We cannot recommend any workaround.

Error Message    Certificate is not readable or does not exist.

Explanation    <absolute file path>

Recommended Action    Cause unknown. We cannot recommend any workaround.

Error Message    Certificate not yet valid.

Explanation    It takes effect in the future, on <date in YYYY-MM-DD format>.

Recommended Action    Please check that it is correct.

Error Message    Certificate rejected. 

Explanation    It does not match the newest certificate signing request (CSR) for <FQDN>.

Recommended Action    Please generate a new certificate signing request (CSR), and then contact your certification authority (CA).

Error Message    Certificate rejected. 

Explanation    It has expired and is no longer valid.

Recommended Action    Please generate a new certificate signing request (CSR), and then contact your certification authority (CA).

Error Message    Certificate rejected. 

Explanation    Its subject does not match <FQDN>.

Recommended Action    Please confirm that you imported the correct identity certificate. Alternatively, please generate a new certificate signing request (CSR), and then contact your certification authority (CA).

Error Message    Internal Error. 

Explanation    Cannot build certificate chain.

Recommended Action    Confirm that no CA certificates are missing.

Error Message    The certificate chain is broken. 

Explanation    An identity certificate is missing for <FQDN>.

Recommended Action    Please edit the certificate chain to include all digital certificates that your certification authority (CA) has issued to you.

Error Message    Warning! Browsers will reject this certificate. 

Explanation    It is self-signed.

Recommended Action    We recommend that you use certificates from a valid certification authority (CA).