CSM - How to install Third-Party SSL Certificates for GUI access

Available Languages

Download Options

  • PDF     (166.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (228.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (142.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:January 31, 2018
Document ID:212708

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    Cisco Security Manager (CSM) provides an option to use security certificates issued by third-party Certificate Authorities (CAs). These certificates can be used when the organizational policy prevents from using CSM self-signed certificates or requires systems to use a certificate obtained from a particular CA.

    TLS/SSL uses these certificates for communication between CSM Server and the client browser. This document describes the steps to generate a Certificate Signing Request (CSR) in CSM and how to install the identity and root CA certificates in the same.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Knowledge of SSL Certificates Architecture.
    • Basic Knowledge of Cisco Security Manager.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Security Manager version 4.11 and later.

    CSR creation from the User Interface

    This section describes how to generate a CSR. 

    Step 1. Run the Cisco Security Manager home page and select Server Administration > Server  > Security > Single-Server Management > Certificate Setup.

    Step 2. Enter the values required for the fields described in this table:

    Field

    Usage Notes

    Country Name

    Two character country code.

    State or Province

    Two character state or province code or the complete name of the state or province.

    Locality

    Two character city or town code or the complete name of the city or town.

    Organization Name

    Complete name of your organization or an abbreviation.

    Organization Unit Name

    Complete name of your department or an abbreviation.

    Server Name

    DNS name, IP Address or hostname of the computer.

    Enter the server name with a proper and resolvable domain name. This is displayed on your certificate (whether self-signed or third party issued). Local host or 127.0.0.1 should not be given.

    Email Address

    E-mail address to which the mail has to be sent.

    Step 3. Click Apply to create the CSR.

           The process generates the following files:

      • server.key—Server's private key.
      • server.crt—Server's self- signed certificate.
      • server.pk8—Server's private key in PKCS#8 format.
      • server.csr—Certificate Signing Request (CSR) file.

    Note: This is the path for the generated files.
    ~CSCOpx\MDC\Apache\conf\ssl\chain.cer
    ~CSCOpx\MDC\Apache\conf\ssl\server.crt
    ~CSCOpx\MDC\Apache\conf\ssl\server.csr
    ~CSCOpx\MDC\Apache\conf\ssl\server.pk8
    ~CSCOpx\MDC\Apache\conf\ssl\server.key

    Note: If the certificate is a self-signed certificate, then you cannot modify this information.

    Identity Certificate Upload into CSM Server

    This section describes how to upload the Identity Certificate provided by the CA to the CSM Server

      

    Step 1 Find the SSL Utility Script available at this location

    NMSROOT\MDC\Apache

    Note: NMSROOT must be replaced by the directory where CSM is installed. 

    This utility has these options.

    Number

    Option

    What it Does... 

    1

    Display Server certificate information
    • Displays the Certificate details of the CSM Server.

    For third party issued certificates, this option displays the details of the server certificate, the intermediate certificates, if any, and the Root CA certificate.

    • Verifies if the certificate is valid.

    2

    Display the input certificate information

    This option accepts a certificate as an input and:

    • Verifies whether the certificate is in encoded X.509 certificate format.
    • Displays the subject of the certificate and the details of the issuing certificate.
    • Verifies whether the certificate is valid on the server.

    3

    Display Root CA certificates trusted by Server

    Generates a list of all Root CA Certificates.

    4

    Verify the input certificate or certificate chain

    Verifies whether the server certificate issued by third party CAs, can be uploaded.

    When you choose this option, the utility:

    • Verifies if the certificate is in Base64 Encoded X.509Certificate format.
    • Verifies if the certificate is valid on the server
    • Verifies if the server private key and input server certificate match.
    • Verifies if the server certificate can be traced to the required Root CA certificate using which it was signed.
    • Constructs the certificate chain, if the intermediate chains are also given, and verifies if the chain ends with the proper Root CA certificate.

    After the verification is successfully completed, you are prompted to upload the certificates to CSM Server.

    The utility displays an error:

    • If the input certificates are not in required format
    • If the certificate date is not valid or if the certificate has already expired.
    • If the server certificate could not be verified or traced to a root CA certificate.
    • If any of the intermediate Certificates were not given as input.
    • If the server's private key is missing or if the server certificate that is being uploaded could not be verified with the server's private key.

    You must contact the CA who issued the certificates to correct these problems before you upload the certificates to CSM.

    5

    Upload single server certificate to Server

    You must verify the certificates using option 4 before you select this option.

    Select this option, only if there are no intermediate certificates and there is only the server certificate signed by a prominent Root CA certificate.

    If the Root CA is not one trusted by CSM, do not select this option.

    In such cases, you must obtain a Root CA certificate used for signing the certificate from the CA and upload both the certificates using option 6.

    When you select this option, and provide the location of the certificate, the utility:

    • Verifies whether the certificate is in Base64 Encoded X.509 certificate format.
    • Displays the subject of the certificate and the details of the issuing certificate.
    • Verifies whether the certificate is valid on the server.
    • Verifies whether the server private key and input server certificate match.
    • Verifies whether the server certificate can be traced to the required Root CA certificate which was used for signing.

    After the verification is successfully completed, the utility uploads the certificate to CiscoWorks Server.

    The utility displays an error:

    • If the input certificates are not in required format
    • If the certificate date is not valid or if the certificate has already expired.
    • If the server certificate could not be verified or traced to a root CA certificate.
    • If the server's private key is missing or if the server certificate that is being uploaded could not be verified with the server's private key.

    You must contact the CA who issued the certificates to correct these problems before you upload the certificates in CSM again.

    6

    Upload a certificate chain to Server

    You must verify the certificates using option 4 before you select this option.

    Select this option, if you are uploading a certificate chain. If you are also uploading the root CA certificate also, you must include it as one of the certificates in the chain.

    When you select this option and provide the location of the certificates, the utility:

    • Verifies whether the certificate is in Base64 Encoded X.509 Certificate format.
    • Displays the subject of the certificate and the details of the issuing certificate.
    • Verifies whether the certificate is valid on the server
    • Verifies whether server private key and the server certificate match.
    • Verifies whether the server certificate can be traced to the root CA certificate which was used for signing.
    • Constructs the certificate chain, if intermediate chains are given and verifies if the chain ends with the proper root CA certificate.

    After the verification is successfully completed, the server certificate is uploaded to CiscoWorks Server.

    All the intermediate certificates and the Root CA certificate are uploaded and copied to the CSM TrustStore.

    The utility displays an error:

    • If the input certificates are not in required format.
    • If the certificate date is not valid or if the certificate has already expired.
    • If the server certificate could not be verified or traced to a root CA certificate.
    • If any of the intermediate certificates were not given as input.
    • If the server's private key is missing or if the server certificate that is being uploaded could not be verified with the server's private key.

    You must contact the CA who issued the certificates to correct these problems before you upload the certificates in CiscoWorks again.

    7

    Modify Common Services Certificate

    This option allows you to modify the Host Name entry in the Common Services Certificate.

    You can enter an alternate Hostname if you wish to change the existing Host Name entry.

    Step 2 Use Option 1 to get a copy of the current certificate and save it for future reference. 

    Step 3 Stop the CSM Daemon Manager using this command on Windows Command Prompt before starting the certificate upload process.

    net stop crmdmgtd

    Note: CSM services goes down using this command. Make sure there are no deployments active during this procedure. 

    Step 4 Open SSL Utility one more time. This Utility can be opened using the Command Prompt by navigating to the previously mentioned path and using this command.

    perl SSLUtil.pl

    Step 5 Select Option 4Verify the input Certificate/ Certificate Chain.

    Step 6 Enter the certificates location (server certificate and intermediate certificate).  

      

    NoteThe script verifies if the server certificate is valid. After the verification is complete, the utility displays the options. If the script reports errors during validation and verification, the SSL Utility displays instructions to correct these errors. Follow the instructions to correct those problems and then try the same option one more time.

    Step 7 Select any of the next two options.

    Select Option 5 if there is only one certificate to upload, that is if the server certificate is signed by a Root CA certificate.

            OR

    Select Option 6 if there is a certificate chain to upload, that is if there is a server certificate and intermediate certificate.

    NoteCiscoWorks does not allow to proceed with the upload if CSM Daemon Manager hasn't been stopped. The utility displays a warning message if there are hostname mismatches detected in the server certificate being uploaded, but the upload can be continued.

    Step 8 Enter these required details.

      • Location of the certificate
      • Location of intermediate certificates, if any.

    SSL Utility uploads the certificates if all the details are correct and the certificates meet CSM requirements for security certificates.

    Step 9 Restart the CSM Daemon Manager for the new change to take effect and enable CSM services.

      

    net start crmdmgtd

    Note: Await for an overall of 10 minutes for all of the CSM services to be re-started.

    Step 10 Confirm the CSM is using the identity certificate installed. 

    NoteDon't forget to install the root and intermediate CA certificates in the PC or server from where the SSL connection is being stablished to the CSM.

      

    TAC Authored

    Contributed by Cisco Engineers

    • David Roman
      Cisco TAC
    • Christian Hernandez
      Cisco TAC
    • Cesar Lopez Zamarripa
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products