Self-sign certificates for Cisco Advanced Web Security Reporting application
This topic provides basic examples for creating the self-signed certificates in the command line using the version of OpenSSL included with Cisco Advanced Web Security Reporting application.
Since self-signed certificates are signed by your organization, they are not contained in browser certificate stores. As a result, web browsers consider self-signed certificates “untrusted”. This produces a warning page to users and may even prevent access for the user.
Self-signed certificates are best for browser to Cisco Advanced Web Security Reporting application communication that happens within an organization or between known entities where you can add your own CA to all browser stores that will contact Cisco Advanced Web Security Reporting application. For any other scenario, CA-signed certificates are recommended. See Get certificates signed by a third-party for Cisco Advanced Web Security Reporting application for more information.
Before You Begin
In this discussion, $AWSR_HOME refers to the AWSR Enterprise installation directory. We recommend that you follow this convention, but if you do not, you should replace $AWSR_HOME with your installation directory when using these examples.
For Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog. Default home directories depend on your platform:
- For Windows, the AWSR Enterprise directory is at C:\Program Files\Cisco\ by default.
- For most Linux platforms, the default installation directory is at /opt/.
Generate a new root certificate to be your Certificate Authority
Procedure
Step 1
Create a new directory to host your certificates and keys. For this example we will use
Step 2
Generate a new RSA private key. Cisco Advanced Web Security Reporting application supports 2048 bit keys, but you can specify larger keys if they are supported by your browser.
On Linux:
On Windows:
Note that in Windows you may need to append the location of the openssl.cnf file.
Step 3
When prompted, create a password. The private key
Step 4
Generate a certificate signing request using the root certificate private key.
On Linux:
On Windows:
Step 5
Provide the password to the private key. A new CSR, myCACertificate.csr, appears in your directory.
Step 6
Use the CSR to generate a new root certificate and sign it with your private key.
On Linux:
On Windows:
Step 7
When prompted, provide the password to the private key. A new certificate
Create a new private key for Cisco Advanced Web Security Reporting application
Procedure
Step 1
Generate a new private key.
On Linux:
On Windows:
Step 2
When prompted, create a password. A new key,
Step 3
Remove the password from your key. (Cisco Advanced Web Security Reporting application does not support password-protected private keys.)
On Linux:
On Windows:
You can verify that your password was removed with the following command:
On Linux:
On Windows:
You should be able to read the contents of your certificate without providing a password.
Create and sign a server certificate
Procedure
Step 1
Create a new certificate signing request using your private key.
On Linux:
On Windows:
The CSR
Step 2
Self-sign the CSR with the root certificate private key.
On Linux:
On Windows:
Step 3
When prompted, provide the password to the root certificate private key. The certificate
Create a single PEM file
Combine your server certificate and public certificates, in that order, into a single PEM file.
Here's an example of how to do this in Linux:
# cat myAWSRWebCert.pem myCACertificate.pem > myAWSRWebCertificate.pem
Here's an example in Windows:
# type myAWSRWebCert.pem myCACertificate.pem > myAWSRWebCertificate.pem
Set up certificate chains
To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:
[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]
So for example, a certificate chain might look like this:
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----
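The whole procedure above (root CA, unencrypted server key, signed server certificate, combined PEM) and the ordering rule for the chain file, run end to end with the OpenSSL command-line tool. This is an added example, not Cisco's script: the file names myCACertificate.csr, myCACertificate.pem, myAWSRWebCert.pem and myAWSRWebCertificate.pem are the page's; the key and CSR names, subject names, validity periods and the CA password are assumptions, and passwords are supplied with -passin/-passout rather than at the interactive prompts the page describes so that the script can run unattended.

```shell
#!/bin/sh
# Added example (not Cisco's own script): the self-signing procedure from
# this page, non-interactive. Names other than the page's own
# (myCACertificate.csr/.pem, myAWSRWebCert.pem, myAWSRWebCertificate.pem),
# the subjects and the validity periods are assumptions.
set -eu

# build_awsr_certs DIR CA_PASSWORD SERVER_HOSTNAME
#   DIR             directory that will hold every key and certificate
#   CA_PASSWORD     password protecting the root CA private key
#   SERVER_HOSTNAME name browsers use to reach the AWSR web interface
build_awsr_certs() {
  d="$1"; ca_pass="$2"; host="$3"
  mkdir -p "$d"

  # Root CA: 2048-bit RSA key (the size the page says AWSR supports),
  # encrypted with a password, then a CSR that the same key self-signs.
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$d/myCAPrivateKey.key" 2048
  openssl req -new -key "$d/myCAPrivateKey.key" -passin "pass:$ca_pass" \
    -subj "/CN=Example AWSR Root CA" -out "$d/myCACertificate.csr"
  openssl x509 -req -sha256 -days 3650 -in "$d/myCACertificate.csr" \
    -signkey "$d/myCAPrivateKey.key" -passin "pass:$ca_pass" \
    -out "$d/myCACertificate.pem"

  # Server key: generated with a password, then written out without one,
  # because AWSR does not load password-protected private keys.
  openssl genrsa -aes256 -passout "pass:$ca_pass" \
    -out "$d/myAWSRWebPrivateKey.enc.key" 2048
  openssl rsa -in "$d/myAWSRWebPrivateKey.enc.key" -passin "pass:$ca_pass" \
    -out "$d/myAWSRWebPrivateKey.key"

  # Server CSR, signed with the root CA key and certificate.
  openssl req -new -key "$d/myAWSRWebPrivateKey.key" -subj "/CN=$host" \
    -out "$d/myAWSRWebCert.csr"
  openssl x509 -req -sha256 -days 1095 -in "$d/myAWSRWebCert.csr" \
    -CA "$d/myCACertificate.pem" -CAkey "$d/myCAPrivateKey.key" \
    -passin "pass:$ca_pass" -CAcreateserial -out "$d/myAWSRWebCert.pem"

  # Single PEM: server certificate first, then the CA certificate.
  cat "$d/myAWSRWebCert.pem" "$d/myCACertificate.pem" > "$d/myAWSRWebCertificate.pem"
}

# verify_awsr_certs DIR
# Checks worth running before installing the files: the server key carries no
# password, the server certificate chains to the CA, the key matches the
# certificate, and the bundle starts with the server certificate (the order
# the page requires). Returns 0 only if every check passes.
verify_awsr_certs() {
  d="$1"
  if grep -q ENCRYPTED "$d/myAWSRWebPrivateKey.key"; then return 1; fi
  openssl verify -CAfile "$d/myCACertificate.pem" "$d/myAWSRWebCert.pem" >/dev/null || return 1
  key_mod=$(openssl rsa -in "$d/myAWSRWebPrivateKey.key" -noout -modulus)
  cert_mod=$(openssl x509 -in "$d/myAWSRWebCert.pem" -noout -modulus)
  [ "$key_mod" = "$cert_mod" ] || return 1
  # openssl x509 reads only the first certificate in a file, so this
  # confirms the server certificate is at the top of the bundle.
  first_subj=$(openssl x509 -in "$d/myAWSRWebCertificate.pem" -noout -subject)
  server_subj=$(openssl x509 -in "$d/myAWSRWebCert.pem" -noout -subject)
  [ "$first_subj" = "$server_subj" ]
}
```

Call build_awsr_certs with the certificate directory, the CA key password and the hostname browsers will use, then verify_awsr_certs on the same directory; a non-zero status from the second function means one of the four properties the page relies on (no key password, valid chain, matching key, server certificate first) does not hold and the files should not be installed. If an intermediate CA is involved, the verify step needs the intermediate appended to the bundle between the server and root certificates, exactly as the chain layout above shows.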