Introduction
This document describes how to generate a Certificate Signing Request (CSR) in order to obtain a third-party certificate and how to download a chained certificate to Cisco Connected Mobile Experiences (CMX).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of Linux
- Public Key Infrastructure (PKI)
- Digital Certificates
Components Used
The information in this document is based on CMX version 10.3
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Generate the CSR
Step 1. Connect to the CLI of CMX, access as root, move to the certificate directory and create a folder for the CSR and the key file.
[cmxadmin@cmx]$ su -
Password:
[root@cmx]# cd /opt/haproxy/ssl/
[root@cmx]# mkdir newcert
[root@cmx]# cd newcert
Note: The default directory for certificates on CMX is /opt/haproxy/ssl/.
Step 2. Generate the CSR and key file.
[root@cmx newcert]# openssl req -nodes -days 365 -newkey rsa:2048 -keyout /opt/haproxy/ssl/newcert/private.key -out /opt/haproxy/ssl/newcert/cert.crt
Generating a 2048 bit RSA private key
........+++
......................+++
writing new private key to '/opt/haproxy/ssl/newcert/private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MX
State or Province Name (full name) []:Tlaxcala
Locality Name (eg, city) [Default City]:Tlaxcala
Organization Name (eg, company) [Default Company Ltd]:Cisco
Organizational Unit Name (eg, section) []:TAC
Common Name (eg, your name or your server's hostname) []:cmx.example.com
Email Address []:cmx@example.com
Step 3. Get the CSR signed by the Third-Party.
In order to get the certificate from CMX and send it to the Third-Party, run the cat command to open the CSR. You can copy and paste the output into a .txt file or change the extension based on the requirements of the Third-Party. Here is an example.
[root@cmx newcert]# cat cert.crt
-----BEGIN CERTIFICATE REQUEST-----
MIIC0TCCAbkCAQAwgYsxCzAJBgNVBAYTAk1YMREwDwYDVQQIDAhUbGF4Y2FsYTER
MA8GA1UEBwwIVGxheGNhbGExDjAMBgNVBAoMBUNpc2NvMQwwCgYDVQQLDANUQUMx
GDAWBgNVBAMMD2NteC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPY214QGV4
YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2YybDkDR
vRSwD19EVaJehsNjG9Cyo3vQPOPcAAdgjFBpUHMt8QNgn6YFdHYZdpKaRTJXhztm
fa/7Nevb1IP/pSBgYRxHXQEhl9Gj4DT0gT2T+AZ8j3J9KMSe8Bakj4qY8Ua7GCdC
A62NzVcDxDM83gUD92oGbxOF9VFE2hiRvCQc+d6gBRuTOXxtyLBAtcL3hkiOEQx7
sDA55CwZU7ysMdWHUBn4AglzI1gPyzlmT3dwR0gfOSYN4j5+H0nrYtrPBZSUbZaa
8pGXVu7sFtV8bahgtnYiCUtiz9J+k5V9DBjqpSzYzb3+KxeAA+g0iV3J1VzsLNt7
mVocT9oPaOEI8wIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI6Q/A4zTfrWP2uS
xtN8X6p6aP8guU0bTWhGEMBEgBQd0bBWYdhxaItGt1a1tdNcIGLACeMPuk7WpsiH
rUs5kiIjlAc2/ANBao6/nlv56vhGUx0dOq0fk/glbrKL+a8Lx9ixtee77aPZ1xVD
A/n3FdNdSIidWH0M4q8JunxbT33vM9h8H6oqe/JI3BDnw4tRnkYaGWJsyWUlPCuO
TWPMagMkntv0JaEOHLg4/JZyVSdDiTnmb/U8cEH2RrcUP8iwjykDpb/V4tb4VtgM
7+9HKxQRQHq5Qji8/QyMG6ctoD+B7k6UpzXvi5FpvqGQWwXJNC52suAt0QeeZj1J
rpudLUs=
-----END CERTIFICATE REQUEST-----
[root@cmx newcert]#
Step 4. Create the certificate chain for import into CMX.
In order to create the final certificate, copy and paste the signed certificate into a .txt file with the private key, intermediate certificate, and root certificate. Ensure you save it as a .pem file.
This example shows the format of the final certificate.
-----BEGIN RSA PRIVATE KEY----- < Your Private Key
MIIEpAIBAAKCAQEA2gXgEo7ouyBfWwCktcYo8ABwFw3d0yG5rvZRHvS2b3FwFRw5
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- < Your CMX server signed certificate
MIIFEzCCAvugAwIBAgIBFzANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- < Your intermediate CA certificates
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- < The root CA certificate that signed your certificate
MIIGqjCCBJKgAwIBAgIJAPj9p1QMdTgoMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
...
-----END CERTIFICATE-----
Step 5. Transfer the final certificate into CMX.
In order to transfer the final certificate to CMX from your computer, open your SFTP application and connect to CMX with the admin credentials. You must be able to view the folders of CMX as shown in the image.
Then, drag and drop the chained certificate to the folder /home/cmxadmin/.
Note: The default directory when you open a SFTP connection to CMX is /home/cmxadmin/.
Step 6. Change the permission of the final certificate and owner. Then move it to the folder that contains the private key. Here is an example.
[root@cmx ~]# cd /home/cmxadmin/
[root@cmx cmxadmin]# chmod 775 final.pem
[root@cmx cmxadmin]# chown cmx:cmx final.pem
[root@cmx cmxadmin]# mv final.pem /opt/haproxy/ssl/newcert/
[root@cmx cmxadmin]# cd /opt/haproxy/ssl/newcert/
[root@cmx newcert]# ls -la
total 16
drwxr-xr-x 2 root root 4096 Apr 25 12:30 .
drwxr-xr-x 4 cmx cmx 4096 Apr 25 09:25 ..
-rw-r--r-- 1 root root 1054 Apr 25 11:01 cert.crt
-rwxrwxr-x 1 cmx cmx 0 Apr 25 12:29 final.pem
-rw-r--r-- 1 root root 1708 Apr 25 11:01 private.key
[root@cmx newcert]#
Step 7. Ensure that everything is properly built.
[root@cmx newcert]#openssl verify -CAfile /opt/haproxy/ssl/newcert/final.pem /opt/haproxy/ssl/newcert/final.pem
/opt/haproxy/ssl/newcert/final.pem: OK
You must get an OK message.
Step 8. Install the final certificate and reboot CMX.
[root@cmx newcert]#cmxctl node sslmode enable --pem /opt/haproxy/ssl/newcert/final.pem
enabling ssl
ssl enabled
[root@cmx newcert]#reboot
Step 9 (Optional). If you run CMX 10.3.1 or above, you can be affected by this bug:
- CSCvh21464 : CMX WEBUI doesnt use the installed self signed or third party certificate
This bug prevents CMX to update the certificate path. The workaround to solve this issue is to create two soft-links to point to the new certificate and private key, and reload CMX. Here is an example:
[root@cmx ~]# cd /opt/haproxy/ssl/
[root@cmx ssl]# mkdir backup
[root@cmx ssl]# mv host.pem backup/
[root@cmx ssl]# mv host.key backup/
[root@cmx ssl]# ln -s /opt/haproxy/ssl/newcert/final.pem host.pem
[root@cmx ssl]# ln -s /opt/haproxy/ssl/newcert/private.key host.key
[root@cmx ssl]#
[root@cmx ssl]# ls -la
total 16
drwxr-xr-x 4 cmx cmx 4096 Apr 25 12:59 .
drwxr-xr-x 6 cmx cmx 4096 Mar 31 2017 ..
lrwxrwxrwx 1 root root 36 Mar 26 09:58 host.key -> /opt/haproxy/ssl/newcert/private.key
lrwxrwxrwx 1 root root 38 Mar 26 09:58 host.pem -> /opt/haproxy/ssl/newcert/final.pem
drwxr-xr-x 2 root root 4096 Apr 25 12:30 newcert
[root@cmx ssl]#
[root@cmx ssl]# reboot
Verify
Open the GUI of CMX, in this case Google Chrome is used. Open the certificate by click on the Secure tab that is next to the URL and review the details as shown in the image.