There are multiple reasons you might want to export the certificate from Cisco Expressway. Maybe you need to replace the server, move a certificate from one cluster node to another, back up the keys, or simply use it somewhere else.
Recently I was setting up a cluster and forgot to generate the key and CSR locally. Using OpenSSL locally the first time is the best way I’ve found to move, secure, and back up keys without needing an export. However, I forgot and generated the CSR on the Expressway node. I received the signed certificate from the CA and landed in this predicament. Expressway doesn’t have an export button, so you have to go digging. Grab the shovel.
Fortunately you have root access to Cisco Expressway. (If we were only so lucky with Communications Manager.)
I’m not suggesting that any modifications be done with this method, even though a quick poke around ssl.conf proves it’s not as complex as you’d think. We’re just looking at files.
SSH in as root and you’ll find the certs in this directory:
cd /tandberg/persistent/certs
The two files server.pem and privkey.pem are the ones you’re looking for. However, for sanity’s sake I’ll show you how to verify that this is the key that belongs to the certificate: the modulus of the public key in the certificate and the modulus of the private key should match.
If you want to verify the modulus block as part of the full cert text, do this:
openssl x509 -in server.pem -text -noout
openssl rsa -in privkey.pem -text -noout
If you want to check it without the cert text:
openssl x509 -in server.pem -modulus -noout
openssl rsa -in privkey.pem -modulus -noout
And the real shortcut is to compare an md5 of each modulus:
openssl x509 -in server.pem -modulus -noout | openssl md5
openssl rsa -in privkey.pem -modulus -noout | openssl md5
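As an added example (not part of the original post), here is that same modulus comparison wrapped in a small POSIX shell script. Because the real server.pem and privkey.pem only exist on the Expressway, it generates a throwaway key and cert pair, plus one unrelated key, to check against; it hashes with sha256 rather than md5, which changes nothing about the comparison.

```shell
#!/bin/sh
# Added example, not from the original post: check that a certificate and a
# private key belong together by hashing the RSA modulus of each, the same
# test as the openssl x509/rsa -modulus commands above (sha256 in place of md5).
set -eu

# Succeeds (exit 0) when the modulus in PEM cert $1 matches PEM private key $2.
cert_matches_key() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "not a PEM certificate: $cert" >&2; return 2; }
    openssl rsa -in "$key" -noout >/dev/null 2>&1 || {
        echo "not an RSA private key: $key" >&2; return 2; }
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus | openssl sha256)
    key_mod=$(openssl rsa -in "$key" -noout -modulus | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# Human-readable wrapper: prints "match" or "MISMATCH" and returns the result.
report() {
    if cert_matches_key "$1" "$2"; then
        echo "match:    $1 <-> $2"
    else
        echo "MISMATCH: $1 <-> $2"; return 1
    fi
}

# Constructed test material (stand-ins for server.pem and privkey.pem under
# /tandberg/persistent/certs), generated in a scratch directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=expressway.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/server.pem" 2>/dev/null
# An unrelated key, e.g. one regenerated after the CSR had already been signed.
openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null

report "$WORK/server.pem" "$WORK/privkey.pem"
report "$WORK/server.pem" "$WORK/other.pem" || true
```

Point cert_matches_key at the real files on the node and a non-zero exit tells you the key on disk is not the one the CA signed for.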
So now you’ve done the comparison, it matches, and you want to grab the private key:
cat privkey.pem
Copy pasta the text block and save it using your favorite editor. Now you have the files you need to upload to the other nodes using the GUI. Yes, there are ways to automate/move things around underneath without Expressway losing its mind, but this method is simple enough for everyone.
shh.. don’t let em take away our root account 😉
They’ll take it away soon for federal compliance
Source or conjecture?
Conjecture! But they’ll have to do this to achieve FedRAMP.
As soon as this product becomes a federal requirement, root access will go. The same happened with Prime Collaboration, which has been hardened from when it had root access in v10.6.
What format do you save the text file to? Can I just save it as a text file, then change the extension to .pem? Or .der?
What format do I upload the private key back to the Expressway in? I saved it off as a txt file; do I just change the extension to .pem or .der and upload?
You’ll be working with Base64 formatted .pem