There’s multiple reasons you might want to export the certificate from Cisco Expressway. Maybe you need to replace the server, move a certificate from one cluster node to another cluster node, back up the keys, or simply use it somewhere else.
Recently I was setting up a cluster and forgot to generate the key and CSR locally. Using OpenSSL locally the first time is the best way I’ve found to move, secure, and backup keys without needing an export. However, I forgot and generated the CSR on the Expressway node. I received the signed certificate from the CA and landed in this predicament. Expressway doesn’t have an export button so you have to go digging. Grab the shovel.
Fortunately you have root access to Cisco Expressway. (If we were only so lucky with Communications Manager.)
I’m not suggesting that any modifications be done with this method. Even though a quick poking around ssl.conf proves it’s not as complex as you’d think. We’re just looking at files.
SSH as root and you’ll find the certs in this directory.
The two files server.pem and privkey.pem are the files you’re looking for. However, for sanity purposes I’ll show you how to verify this is the key you’re looking for. The public key modulus and the private key modulus should match.
If you want to verify the modulus block as part of the cert text then do this:
openssl x509 -in server.pem -text -noout
openssl rsa -in privkey.pem -text -noout
If you want to check it without the cert text:
openssl x509 -in server.pem -modulus -noout
openssl rsa -in privkey.pem -modulus -noout
And the real shortcut is using an md5 to match:
openssl x509 -in server.pem -modulus -noout | openssl md5
openssl rsa -in privkey.pem -modulus -noout | openssl md5
So now you’ve done the comparison, it matches and you want to grab the private key:
Copy pasta the text block and save using your favorite editor. Now you have the files you need to upload to the other nodes using the GUI. Yes, there are ways to automate/move things around underneath without Expressway losing it’s mind, but this method is simple enough for everyone.