This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ACS 4.2. If you are unable to use these instructions for your server, Symantec recommends that you contact Cisco.
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
To generate a Certificate Signing Request (CSR), please perform the following steps:
- In the navigation bar, click System Configuration.
- Click ACS Certificate Setup, then click Generate Certificate Signing Request.
- Cisco Secure ACS displays the Generate Certificate Signing Request page.
- In the Certificate Subject box, type the values for the certificate fields required by Symantec.
NOTE: The format is: Field=Value, Field=Value, where Field is the field name, such as CN, and Value is the applicable value for that field.
You can type a maximum of 256 characters in the Certificate Subject box. Separate values with commas.
For example: CN=www.symantec.com, O=Symantec Corporation., OU=Department, C=US, S=California, L=Mountain View
- The following information defines the valid fields that you can include in the "Certificate Subject" box:
CN= The fully-qualified domain name to which your certificate will be issued.
OU= This field is optional, but it can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
O= The full legal name of your company.
L= Usually the city of your organization's main office, or a main office for your organization.
S= Enter the full name of your state or province.
Note: Make sure the State or Province is not abbreviated (e.g. California).
C= Enter the two-character abbreviation of the country in which your organization resides (e.g. US).
E= Email address (This is not needed for our system to generate a certificate, and will be ignored)
- In the Private Key File box, type the full directory path and name of the file in which the private key is saved.
For example: c:\privatekeyfile.pem
- In the Private Key Password box, create a password for your private key.
NOTE: Make sure to save your private key password. You will need to use this password again. If you lose your password, you will not have access to your private key and the certificate will not install when received.
- In the Retype Private Key Password box, retype the private key password.
- From the Key Length list, select the length of the key to be used.
NOTE: All certificates that will expire after October 2013 must have a 2048-bit key size.
- From the Digest to Sign With list, select the digest (or hash algorithm).
- Click Submit. Cisco Secure ACS displays a CSR on the right side of the browser.
- To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad that does not add extra characters.
- Verify your CSR
- During certificate enrollment, you will be asked to select a server platform. Choose Apache.
Once the SSL certificate has been issued, follow the steps from this link to install it on the server: SO22577
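The Certificate Subject rules above (Field=Value pairs separated by commas, 256 characters maximum, full state name, two-character country) can be checked before the string is typed into ACS. The following is an added example, not Cisco or Symantec code; the function names are hypothetical, and it assumes that values contain no commas and that every field except OU and E must be present.

```python
# Added example: pre-submission check of an ACS "Certificate Subject" string.
MAX_LEN = 256                           # limit stated for the Certificate Subject box
KNOWN = ("CN", "OU", "O", "L", "S", "C", "E")
REQUIRED = ("CN", "O", "L", "S", "C")   # assumption: all fields except OU and E

def parse_subject(subject):
    """Split 'Field=Value, Field=Value' into a list of (field, value) pairs."""
    pairs = []
    for part in subject.split(","):     # assumption: no commas inside values
        field, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not in Field=Value form: {part.strip()!r}")
        pairs.append((field.strip().upper(), value.strip()))
    return pairs

def check_subject(subject):
    """Return a list of findings; an empty list means nothing to fix."""
    problems = []
    if len(subject) > MAX_LEN:
        problems.append(f"subject is {len(subject)} characters, limit is {MAX_LEN}")
    try:
        pairs = parse_subject(subject)
    except ValueError as exc:
        return problems + [str(exc)]
    fields = {}
    for field, value in pairs:
        if field not in KNOWN:
            problems.append(f"unknown field {field}")
        elif field in fields:
            problems.append(f"duplicate field {field}")
        elif not value:
            problems.append(f"empty value for {field}")
        fields.setdefault(field, value)
    for field in REQUIRED:
        if field not in fields:
            problems.append(f"missing field {field}")
    country = fields.get("C", "")
    if country and not (len(country) == 2 and country.isalpha()):
        problems.append("C must be a two-character country code")
    state = fields.get("S", "")
    if state and len(state) <= 2:       # heuristic for an abbreviated state
        problems.append("S looks abbreviated; use the full state or province name")
    if "E" in fields:
        problems.append("E is ignored when the certificate is generated")
    return problems

# Constructed sample: the subject line shown on this page.
SAMPLE = ("CN=www.symantec.com, O=Symantec Corporation., OU=Department, "
          "C=US, S=California, L=Mountain View")
```

Calling check_subject(SAMPLE) returns an empty list; a subject with S=CA or C=USA returns one finding per rule it breaks.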