Creating CSRs

  • Log in to REM with tacaccount
  • Change to the PKI directory:
cd /var/rem/etc/pki
  • Run the command below to create the CSR file <servername>.csr together with its private key <servername>-KeyFile.key (keep the key file on the server; only the CSR leaves it):
sudo openssl req -nodes -newkey rsa:2048 -keyout <servername>-KeyFile.key -out <servername>.csr
  • Copy the CSR file off the server using WinSCP or an alternative method.
  • Request that the CSR is signed, and make sure the issued certificate also includes a SAN (Subject Alternative Name) of <FQDN-of-REM-ContentSwitch>, so that the cert which will be imported covers both the server FQDN and the Content Switch FQDN.

e.g. CN=remoteexpert-serverA.mydomain.com
SAN=remote-expert.mydomain.com

where "remote-expert.mydomain.com" is the FQDN of the Content Switch VIP address for Remote Expert. Before importing, check the returned .cer with openssl x509 -noout -text and confirm both names are listed under Subject Alternative Name.

Importing Signed Certs

Note: before importing the certs, decide on and document the passwords for the various keystores, especially the password for the file keystore.jks, whose location and password are configured in the Tomcat config file detailed below. The openssl pkcs12 export and the keytool conversion each prompt for a password, and the JKS destination password must be the one entered as keystorePass in server.xml.

  • Using WinSCP, copy the signed .cer files to /home/<tacaccount>/
  • Log in to REM as tacaccount
  • Change to the PKI directory:
cd /var/rem/etc/pki
  • Run the command below, which creates the keystore file "keystore.pkcs12" (you are prompted for an export password):
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /home/<tacaccount>/<servername>.cer -inkey /var/rem/etc/pki/<servername>-KeyFile.key
  • Convert the PKCS#12 keystore to the JKS keystore Tomcat uses (you are prompted for the destination keystore password and the source PKCS#12 password):
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
  • This creates the file keystore.jks, which is referenced by Tomcat; the destination password entered here is the keystorePass value below.
  • Edit the Tomcat server.xml config file:
sudo vi /opt/cisco/server/tomcat/conf/server.xml
  • Update the keystoreFile and keystorePass attributes in the Connector below so that they reference the keystore file created above (/var/rem/etc/pki/keystore.jks) and its password:
<Connector
    port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="2000"
    acceptorThreadCount="2"
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/var/rem/etc/pki/<keystore-filename>.jks"
    keystorePass="<enter-your-password-here>"
    clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    />
  • Re-run the configuration script (no changes to the configuration file are needed). Because server.xml now holds the keystore password in clear text, check that the file is readable only by root and the Tomcat service account.
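The following script is an added example for both the "Creating CSRs" and "Importing Signed Certs" procedures above; it is not part of the Remote Expert Manager documentation. It repeats the documented openssl req and openssl pkcs12 -export steps with the checks a practitioner wants in between: the SAN with both names is written into the CSR itself rather than left for the CA to add, the returned certificate is verified against the private key and against both expected FQDNs before it is packaged, and the PKCS#12 export password is read from an environment variable instead of the command line. The self_sign function is a constructed stand-in for the real CA so the checks can run offline; the hostnames, working directory and password are placeholders, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example; not part of the Remote Expert Manager documentation.
# Reproduces the documented "openssl req" and "openssl pkcs12 -export" steps
# with the SAN written into the CSR and the issued certificate checked against
# the key and the expected names before packaging. self_sign stands in for
# the CA so everything runs offline. Hostnames, paths and the password are
# placeholders; openssl is assumed to be on PATH.
set -e

SERVER_FQDN="${SERVER_FQDN:-remoteexpert-serverA.mydomain.com}"  # the CN
CS_FQDN="${CS_FQDN:-remote-expert.mydomain.com}"                 # Content Switch VIP
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config: CN = server FQDN, SAN = server FQDN + Content Switch FQDN.
# The v3_req section doubles as the extension section for the stand-in CA.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $SERVER_FQDN
[v3_req]
subjectAltName = DNS:$SERVER_FQDN,DNS:$CS_FQDN
EOF
}

# make_csr KEY CSR: key + CSR as in the procedure, with the SAN included.
make_csr() {
    write_req_config
    openssl req -nodes -newkey rsa:2048 -keyout "$1" -out "$2" \
        -config "$WORKDIR/req.cnf" 2>/dev/null
}

# self_sign KEY CSR CERT: constructed stand-in for the real CA; copies the
# requested v3_req extensions into the certificate as a CA normally would.
self_sign() {
    openssl x509 -req -in "$2" -signkey "$1" -out "$3" -days 30 \
        -extfile "$WORKDIR/req.cnf" -extensions v3_req 2>/dev/null
}

# has_san CERT FQDN: succeeds only if FQDN is one of the DNS names in the SAN.
has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' \
        | grep -qxF -- "DNS:$2"
}

# key_matches_cert KEY CERT: compare SHA-256 of the DER public key on both
# sides, so a certificate issued for some other key is never packaged.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pkcs12 KEY CERT OUT: the documented export, with the password taken
# from PKCS12_PASS instead of the command line (nothing in shell history),
# and the resulting file restricted to its owner.
make_pkcs12() {
    [ -n "${PKCS12_PASS:-}" ] || { echo "set PKCS12_PASS first" >&2; return 1; }
    openssl pkcs12 -export -in "$2" -inkey "$1" -out "$3" -passout env:PKCS12_PASS
    chmod 600 "$3"
}

# pkcs12_subject P12: subject of the certificate inside the keystore, to
# confirm the right cert landed in the file before keytool converts it.
pkcs12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PKCS12_PASS 2>/dev/null \
        | openssl x509 -noout -subject
}

# End-to-end run, only when invoked as: PKCS12_PASS=... sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    make_csr "$WORKDIR/server.key" "$WORKDIR/server.csr"
    self_sign "$WORKDIR/server.key" "$WORKDIR/server.csr" "$WORKDIR/server.cer"
    for n in "$SERVER_FQDN" "$CS_FQDN"; do
        has_san "$WORKDIR/server.cer" "$n" || { echo "missing SAN $n" >&2; exit 1; }
    done
    key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.cer" \
        || { echo "certificate does not match key" >&2; exit 1; }
    make_pkcs12 "$WORKDIR/server.key" "$WORKDIR/server.cer" "$WORKDIR/keystore.pkcs12"
    echo "keystore.pkcs12 holds: $(pkcs12_subject "$WORKDIR/keystore.pkcs12")"
fi
```

In the real procedure the self_sign step is replaced by sending server.csr to the CA and saving the returned <servername>.cer; has_san and key_matches_cert are then run against that file before the pkcs12 export, and the keytool conversion follows exactly as documented.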