Creating CSRs

  • Log in to REM with tacaccount
  • Browse to
    cd /var/rem/etc/pki
  • Run the below command to create CSR file <servername>.csr
sudo openssl req -nodes -newkey rsa:2048 -keyout <servername>-KeyFile.key -out <servername>.csr
  • Export the CSR file created using WinSCP or an alternative method.
  • Request that the CSRs are signed and make sure that the signed certs also include a SAN (Subject Alternative Name) of <FQDN-of-REM-ContentSwitch>, i.e. so that the cert which will be imported includes the server FQDN AND the Content Switch FQDN


where “<FQDN-of-REM-ContentSwitch>” is the FQDN of the Content Switch VIP address for Remote Expert.

Importing Signed Certs

Note: before importing the certs, decide and document passwords for the various keystores, especially the password for the file keystore.jks, whose location and password are configured in the Tomcat config file detailed below.

  • Using WinSCP, copy the signed .cer files to /home/<tacaccount>/
  • Log in to REM as tacaccount
  • Browse to
    cd /var/rem/etc/pki
  • Run the below command which will create the keystore file “keystore.pkcs12”
sudo openssl pkcs12 -export -out keystore.pkcs12 -in /home/<tacaccount>/<servername>.cer -inkey /var/rem/etc/pki/<servername>-KeyFile.key
  • This creates the file keystore.pkcs12. Then run the below command to import it into a JKS keystore
sudo keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
  • This creates the file keystore.jks, which is referenced by Tomcat
  • Edit the Tomcat server.xml config file
sudo vi /opt/cisco/server/tomcat/conf/server.xml
  • Update the lines below which reference the keystore file
                port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                scheme="https" secure="true" SSLEnabled="true"
                clientAuth="false" sslProtocol="TLS"
  • Re-run the configuration script (but nothing needs changing in the config file)
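
A pre-import check that can be run on the signed .cer before the openssl pkcs12 -export step above. It is an added example, not part of the original procedure: it confirms that the cert matches <servername>-KeyFile.key and that both required FQDNs are present in the SAN. The function name check_signed_cert is hypothetical, and the cert is assumed to be PEM-encoded, as the pkcs12 export command expects.

```shell
#!/usr/bin/env bash
# Added example (not from the original procedure).
# Usage: check_signed_cert <cert.cer> <keyfile.key> <dns-name>...
#   e.g. check_signed_cert /home/<tacaccount>/<servername>.cer \
#            /var/rem/etc/pki/<servername>-KeyFile.key \
#            <server-FQDN> <FQDN-of-REM-ContentSwitch>

# Returns 0 only if the certificate's public key matches the private key
# and every listed DNS name appears in the Subject Alternative Name.
# Returns 1 on a failed check, 2 if a file cannot be parsed.
check_signed_cert() {
    cert=$1; key=$2; shift 2

    # Extract the public key (PEM) from each file and compare them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate does not match private key" >&2
        return 1
    fi

    # Pull the SAN entries out of the text dump, one entry per line.
    # The values are on the line following the extension header.
    sans=$(openssl x509 -in "$cert" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n 1 |
           tr -d ' ' | tr ',' '\n')

    # Each required name must match a DNS: entry exactly (case-insensitive).
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qixF "DNS:$name"; then
            echo "FAIL: SAN is missing DNS:$name" >&2
            return 1
        fi
    done
    echo "OK: key matches and all required SANs are present"
}

# Run the check when the script is called with a cert, a key and names.
if [ "$#" -ge 3 ]; then
    check_signed_cert "$@"
fi
```

If the check fails on a missing SAN, return the CSR to the CA rather than importing the cert, since clients reaching REM through the Content Switch FQDN would get a name-mismatch error.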