What information is required to create a Certificate Signing Request file (.csr)?


The table below lists the attributes which you should specify when creating a Certificate Signing Request file (.csr) for either a local or public Certificate Authority to sign. Those marked optional can be omitted if you are creating a certificate request file using the pki csr command for signing by a local CA.

| Attribute | Description | Optional/Required |
|---|---|---|
| CN | Common Name. This is the fully qualified domain name (FQDN) that specifies the server’s exact location in the Domain Name System (DNS). For example, a component with hostname webBridge1 and parent domain example.com has the fully qualified domain name webBridge1.example.com. The FQDN uniquely distinguishes the component from any other components called webBridge1 in other domains. | Required, see notes below |
| O | Organization or Business name. Usually the legal incorporated name of a company. It should include any suffixes such as Ltd., Inc., or Corp. Use “” around the attribute if more than one word, e.g. “Example Inc.” | Optional |
| OU | Organizational unit or Department name. For example, Support, IT, Engineering, Finance. Use “” around the attribute if more than one word, e.g. “Human Resources” | Optional |
| L | Location. City or town. For example, London, Boston, Milan, Berlin. | Optional |
| ST | Province, Region, County or State. For example, Buckinghamshire, California. Do not abbreviate. Use “” around the attribute if more than one word, e.g. “New Jersey” | Optional |
| C | Country. The two-letter ISO code for the country where your organization is located. For example, US, GB, FR. | Optional |
| An email address | An email address to contact the organization. Usually the email address of the certificate administrator or IT department. | Optional |
| SAN | Subject Alternative Name. From X.509 Version 3 (RFC 2459), SSL certificates are allowed to specify multiple names that the certificate should match. This field enables the generated certificate to cover multiple domains. It can contain IP addresses, domain names, email addresses, regular DNS host names, etc., separated by commas. If you specify this list you must also include the CN in this list. Although this is an optional field, the SAN field must be completed in order for XMPP clients to accept a certificate, otherwise the XMPP clients will display a certificate error. | Required for XMPP server certificates or if a single certificate is to be used across multiple components. See note below. Note: XMPP server is not supported from version 3.0 |

Note on using a dedicated certificate for the Web Bridge: in the CN field, specify the FQDN that is defined in the DNS A record for the Web Bridge. Failure to specify the FQDN may result in browser certificate errors.

Note: The XMPP server component is not supported from version 3.0, and has been removed from the Cisco Meeting Server software.

Note on using a dedicated certificate for the XMPP Server: in the CN field, specify the FQDN that is defined in the DNS SRV record for the XMPP Server. In the subjectAltName field, specify the domain name of the XMPP server and the DNS SRV record for the XMPP Server.

Note on using the same certificate across multiple components: If you intend to use the same certificate for the Web Bridge, XMPP Server and Call Bridge, then specify your domain name (DN) in the CN field, and in the SAN field specify your domain name (DN) and the FQDN for each of the components that will use the certificate.

Note on using the SAN field: ensure there are no spaces between the "," delimiter and the items in the list.

For example:

    CN=example.com

    SAN=callbridge.example.com,xmppserver.example.com,webbridge.example.com,example.com

If using the pki csr command, which has the syntax:

    pki csr <key/cert basename> <CN:value> [OU:<value>] [O:<value>] [ST:<value>] [C:<value>] [<subjectAltName:value>]

the command is:

    pki csr onecert CN:example.com subjectAltName:callbridge.example.com,xmppserver.example.com,webbridge.example.com

Note: if you use the pki command, the CN is automatically appended to the SAN list, so do not list the CN in the SAN list yourself, as shown in the example above.
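The SAN and quoting rules above, written as a pre-flight check that assembles the pki csr line before it is typed on the server. This is an added example, not Cisco's code: the function name `build_pki_csr` is hypothetical, and the quoted command-line form `O:"Example Inc."` is an assumption based on the quoting rule in the table.

```python
import re

# Optional attributes, in the order of the page's pki csr syntax line.
OPTIONAL_ATTRS = ("OU", "O", "ST", "C")

def build_pki_csr(basename, cn, san="", **attrs):
    """Return (command, covered): the pki csr line and the names it covers."""
    if not cn or "." not in cn or any(ch.isspace() for ch in cn):
        raise ValueError(f"CN must be an FQDN or domain name: {cn!r}")
    names, seen = [], {cn.lower()}
    if san:
        # Page rule: no spaces between the "," delimiter and the items.
        if any(ch.isspace() for ch in san):
            raise ValueError("SAN list must not contain spaces")
        for item in san.split(","):
            if not item:
                raise ValueError("empty entry in SAN list")
            # Page rule: pki appends the CN itself, so drop it (and repeats).
            if item.lower() not in seen:
                seen.add(item.lower())
                names.append(item)
    parts = ["pki", "csr", basename, f"CN:{cn}"]
    for key in OPTIONAL_ATTRS:
        value = attrs.pop(key, None)
        if value is None:
            continue
        if key == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            raise ValueError("C must be a two-letter ISO country code")
        # Page rule: wrap multi-word values in double quotes (assumed CLI form).
        parts.append(f'{key}:"{value}"' if " " in value else f"{key}:{value}")
    if attrs:
        raise ValueError(f"attributes not in the syntax line: {sorted(attrs)}")
    if names:
        parts.append("subjectAltName:" + ",".join(names))
    return " ".join(parts), names + [cn]

if __name__ == "__main__":
    # Constructed input: the page's generic SAN list, which includes the CN.
    cmd, covered = build_pki_csr(
        "onecert", "example.com",
        san="callbridge.example.com,xmppserver.example.com,"
            "webbridge.example.com,example.com")
    print(cmd)
    print("names covered:", ", ".join(covered))
```

Given the generic SAN list from the example above (which includes the CN), the function returns the same pki csr line the page shows, with the CN removed from subjectAltName.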

For more information, see Certificate Guidelines.

 

 

Last update: 27-Aug-2020
FAQ ID: 1250