Cisco Meeting Server Certificate Requirements Demystified

meddane
Frequent Contributor

I noticed that the certificate requirements of a Cisco Meeting Server implementation are not covered in enough detail in many documents and videos. Understanding these requirements is mandatory to set up the Cisco Meeting Server and configure services such as Web Admin, Web Bridge and Call Bridge. In this article I detail, as much as possible, how to prepare the certificates, how to deal with the certificate fields such as the Common Name and Subject Alternative Name, how to build the chain certificate, and how to enable the CMS services.
See below for a detailed explanation.

topo-edraw-1.png

 

Certificate Preparation for Cisco Meeting Server

Certificate configuration is required for the Call Bridge, XMPP, Web Bridge and Web Admin services. Certificates should be signed by an internal or external certificate authority.

To generate a Certificate Signing Request (CSR) and private key locally on the CMS, the following command is used; I name the CSR cmscert.

1.png

To retrieve the CSR, log in to HQ-CMS using WinSCP.

Access the CA server 10.1.6.27.

Start the Certification Authority console and select Certificate Templates. Right-click Certificate Templates and select Manage.

Duplicate the Web Server template and configure the duplicate template to allow server and client authentication.

2.png

On the Certification Authority console, issue the new certificate template named CMS.

3.png

 Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Request a certificate, then click advanced certificate request.

4.png

Open the CSR in Notepad and paste its content into the request form. In Certificate Template, select Cisco Meeting Server.

Select Base 64 Encoded and click Download certificate.

5.png

6.png

Below is the certificate named cmscert, issued after the CSR was submitted to the CA.

7.png

A chain certificate is required to trust the cmscert certificate when you enable Web Admin and Call Bridge.

A chain certificate is a single file (with an extension of .pem, .cer or .crt) holding a copy of the Root CA's certificate and all intermediate certificates in the chain.

To create a chain certificate, you need the Root CA's (or issuing CA's) certificate and a Subordinate CA's certificate with the Common Name collab.com.

To get a Subordinate CA's certificate, we need to generate a CSR.

You can use the openssl tool to generate a CSR with the Common Name collab.com.

If you have not installed openssl, you can generate the CSR on the Cisco Meeting Server itself.

Access the HQ-CMS GUI using the url https://10.1.5.20:445.

From the CLI, type the following command; the CSR is named adcert and the Common Name is collab.com.

hq-cms>pki csr adcert CN:collab.com OU:CCNP O:Collaboration L:Hydra ST:Algiers C:AL

Retrieve the CSR named adcert: access HQ-CMS using WinSCP and copy the adcert CSR to your PC.

8.png

 Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Request a certificate, then click advanced certificate request.

9.png

Open the CSR in Notepad and paste its content into the request form. In Certificate Template, select Subordinate Certification Authority.

Select Base 64 Encoded and click Download certificate.

10.png

Below is the certificate named adcert, issued after the CSR was submitted to the CA.

11.png

 Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Download a CA certificate, certificate chain, or CRL.

12.png

 Select Base 64, then click Download CA certificate, name it Root-CA.

13.png

Below is the CA's certificate.

14.png

Now that the CA's certificate and the Subordinate CA's certificate with the Common Name collab.com are ready, we can create the chain certificate.

To create a chain certificate, use a plain text editor such as Notepad. All of the characters, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, need to be inserted into the document. There should be no space between the certificates: no spaces or extra lines between the -----END CERTIFICATE----- of certificate 1 and the -----BEGIN CERTIFICATE----- of certificate 2. Certificate 1 ends with -----END CERTIFICATE----- and the very next line holds -----BEGIN CERTIFICATE----- for certificate 2. At the end of the file there should be 1 extra line (a single trailing newline). Save the file with an extension of .pem, .cer, or .crt.

Open the adcert certificate created previously in Notepad.

15.png

Open the Root-CA certificate in Notepad.

16.png

Paste the adcert certificate first and then the Root-CA certificate after it, and save the file with a .cer extension. Name it CA-Chain.cer.

17.png

Below is the chain certificate named CA-Chain.

18.png

A chain certificate is also required for Web Bridge 3 in CMS version 3.

Open the cmscert certificate created previously in Notepad.

19.png

Open the CA-Chain certificate created previously in Notepad.

20.png

Paste the cmscert certificate first and then the CA-Chain certificate after it, and save the file with a .cer extension. Name it CMS-Chain.cer.

21.png

Below is the chain certificate named CMS-Chain.

22.png
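As an added example that is not part of the article, the following Python script builds CA-Chain and CMS-Chain files following the rules above and checks a chain file for the mistakes the text warns about (a blank line between two certificates, a missing or doubled trailing newline, a corrupt base64 body). The PEM blocks it uses are constructed placeholders, not real certificates, and it checks file layout only, not signatures or issuer order.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(rf"{BEGIN}\n(.+?)\n{END}", re.S)


def fake_pem(label: str) -> str:
    """Constructed placeholder block (assumption: arbitrary bytes stand in for
    the DER-encoded X.509 data a real .cer file carries)."""
    body = base64.b64encode(label.encode() * 20).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"{BEGIN}\n" + "\n".join(lines) + f"\n{END}\n"


def build_chain(*pem_texts: str) -> str:
    """Concatenate certificates in the order given (own or subordinate CA
    certificate first, root CA last): each END line is directly followed by
    the next BEGIN line and the file ends with exactly one newline."""
    blocks = []
    for text in pem_texts:
        bodies = PEM_BLOCK.findall(text)
        if not bodies:
            raise ValueError("input contains no PEM certificate block")
        blocks.extend(f"{BEGIN}\n{b}\n{END}" for b in bodies)
    return "\n".join(blocks) + "\n"


def check_chain(text: str) -> list:
    """Return the layout problems found; an empty list means the file follows
    the rules above and every base64 body decodes cleanly."""
    problems = []
    if not text.endswith(END + "\n"):
        problems.append("file must end with exactly one newline after the last END line")
    # An END line may only be followed by the next BEGIN line or the end of file.
    if re.search(rf"{END}\n(?!{BEGIN}|$)", text):
        problems.append("blank line or stray text between two certificates")
    for i, body in enumerate(PEM_BLOCK.findall(text), 1):
        try:
            base64.b64decode(body.replace("\n", ""), validate=True)
        except ValueError:
            problems.append(f"certificate {i} has a corrupt base64 body")
    return problems


if __name__ == "__main__":
    cmscert, adcert, root_ca = fake_pem("cmscert"), fake_pem("adcert"), fake_pem("Root-CA")
    ca_chain = build_chain(adcert, root_ca)      # CA-Chain.cer: subordinate CA + root CA
    cms_chain = build_chain(cmscert, ca_chain)   # CMS-Chain.cer: server cert + CA-Chain
    print(check_chain(cms_chain))                # [] when the file is well formed
```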

 Copy the three certificates cmscert, CA-Chain and CMS-Chain to hq-cms using WinSCP.

23.png

 You can use the pki list command to verify that the three certificates are present.

24.png

Enabling the Web Admin Service

By default, Web Admin listens on HTTPS port 443. However, we will enable the Web Bridge for conference users, and that service will be available on the default HTTPS port 443. To allow both services to co-exist, we configure Web Admin to listen on port 445.

On HQ-CMS, specify the interface and HTTPS port 445 for the web interface.

25.png

For the certificate to be used, specify the cmscert certificate created previously together with its key.

26.png

Finally, activate the Web Admin service.

27.png

Callbridge Configuration

Configure the Call Bridge on HQ-CMS to listen on interface a.

Specify the cmscert certificate created previously together with its key.

Restart the Call Bridge.

28.png

Verify the Call Bridge configuration on HQ-CMS.

29.png

Webbridge 3 Configuration

From the HQ-CMS CLI, enter the following commands.

30.png

On HQ-CMS, verify the webbridge3 configuration.

31.png

5 Comments
onyegbadocu
Beginner

My certificates have client and server authentication. The webbridge3 URL is not displaying any web page.

error: c2w://cms.domain.com:9999 connection failed ..

I have not been able to see where to enter the guest URL in CMS 3.2. Can you help?

meddane
Frequent Contributor

The most common cause of this kind of error is DNS resolution. The WebBridge should be able to resolve cms.domain.com to the IP of the call bridge, so the internal DNS should have an A record for cms.domain.com pointing to the IP of the callbridge. Can you confirm whether the certificate configuration for callbridge and webbridge3 is correct, as shown in my article?

 

For the guest URL, starting with CMS version 3.0.0, it can be entered in the API configuration, in the same webbridge section where you already configured c2w://cms.domain.com:9999; the guest URL should start with HTTPS://

 

Below is a capture of my implementation.

 

WEBBRIGDE.PNG

 

collinks2
Contributor

Thanks for your swift response. Yes, the certificates are all showing success.

I will enter the guest URL and check. My DNS is working very well.

If I type cms.domain.com:445 in the web browser, the CMS web page will display.

If I type https://join.fuotuoke.edu.ng, it won't load the page.

I will keep you posted.

 

collinks2
Contributor

Check screenshots: webbridge3.PNG, webbridge3-error.PNG, webbridge3url.PNG

meddane
Frequent Contributor

Can I have the output of the callbridge and webbridge3 commands?
