Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Post a video
27741
Views
55
Helpful
23
Comments

How to sign certificates with a Microsoft CA

Jaime Valencia
Cisco Employee
Cisco Employee
‎10-19-2015 05:11 PM

 

(view in My Videos)

Through this video, I'll show you how to configure a Microsoft CA, running over a Windows 2012 Std server, to sign the tomcat certificate from CUCM.

I will assume you have already configured and installed the CA, if you need assistance on that topic, there's plenty of material on the web, you can use this as a reference:

https://technet.microsoft.com/en-us/library/cc731183.aspx

You might also want to change the validity period for your CA, if you're going to do this, I strongly recommend you do it right after you install your CA

https://support.microsoft.com/en-us/kb/254632

The keys mentioned in the above are still valid in newer releases.

Also, very important, bear in mind SHA1 has been deprecated, when you configure the CA, you should choose other option, I'm using SHA256 in my lab.

If you're going to be doing multi-server certificates and have public CA sign them, review the bugs mentioned in the Cert FAQ below, specially if you're on 10.5(x), as of November of this year, new changes in the procedure require all domains to be signed to be public domains, and the multi-server option will cause an error.

Any questions, comment, etc. you can reach me at javalenc@cisco.com

23 Comments
Muthurani Lavanya Paneerselvam
Level 9
Level 9
‎10-27-2015 11:59 PM
‎10-27-2015 11:59 PM

Jaime,

Very informative ! Kudos !

Regards

Lavanya

audvintech
Level 1
Level 1
‎11-12-2015 10:52 AM
‎11-12-2015 10:52 AM

Jaime, está excelente el video.

Nosotros estamos realizando un laboratorio en nuestras oficinas donde tenemos un CUCM, dos Expressway -C y E y un IM&P. Tomando como guía el video, estamos tratando de instalar los certificados en el CUCM y en el Expressway –C y no hemos logrado que se puedan validar los dos dispositivos.
Puedes por favor indicarnos cuales son los certificados que tenemos que instalar en ambos dispositivos para que puedan validarse o si tienes algún procedimiento para hacerlo.

Gracias,

Saludos.

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎11-12-2015 12:18 PM
‎11-12-2015 12:18 PM

El procedimiento es a grandes rasgos el mismo, los EXPs solo usan un certificado que debe tener client/server authentication. Del lado de CUCM sube Tomcat y IPsec, y verifica que el root certificate de quien firmo el certificado de CUCM se encuentre en el trust store de EXP-C y viceversa.

0 Helpful
audvintech
Level 1
Level 1
‎11-13-2015 11:08 AM
‎11-13-2015 11:08 AM

Jaime, 

Tenemos colocados los certificados tal como nos lo indicas, pero aún no podemos conectar al EXP-C con el CUCM. Nos muestra el siguiernte error:

"The Expressway-C cannot verify the self-signed CallManager certificate 'cucm-pub.dominio.local'. The trusted CA list has a matching entry but the Authority Key Identifier does not match that of the host which self-signed the CallManager certificate"

  Saludos, gracias.

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎11-13-2015 11:09 AM
‎11-13-2015 11:09 AM

El mensaje indica que el certificado que recibe con ese FQDN es un self-signed certificate, no uno firmado por otra entidad, si vas a usar self-signed, tienes que subir el root ca al EXP-C de quien firma el self-signed. Te recomiendo abras un caso con tu partner, o con el TAC para que puedan entrar a tu sistema a ver que error tienes en la configuración.

0 Helpful
audvintech
Level 1
Level 1
‎11-16-2015 10:06 AM
‎11-16-2015 10:06 AM

Jaime,

Gracias por la recomendación, abriremos el caso.

Saludos.

0 Helpful
audvintech
Level 1
Level 1
‎11-24-2015 11:39 AM
‎11-24-2015 11:39 AM

Saludos Jaime, gusto en saludarte.

Queria saber si se puede ver el video del seminario que hiciste hoy, referente a las soluciones de Colaboración de Cisco, lamenteblemente no pude conectarme.

Gracias.

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎11-24-2015 11:50 AM
‎11-24-2015 11:50 AM

La grabación estará disponible en aproximadamente 5 días, se va a postear en la comunidad en español en cuanto este lista.

0 Helpful
JustForVoice_2
Level 4
Level 4
‎02-02-2016 11:43 AM
‎02-02-2016 11:43 AM

Thank you for sharing (+5)

Can we have better quality video? 

Again thank you :)

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎02-02-2016 11:46 AM
‎02-02-2016 11:46 AM

For some reason, CSC appears to downgrade the quality of the videos, I actually recorded it at 720p, anyway, the ones on YouTube look better

https://www.youtube.com/playlist?list=PLFuOESqSTxEvZChqWgAJanctohRMe99CR

0 Helpful
JustForVoice_2
Level 4
Level 4
‎02-02-2016 11:55 AM
‎02-02-2016 11:55 AM

Thank you for sharing :)

what if I do not want to use MS server and I want to  deploy public digital certificate. 

shall I download the certificates and CSR to them or CSR only?

btw, I posted this post after seeing you video:

https://supportforums.cisco.com/discussion/12879421/jabber-pop-certificate-internal

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎02-02-2016 12:00 PM
‎02-02-2016 12:00 PM

This video is meant to cover, and provide the basics of how this work, if someone else is signing your CSRs, or you use some other option, like openSSL, you would simply generate the CSR, and have it signed.

Whoever is signing this, should provide you all necessary root/intermediate certs, as well as the server certificate. Most other CA options will honor the specs the CSR has in it, not MS CA, that's why I created the video, and explain the templates.

If you require assistance signing your certs, with some other alternative, I suggest you open a thread on that.

0 Helpful
Jacobo Gonzalez Juache
Level 1
Level 1
‎05-14-2016 09:02 AM
‎05-14-2016 09:02 AM

HI Jaime

I have a CUCM 10.5.2 a two Expressways C & E, these are in phase of deployment. I have a doubts with the certs.

If i do CSR to both CUCM and EXPs, with digest algoritm SHA256 and key length 2048, the CA Microsoft of my end customer has to configured to issue these certificates in the same digest algorithm and key length?
In this moment the CA Microsoft of my end customer is configured to issue certs with SHA1 and the key length es 2048.


At this point i did not get a secure connection with my cucm and my Expressways.I suspect that the CA do not issue my certs with correct algorithm.

Excellent Video. Thanks for shared this information.

Regards

0 Helpful
Jaime Valencia
Cisco Employee
Cisco Employee
‎05-14-2016 10:57 AM
‎05-14-2016 10:57 AM

SHA1 has been deprecated

https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

You can find a lot more info on that on google.

You don't necessarily need to use the same algorithm, but you certainly cannot be using SHA1 anymore, SHA256 is widely used, but you can use SHA2 as well, assuming you have verified compatibility for everything you'll be using it for.

As for the key length, yes, if the CSR is 2048, the certificate needs to be 2048, the cert template does not necessarily need to be configured for 2048, the field in the template is for minimum lenght.

0 Helpful
pmowry
Level 1
Level 1
‎10-24-2016 10:24 AM
‎10-24-2016 10:24 AM

Thanks for the detailed video.  But I have a question on what it takes to make new versions of Crome happy with their Certificate Transparency requirements.  What is the best approach to use for a private CA, and would you have a sample template change for a Microsoft CA?

Thank you,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
Discussions
Popular Articles
Customers Also Viewed These Support Documents