How to sign certificates with a Microsoft CA

Jaime Valencia
Hall of Fame Cisco Employee


Through this video, I'll show you how to configure a Microsoft CA, running on a Windows 2012 Standard server, to sign the tomcat certificate from CUCM.

I will assume you have already installed and configured the CA. If you need assistance on that topic, there's plenty of material on the web; you can use this as a reference:

https://technet.microsoft.com/en-us/library/cc731183.aspx

You might also want to change the validity period for your CA. If you're going to do this, I strongly recommend you do it right after you install your CA:

https://support.microsoft.com/en-us/kb/254632

The registry keys mentioned in that article are still valid in newer releases.

Also, very important: bear in mind that SHA1 has been deprecated. When you configure the CA, you should choose another option; I'm using SHA256 in my lab.

If you're going to be doing multi-server certificates and have a public CA sign them, review the bugs mentioned in the Cert FAQ below, especially if you're on 10.5(x). As of November of this year, changes in the procedure require all domains being signed to be public domains, and the multi-server option will cause an error.

Any questions, comment, etc. you can reach me at javalenc@cisco.com

23 Comments

Jaime,

Very informative! Kudos!

Regards

Lavanya

audvintech
Beginner

Jaime, the video is excellent.

We are building a lab in our offices where we have a CUCM, two Expressways (C and E) and an IM&P. Using the video as a guide, we are trying to install the certificates on the CUCM and on the Expressway-C, and we have not been able to get the two devices to validate each other.
Could you please tell us which certificates we need to install on both devices so that they can validate each other, or whether you have a procedure for doing so.

Thanks,

Regards.

Jaime Valencia
Hall of Fame Cisco Employee

The procedure is broadly the same; the EXPs use only one certificate, which must have client/server authentication. On the CUCM side, upload Tomcat and IPsec, and verify that the root certificate of whoever signed the CUCM certificate is in the trust store of EXP-C, and vice versa.

audvintech
Beginner

Jaime,

We have installed the certificates just as you indicated, but we still cannot connect the EXP-C to the CUCM. It shows the following error:

"The Expressway-C cannot verify the self-signed CallManager certificate 'cucm-pub.dominio.local'. The trusted CA list has a matching entry but the Authority Key Identifier does not match that of the host which self-signed the CallManager certificate"

Regards, thanks.

Jaime Valencia
Hall of Fame Cisco Employee

The message indicates that the certificate it receives with that FQDN is a self-signed certificate, not one signed by another entity; if you are going to use self-signed, you have to upload to the EXP-C the root CA of whoever signs the self-signed one. I recommend you open a case with your partner, or with the TAC, so that they can get into your system and see what error you have in the configuration.

audvintech
Beginner

Jaime,

Thanks for the recommendation, we will open the case.

Regards.

audvintech
Beginner

Greetings Jaime, nice to hear from you.

I wanted to know whether it is possible to watch the video of the seminar you gave today about Cisco Collaboration solutions; unfortunately I was unable to connect.

Thanks.

Jaime Valencia
Hall of Fame Cisco Employee

The recording will be available in approximately 5 days; it will be posted in the Spanish-language community as soon as it is ready.

JustForVoice_2
Enthusiast

Thank you for sharing (+5)

Can we have a better quality video?

Again thank you :)

Jaime Valencia
Hall of Fame Cisco Employee

For some reason, CSC appears to downgrade the quality of the videos. I actually recorded it at 720p; anyway, the ones on YouTube look better:

https://www.youtube.com/playlist?list=PLFuOESqSTxEvZChqWgAJanctohRMe99CR

JustForVoice_2
Enthusiast

Thank you for sharing :)

What if I do not want to use an MS server and I want to deploy a public digital certificate?

Shall I download the certificates and the CSR to them, or the CSR only?

BTW, I posted this after seeing your video:

https://supportforums.cisco.com/discussion/12879421/jabber-pop-certificate-internal

Jaime Valencia
Hall of Fame Cisco Employee

This video is meant to cover and provide the basics of how this works. If someone else is signing your CSRs, or you use some other option, like OpenSSL, you would simply generate the CSR and have it signed.

Whoever is signing it should provide you all the necessary root/intermediate certs, as well as the server certificate. Most other CA options will honor the specs the CSR has in it; the MS CA does not, and that's why I created the video and explained the templates.

If you require assistance signing your certs with some other alternative, I suggest you open a thread on that.

Hi Jaime,

I have a CUCM 10.5.2 and two Expressways, C & E; these are in the deployment phase. I have some doubts about the certs.

If I do the CSR for both CUCM and the EXPs with digest algorithm SHA256 and key length 2048, does my end customer's Microsoft CA have to be configured to issue these certificates with the same digest algorithm and key length?
At the moment my end customer's Microsoft CA is configured to issue certs with SHA1 and a key length of 2048.

At this point I did not get a secure connection between my CUCM and my Expressways. I suspect that the CA does not issue my certs with the correct algorithm.

Excellent video. Thanks for sharing this information.

Regards

Jaime Valencia
Hall of Fame Cisco Employee

SHA1 has been deprecated:

https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

You can find a lot more info on that on Google.

You don't necessarily need to use the same algorithm, but you certainly cannot be using SHA1 anymore. SHA256 is widely used, but you can use SHA2 as well, assuming you have verified compatibility for everything you'll be using it for.

As for the key length: yes, if the CSR is 2048, the certificate needs to be 2048. The cert template does not necessarily need to be configured for 2048; the field in the template is for the minimum length.
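A scripted version of the CA-side steps from the video description (validity period via the KB254632 keys, template-forced signing) together with the checks from this reply (SHA256 signature, 2048-bit key, the EKUs each device needs), as an added PowerShell example that is not part of the original post or of any Cisco procedure; the CA config string, CSR file name and template name are assumed placeholders.

```powershell
# Added example, not from the video or from Cisco. Run on the CA host (or a
# domain workstation with the CA tools) after downloading the tomcat CSR from
# CUCM. Assumptions: CA config string "CA01\LAB-CA", CSR file tomcat.csr, and
# "LabWebServer" as a placeholder for your own duplicated Web Server template.
$caConfig = "CA01\LAB-CA"
$template = "LabWebServer"

# 1. Validity period: the registry keys from KB254632. Set them before issuing
#    anything; the change only applies after the CA service restarts.
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc
net start certsvc

# 2. Submit the CSR. The template named in -attrib is what the MS CA honours,
#    not the CSR's own attributes, so the template must carry the key usages the
#    device needs (Server Authentication for CUCM tomcat; both Server and Client
#    Authentication if the same template will also sign Expressway).
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" tomcat.csr tomcat.cer

# 3. Check what was actually issued against the points raised in the thread:
#    SHA256 signature, key at least 2048 bits, expected EKUs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "tomcat.cer"
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

$checks = [ordered]@{
    "sha256RSA signature"   = ($cert.SignatureAlgorithm.FriendlyName -eq "sha256RSA")
    "RSA key >= 2048 bits"  = ($cert.PublicKey.Key.KeySize -ge 2048)
    "Server Authentication" = ($ekus -contains "1.3.6.1.5.5.7.3.1")
    "Client Authentication" = ($ekus -contains "1.3.6.1.5.5.7.3.2")
}
foreach ($name in $checks.Keys) {
    "{0,-24} {1}" -f $name, $(if ($checks[$name]) { "OK" } else { "FAIL" })
}

# 4. Chain validation from the local trust store (the same issuer/AKI matching
#    Expressway does when it complains that the trusted CA list has no matching
#    signer); a failure here means the signing CA's root is missing or does not
#    match the issuer of this certificate.
certutil -verify tomcat.cer
```

If the CA was installed with SHA1, the signature check above fails regardless of what the CSR asked for; the hash algorithm is a property of the CA, not of the request.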

pmowry
Beginner

Thanks for the detailed video. But I have a question on what it takes to make new versions of Chrome happy with their Certificate Transparency requirements. What is the best approach to use for a private CA, and would you have a sample template change for a Microsoft CA?

Thank you,
