Jaime Valencia
Cisco Employee

In this video, I'll show you how to configure a Microsoft CA, running on a Windows 2012 Std server, to sign the tomcat certificate from CUCM.

I will assume you have already configured and installed the CA. If you need assistance on that topic, there's plenty of material on the web; you can use this as a reference:

https://technet.microsoft.com/en-us/library/cc731183.aspx

You might also want to change the validity period for your CA. If you're going to do this, I strongly recommend you do it right after you install your CA:

https://support.microsoft.com/en-us/kb/254632

The keys mentioned in the article above are still valid in newer releases.

Also, very important: bear in mind that SHA1 has been deprecated. When you configure the CA, you should choose another option; I'm using SHA256 in my lab.

If you're going to be doing multi-server certificates and have a public CA sign them, review the bugs mentioned in the Cert FAQ below, especially if you're on 10.5(x). As of November of this year, new changes in the procedure require all domains to be signed to be public domains, and the multi-server option will cause an error.

Any questions, comments, etc., you can reach me at javalenc@cisco.com

23 Comments
Jaime Valencia
Cisco Employee

I have not looked into certificate transparency. I would need to do some research before I could provide an answer, but that would take me some time, as right now I have plenty of other things that require my attention.

reza aminzaboli
Level 1

Hi Jaime, for the CUCM tomcat service you used the web template as a base in the MS CA. How about for the callmanager service or other services requiring certs?

Jaime Valencia
Cisco Employee

As I explain here:

http://docwiki.cisco.com/wiki/Certificates_FAQ

You usually want to look at the original certs that come self-signed, and try to adjust the template as close as possible to them.

reza aminzaboli
Level 1

I appreciate it, but my question was: do we still use the web template as a base?

Jaime Valencia
Cisco Employee

Yes, you can use it. You can use any template you want and modify as required.

Excellent article!

Thank you Jaime

Got a question about the CSR: when generating the CSR, I noticed the certificate in use has the IP address of the server as its CN, while the Common Name field of the CSR by default picks up the FQDN of the server.

Does it have any impact if I generate the CSR with the FQDN instead of the IP address in the Common Name field of the CSR?

johnk
Level 1

Nice job Jaime! This makes this much easier for me!

fachroky1
Level 1

Hi Jaime,

I have the same problem as “audvintech” in your command, but I clearly don't understand the language.

So do I need the CA certificate that is issued by the Microsoft CA instead of the self-signed certificate by CUCM?

Thanks,

Fachroky
