Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.
Ask questions from Tuesday February 8 to Friday February 19, 2016
Cisco Unified Communications Manager is the IP-based call control solution that provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments. Securing the communication and integration with other applications is essential to keep the enterprise business secure.
This session will focus on answering questions regarding managing certificates in Unified Communications Manager: best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA-signed certificates, and troubleshooting Multi-Server SAN related issues.
Vasanth Kumar is a Technical Support Engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products, ranging from small to large scale deployments, for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated to Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certification.
Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions
To configure CUCM for secure RTP you have to follow these steps.
Now apply the configured file to the phone.
To test whether the RTP is secure, apply the secure profile to the two phones and make a call between them; once connected you will see a lock sign next to the timer.
It could happen because of two potential issues:
1. A new CSR was regenerated after submitting the old CSR. This regenerates the public (CSR)/private key pair, and hence the certificate you got from the CA does not contain the new public key. You would have to submit the CSR again to successfully upload the certificate.
2. It's also possible that the CSR has been modified by the CA in a way that it does not contain the same number of SAN (Subject Alternative Name) entries; this would also result in a failure to upload. The fix would be to not add any additional SANs to the CSR when submitting it to a CA.
Please, if someone can answer this.
MSE is appearing as offline/unreachable from Prime Infrastructure.
We need to enter the user/pass again in Prime for MSE and it again starts appearing reachable.
MSE running on Version 188.8.131.52
Prime Infrastructure running on 2.0
Please reach out to the right forum (Cisco Prime or MSE) to get your query answered.
This session is focusing on UCM Certificate Management and queries related to that.
Can we say that every time we press Generate CSR, CUCM will generate new public/private keys, and then all old certificates are invalid and we have to add new certificates?
Yes, every time you Generate CSR the keys will change. By default CUCM will take the latest keys and will try to match against those on upload.
But in this case, how will CUCM encrypt and decrypt if the keys are changed?
I will just try to clarify my question.
The Jabber client downloads the certificate from CUCM. In this case Jabber will use CUCM's public key to encrypt the traffic with CUCM.
If I create a new CSR (new public and private keys), then how will CUCM decrypt the traffic coming from Jabber? I suppose Jabber will use the old certificate (public key) to encrypt.
Once the signed certs are uploaded, CUCM uses those for all the HTTP communication and will continue to use them irrespective of whether the Generate New CSR button has been clicked.
But now if you give your old CSR and ask the CA to sign the cert, that cert will not be valid.
The encryption and decryption is only for the HTTP traffic, so that when you open the user page you don't get those warnings, or when you use it with Jabber the signed certs will not give you a pop-up to accept the certs, etc.
CUCM is a little intelligent: it knows that the Generate New CSR button has just been pressed but the cert has not been uploaded, so it will continue to use the old certs and keys for its functionality until the new cert is uploaded.
If the CSR is not signed in the first case, then the moment you generate a new CSR, Jabber will download that again and will prompt you for the new cert validity.
But if the cert is signed, it continues using the old keys and signed cert to encrypt and decrypt.
Just to add: whatever is already signed and uploaded will not be affected if you press the Generate CSR button after that.
The existing public/private key pair of the server is not broken when a new CSR is generated.
So there is no harm in generating a CSR unless the CA-signed CER is uploaded for the matching CSR.
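The two upload-failure causes given earlier (public key changed by a regenerated CSR, SAN list altered by the CA) and the key-change behaviour described in this thread can both be checked offline before touching CUCM. The following script is an added example, not code from the thread or from Cisco: it compares the public-key fingerprint and the SAN set of a CSR against a CA-signed certificate. The hostnames, the self-signed stand-in for the CA, and OpenSSL 1.1.1+ (for `-addext`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does this signed certificate belong to the CSR
# the CUCM node still holds? Assumes openssl 1.1.1+ on PATH.
set -eu

# SHA-256 fingerprint of the public key inside a CSR ($1=req) or certificate ($1=x509)
pubkey_fp() {
  openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Sorted Subject Alternative Name entries of a CSR ($1=req) or certificate ($1=x509)
san_list() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); n = split($0, a, ", "); for (i = 1; i <= n; i++) print a[i]}' \
    | sort
}

# Returns 0 when cert matches CSR on public key and SAN set; otherwise prints the reason, returns 1
check_cert_matches_csr() {  # $1 = csr.pem, $2 = cert.pem
  if [ "$(pubkey_fp req "$1")" != "$(pubkey_fp x509 "$2")" ]; then
    echo "MISMATCH: certificate public key differs from CSR (was a new CSR generated after submitting?)"
    return 1
  fi
  if [ "$(san_list req "$1")" != "$(san_list x509 "$2")" ]; then
    echo "MISMATCH: SAN entries in certificate differ from CSR"
    return 1
  fi
  echo "OK: certificate matches CSR public key and SAN entries"
}

# Constructed fixture standing in for the CUCM node and the CA: CSR 1 with two SANs, a cert
# issued for it, CSR 2 (a regenerated CSR, new key pair), and a cert whose SAN list the CA trimmed.
build_fixture() {  # $1 = working directory
  SAN='DNS:cucm-pub.example.com,DNS:cucm-sub.example.com'
  for n in 1 2; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key$n.pem" -out "$1/csr$n.pem" \
      -subj '/CN=cucm-pub.example.com' -addext "subjectAltName=$SAN" 2>/dev/null
  done
  printf 'subjectAltName=%s\n' "$SAN" > "$1/san.cnf"
  printf 'subjectAltName=DNS:cucm-pub.example.com\n' > "$1/san-altered.cnf"
  openssl x509 -req -in "$1/csr1.pem" -signkey "$1/key1.pem" -days 1 \
    -extfile "$1/san.cnf" -out "$1/cert-good.pem" 2>/dev/null
  openssl x509 -req -in "$1/csr1.pem" -signkey "$1/key1.pem" -days 1 \
    -extfile "$1/san-altered.cnf" -out "$1/cert-san-altered.pem" 2>/dev/null
}

D=$(mktemp -d); build_fixture "$D"
check_cert_matches_csr "$D/csr1.pem" "$D/cert-good.pem" || true         # OK
check_cert_matches_csr "$D/csr2.pem" "$D/cert-good.pem" || true         # cause 1: key mismatch
check_cert_matches_csr "$D/csr1.pem" "$D/cert-san-altered.pem" || true  # cause 2: SAN mismatch
```

Run it against the CSR downloaded from CUCM and the file returned by the CA; a key mismatch means the CSR must be resubmitted, a SAN mismatch means the CA changed the request.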
Are there any tech notes or documents stating which certificates automatically force cluster-wide phone reboots when changed?
The CUCM documentation just says that replacing a certificate MAY cause devices to reboot. My anecdotal evidence suggests it's when some certs on TFTP servers are replaced.