Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9571
Views
290
Helpful
60
Replies

Ask the Expert: Certificate Management in Cisco Unified Communications Manager (CUCM)

Go to solution
Monica Lluis
Level 9
Level 9

‎02-08-2016 09:40 AM - edited ‎03-18-2019 11:48 AM

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to manage  certificates in Unified Communications Manager with Cisco expert  Vasanth Kumar.

Ask questions from Tuesday February 8 to Friday February 19, 2016

Cisco Unified Communications Manager is the IP based call control solution which provides comprehensive solution for enterprise collaboration needs, Cisco UCM integrates with various other applications and third party deployments. Securing the communication and integration with other application is essential to keep the enterprise business secure.

This session will focus on answering question regarding managing the certificates in Unified Communications Manager, best practices , how to proactively mitigate issues with certificate expiration and common deployment issues related to third party CA signed certificate and troubleshooting Multi-Server SAN related issues.

  

Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India.  He is expert on Cisco Unified Communication Manager and he has actively working on Voice Gateways and IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting UC products ranging from small to large scale deployment for five years. Kumar  holds a bachelor's degree in Electronics and Communication from DCE a college affiliated to Anna University Chennai, CCIE in Voice and Collaboration (#39543) he has also achieved RHCE and VCP certification.

Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community

Find other  https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

 

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead
3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gursimrat Pal Singh Khaira
Level 1
Level 1
In response to John Ventura

‎02-10-2016 10:01 AM

To configure the CUCM for secure RTP you have to follow these steps

  1. Run this command on CUCM Publisher by SSH to OS Admin “utils ctl set-cluster mixed-mode”
  2. Please restart all CUCM servers in the cluster.
  3. Please go to the system>>>> Phone Security >>>> Find the phone model you want to secure
  4. Copy the default non secure profile.
  5. Change the name to secure profile
  6. Change the Device Security Mode to Encrypted
  7. Check the box which says TFTP Encrypted Config
  8. Select the Authenticated mode to “by Existing certificate (Precedence to LSC) recommended by cisco.
  9. Set the encryption bit to 2048

 

Now apply the configured file to the phone

  1. Select the phone where you want to apply this profile
  2. On the phone page select Device Security Profile as secure profile
  3. In Certification Authority Proxy Function (CAPF) Information select “Certificate Operation” as Install and upgrade
  4. Save and reset the phone.
  5. Phone will restart for 4-5 times to download the certificate and encrypted configuration.

 

To test if the RTP is secure, apply secure profile to the 2 phones and make a call between them and once connected you will see lock sign next to timer

View solution in original post

60 Replies 60

Go to solution
Jackson Braddock
Level 1
Level 1

‎02-08-2016 12:18 PM

Hi Vasanth,

I'm unable to upload CA signed certificate which I got after submitting the CSR generated by UCM, what could be the issue?

Jackson

0 Helpful

Go to solution
vasank
Cisco Employee
Cisco Employee
In response to Jackson Braddock

‎02-08-2016 06:23 PM

Hi Jackson,

It could happen because of two potential issues:

1. Either a new CSR was regenerated after submitting a old CSR. This would regenerate the Public(CSR)/Private key and hence the certificate which you got from CA does not contain the new publick key. You would have to submit the CSR again to successfully upload the certificate.

2. It's also possible that the CSR has been modified by CA in a way that it does not contain the same number of SAN(Subject Alternate Names) entries, this would also result in failure to upload. The fix would be to not add any additional SAN to CSR when submitting to a CA.

Thanks,

Vasanth

0 Helpful

Go to solution
binny4uv0
Level 1
Level 1
In response to vasank

‎02-10-2016 01:09 AM

Hi Team,

Please if someone can answer this.

MSE is appearing as offline/ Unreachable from Prime Infrastructure 

we need to put user/ pass again in prime for MSE and it again start appearing reachable.

MSE running on Version 8.0.110.0

Prime Infrastructure running on 2.0

With Regards

Binish

0 Helpful

Go to solution
vasank
Cisco Employee
Cisco Employee
In response to binny4uv0

‎02-10-2016 03:25 AM

Hi Binish,

Please reach out to the right forum (Cisco Prime or MSE) to get your query answered.

This session is focussing on UCM Certificate Management and queries related to that.

Thanks,

Vasanth

0 Helpful

Go to solution
JustForVoice_2
Level 4
Level 4
In response to vasank

‎02-11-2016 11:16 AM

Hello,

Can we say every time we press Generate CSR, it means the CUCM will generate new Public/Private keys and then all old certificates are invalid and we have to add new certificates?

0 Helpful

Go to solution
Gursimrat Pal Singh Khaira
Level 1
Level 1
In response to JustForVoice_2

‎02-11-2016 12:43 PM

Yes, every time you Generate CSR the keys will change. By default the cucm will take the latest keys and will try to match with those when upload.

Go to solution
JustForVoice_2
Level 4
Level 4
In response to Gursimrat Pal Singh Khaira

‎02-11-2016 12:56 PM

But in this case how CUCM will encrypt and decrypt if the keys are changed?

I will just try to clarify my question. 

Jabber client download the certificate from CUCM. In this case jabber will use CUCM's Public key to encrypt the traffic with CUCM.

If I create new CSR (new Public and Private keys) then how the CUCM will decrypt the traffic coming from Jabber? I suppose Jabber will use the old certificate (Public Key) to encrypt.

0 Helpful

Go to solution
Gursimrat Pal Singh Khaira
Level 1
Level 1
In response to JustForVoice_2

‎02-11-2016 12:59 PM

Once the signed certs are uploaded CUCM uses those for all the HTTP communication and will continue to use those irrespective of the generate new CSR button has been clicked.

but now if you give your old csr and ask the CA to sign the cert that cert will not be valid.

The encryption and decryption is only for the HTTP traffice that when open the user page you dont get those warnings or when you use it with the JABBER the signed certs will not give you pop up to accept the certs etc.

CUCM is little intelligent that he know that he has just pressed the generate new CSR button but not uploaded the cert, so I will continue to use the old certs and keys for my functionalities till he uploads the new cert

Go to solution
Gursimrat Pal Singh Khaira
Level 1
Level 1
In response to JustForVoice_2

‎02-11-2016 01:05 PM

If the CSR is not signed in the first case then, moment you generate new CSR jaber will download that again and will prompt you for the new CERT validity 

but if the cert is signed it continue using the old keys and signed cert to encrypt and decrypt

0 Helpful

Go to solution
Gursimrat Pal Singh Khaira
Level 1
Level 1
In response to JustForVoice_2

‎02-11-2016 12:45 PM

Just to add what ever is already signed and uploaded will not be affected if you press generate CSR button after that

Go to solution
vasank
Cisco Employee
Cisco Employee
In response to JustForVoice_2

‎02-11-2016 01:25 PM

[correction]

The exsisting Public/Private key pair is not broken of the server when a new CSR is generated.

So there is no harm in generating a CSR unless the CA signed CER is uploaded for the matching CSR.

Thanks,

Vasanth

Go to solution
JustForVoice_2
Level 4
Level 4
In response to vasank

‎02-11-2016 01:25 PM

Thank you for your clarification. So, it's much better to avoid pressing Generate CSR after getting a signed certificate.

0 Helpful

Go to solution
Gordon Ross
Level 9
Level 9

‎02-09-2016 12:23 AM

Are there any tech notes or documents stating what certificates automatically forces cluster wide phone reboots when changed?

The CUCM documentation just says that replacing a certificate MAY cause devices to reboot. My anecdotal evidence suggests it's when some certs on TFTP servers are replaced.

GTG

Please rate all helpful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents