02-08-2016 09:40 AM - edited 03-18-2019 11:48 AM
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.
Ask questions from Tuesday February 8 to Friday February 19, 2016
Cisco Unified Communications Manager is the IP-based call control solution that provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments. Securing the communication and integration with other applications is essential to keeping the enterprise business secure.
This session will focus on answering questions regarding managing the certificates in Unified Communications Manager, best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA-signed certificates, and troubleshooting Multi-Server SAN related issues.
Vasanth Kumar is a Technical Support Engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products ranging from small to large scale deployments for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated with Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certifications.
Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.
Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.
02-11-2016 12:00 PM
There are no disadvantages. If you are adding a server certificate, please ensure the corresponding service is restarted for the new certificate to take effect. The CA certificate, when uploaded to one of the nodes in the cluster, gets replicated to all nodes, and hence there is no need to upload certificates which are added as tomcat-trust and xmpp-trust.
You can also refer to the following tech-note which exactly addresses your scenario:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
Thanks,
Vasanth
02-11-2016 12:13 PM
Thank you for sharing this document.
Do I need to send other information in addition to the CSR to the CA to get a publicly signed certificate?
I'm not sure, but I think if the settings in CUCM do not match other settings like Organization and Organizational Unit (OU), then the certificate will not work?
02-11-2016 12:30 PM
The CSR generated by UCM contains information such as your organization name, common name (domain name), locality, and country.
Please ensure the CA does not change any information presented in the CSR.
Administrators who generate the certificate after the CSR is submitted also need to ensure that, for tomcat, the following extension usages are made available (they are usually part of the certificate issuing template):
X509v3 extensions:
X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
Thanks,
Vasanth
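As an added check for the answer above (an example script written for this thread, not Cisco's code and not part of the original post): the script uses the openssl command line to generate a key and CSR with a constructed subject, signs the CSR twice as a stand-in for the CA, once with the key usage template listed above and once with a weaker template that drops client authentication, and then verifies that an issued certificate keeps the CSR subject unchanged and carries every required Key Usage and Extended Key Usage value. The file names, the subject and the hostname are assumptions made for the demonstration; the same check_tomcat_cert function can be pointed at a real CSR and the certificate a CA returned for it.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a CA-issued tomcat certificate
# keeps the CSR subject and carries the required Key Usage / Extended Key Usage.
# Requires the openssl CLI. Subject, hostname and file names are constructed.
set -e
WORK=$(mktemp -d)

# Key and CSR with a constructed subject, standing in for the CSR CUCM generates.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=US/O=Example Corp/OU=Collaboration/CN=cucm-pub.example.com" \
  -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" 2>/dev/null

# Extension template with the values the answer lists for tomcat.
cat > "$WORK/tomcat-ext.cnf" <<'EOF'
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# Weaker template (no client authentication) to show the check rejecting it.
cat > "$WORK/weak-ext.cnf" <<'EOF'
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-sign the CSR with each template; the self-signature stands in for the CA.
openssl x509 -req -in "$WORK/tomcat.csr" -signkey "$WORK/tomcat.key" -days 30 \
  -extfile "$WORK/tomcat-ext.cnf" -out "$WORK/tomcat-good.pem" 2>/dev/null
openssl x509 -req -in "$WORK/tomcat.csr" -signkey "$WORK/tomcat.key" -days 30 \
  -extfile "$WORK/weak-ext.cnf" -out "$WORK/tomcat-weak.pem" 2>/dev/null

# ext_line CERT LABEL -> prints the value line that follows "X509v3 <LABEL>:"
# in the certificate text dump (empty when the extension is absent)
ext_line() {
    openssl x509 -in "$1" -noout -text |
        awk -v label="X509v3 $2:" 'index($0, label) { getline; print; exit }'
}

# check_tomcat_cert CSR CERT -> returns 0 when CERT keeps the CSR subject and
# has all required Key Usage / Extended Key Usage values, 1 otherwise
check_tomcat_cert() {
    csr_subject=$(openssl req -in "$1" -noout -subject)
    cert_subject=$(openssl x509 -in "$2" -noout -subject)
    if [ "$csr_subject" != "$cert_subject" ]; then
        echo "FAIL: CA changed the subject: '$csr_subject' vs '$cert_subject'"
        return 1
    fi
    ku=$(ext_line "$2" "Key Usage")
    eku=$(ext_line "$2" "Extended Key Usage")
    for want in "Digital Signature" "Key Encipherment" "Data Encipherment"; do
        case "$ku" in
            *"$want"*) ;;
            *) echo "FAIL: Key Usage lacks '$want'"; return 1 ;;
        esac
    done
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$eku" in
            *"$want"*) ;;
            *) echo "FAIL: Extended Key Usage lacks '$want'"; return 1 ;;
        esac
    done
    echo "OK: $2 keeps the CSR subject and has the tomcat key usage values"
    return 0
}

# Demonstration: the full template passes, the weaker one is rejected.
check_tomcat_cert "$WORK/tomcat.csr" "$WORK/tomcat-good.pem"
if ! check_tomcat_cert "$WORK/tomcat.csr" "$WORK/tomcat-weak.pem"; then
    echo "weak certificate rejected as expected"
fi
```

The subject comparison deliberately uses the same openssl build for both the CSR and the certificate, so any change the CA makes to the DN shows up as a mismatch regardless of how that build formats the subject line.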
02-11-2016 02:37 PM
In CUCM Certificates we have tomcat and tomcat-trust. Can I know the difference?
02-11-2016 08:09 PM
tomcat is the server certificate and tomcat-trust contains all the certificates which it needs to trust.
So tomcat-trust has:
1. server certificate
2. Other node(s) certificates
3. External web server certificate for any third-party integration
Thanks,
Vasanth
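To make the distinction concrete, the following added example (written for this thread; not Cisco's code and not part of the original answer) builds file-based stand-ins for tomcat-trust with openssl: a constructed root CA, a cluster node certificate issued by it, and a self-signed certificate from a third-party web server. Verifying each peer against two trust stores shows that the node certificate is trusted through the root CA entry alone, while the third-party certificate is trusted only once its own certificate is in the store, which is why such a certificate has to be uploaded as tomcat-trust. All names and hostnames are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: what a trust store like tomcat-trust does.
# Requires the openssl CLI. All names and hostnames are constructed.
set -e
TRUST_WORK=$(mktemp -d)

# Private root CA standing in for the enterprise CA that signs cluster certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Example Corp/CN=Example Root CA" \
  -keyout "$TRUST_WORK/root.key" -out "$TRUST_WORK/root.pem" 2>/dev/null

# Certificate of another cluster node, issued by that root CA.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/O=Example Corp/CN=cucm-sub1.example.com" \
  -keyout "$TRUST_WORK/sub1.key" -out "$TRUST_WORK/sub1.csr" 2>/dev/null
openssl x509 -req -in "$TRUST_WORK/sub1.csr" \
  -CA "$TRUST_WORK/root.pem" -CAkey "$TRUST_WORK/root.key" -CAcreateserial \
  -days 30 -out "$TRUST_WORK/sub1.pem" 2>/dev/null

# Self-signed certificate of a third-party web server that the cluster
# integrates with; it was not issued by the enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Other Corp/CN=webapp.other.example" \
  -keyout "$TRUST_WORK/other.key" -out "$TRUST_WORK/other.pem" 2>/dev/null

# Two candidate trust stores (file stand-ins for tomcat-trust): one holding
# only the root CA, one that also holds the third-party certificate.
cp "$TRUST_WORK/root.pem" "$TRUST_WORK/trust-root-only.pem"
cat "$TRUST_WORK/root.pem" "$TRUST_WORK/other.pem" > "$TRUST_WORK/trust-with-thirdparty.pem"

# trusted_by STORE CERT -> returns 0 when CERT chains to an entry in STORE,
# non-zero otherwise (openssl verify's exit status)
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration: each peer certificate against each trust store.
for store in trust-root-only trust-with-thirdparty; do
    for peer in sub1 other; do
        if trusted_by "$TRUST_WORK/$store.pem" "$TRUST_WORK/$peer.pem"; then
            echo "$store: $peer.pem trusted"
        else
            echo "$store: $peer.pem NOT trusted"
        fi
    done
done
```

The node certificate never needs its own entry in the store because its issuer (the root CA) is already there; the third-party certificate has no trusted issuer, so only its own certificate makes it verifiable.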
02-12-2016 12:58 AM
Thank you again for your support. I read a lot about adding certificates, but I did not implement it until now. However, I tried to collect the steps that I should follow. Could you please review them and tell me if something is missing?
02-12-2016 02:04 AM
In step 6.2, upload the CA-signed XMPP certificate to the IMP server with cup-xmpp as the certificate purpose.
You need not deactivate and activate the TFTP server.
Thanks,
Vasanth
02-12-2016 03:00 AM
For step 6.2, even if I'm using CUCM 10 and later? As you know, they are now one cluster managed by one CUCM publisher.
02-12-2016 03:11 AM
Although the IMP service profile is configured on UCM, they have different certificate stores. You would have to log in to IMP, where the CSR was generated, and upload the certificate.
Thanks,
Vasanth
02-12-2016 03:16 AM
02-14-2016 04:17 AM
Is it possible to have more than one Root CA certificate on the cluster?
02-14-2016 05:23 AM
Hi,
Yes, you can have more than one Root CA certificate.
Thank you!
Vasanth
02-15-2016 01:56 AM
Hello
Are there any plans to allow wildcard certificates for any of the services, at least tomcat?
Is it possible to use the same certificate for multiple services on the same server?
Thanks,
Finnur
02-15-2016 05:31 PM
Hi Finnur
There are no plans of supporting wildcard certificates, including for tomcat. However, you can use a Multi-Server SAN certificate, which fetches all the hostnames of the servers within the cluster and generates a CSR with multiple Subject Alternate Name(s); this can be sent to the CA and used across the cluster.
Thanks,
Vasanth
02-16-2016 04:22 AM
Hi Vasanth,
There is a problem today with Jabber in that it needs both the Tomcat and the Cup-xmpp certificate (and Callmanager if we would like to secure the RTP).
I often get questions from customers on why we need several certificates with the same name.
Since we have the Multi-server SAN certificate, it would be much simpler and cheaper if we could use ONE certificate for at least the services (Tomcat, Cup-xmpp, Callmanager) that the Jabber clients use.
Do you think Cisco will alter this behavior of the CUCM in future releases, or are we stuck with having one certificate per service?
thanks
Mikael Hansson