Ask the Expert: Certificate Management in Cisco Unified Communications Manager (CUCM)

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.

Ask questions from Tuesday February 8 to Friday February 19, 2016

Cisco Unified Communications Manager is the IP-based call control solution which provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments. Securing the communication and integration with other applications is essential to keep the enterprise business secure.

This session will focus on answering questions regarding managing the certificates in Unified Communications Manager, best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA signed certificates, and troubleshooting Multi-Server SAN related issues.

  

Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products ranging from small to large scale deployments for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated with Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certification.

Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.

Find other  https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.

 

I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead

There are no disadvantages. If you are adding a server certificate, please ensure the corresponding service is restarted for the new certificate to take effect. The CA certificate, when uploaded to one of the nodes in the cluster, gets replicated to all nodes, and hence there is no need to upload certificates which are added as tomcat-trust and xmpp-trust.

You can also refer to the following tech-note which exactly addresses your scenario:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

Thanks,

Vasanth

Thank you for sharing this document.

Do I need to send other information in addition to the CSR to the CA to get a public signed certificate?

I'm not sure, but I think if the settings in CUCM do not match other settings like Organization or Organizational Unit (OU), then the certificate will not work?

The CSR generated by UCM contains information such as your organization name, common name (domain name), locality, and country.

Please ensure the CA does not change any information presented in the CSR.

Administrators who generate the certificate after the CSR is submitted also need to ensure that, for tomcat, the following extension usages are made available (they are usually part of the certificate issuing template):

X509v3 extensions:
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

Thanks,

Vasanth
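One way to check, before uploading a CA-signed tomcat certificate, that the CA neither altered the CSR subject nor dropped the Key Usage / Extended Key Usage values listed in the reply above. This is an added example, not code from Cisco or from this thread; the CSR, subject values and the self-signed "CA" certificate are constructed in-memory so the check runs offline, and in practice the CSR and certificate would be loaded from the PEM files downloaded from UCM and returned by the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Key Usage bits the reply above lists for the tomcat certificate.
const requiredKU = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment

// CheckTomcatCert compares the certificate the CA returned with the CSR it was issued for.
// An empty result means the subject and key pair are unchanged and the expected extensions are present.
func CheckTomcatCert(csr *x509.CertificateRequest, cert *x509.Certificate) []string {
	var problems []string
	if csr.Subject.String() != cert.Subject.String() {
		problems = append(problems, fmt.Sprintf("CA changed the subject: CSR %s, cert %s", csr.Subject, cert.Subject))
	}
	if !csr.PublicKey.(*ecdsa.PublicKey).Equal(cert.PublicKey) {
		problems = append(problems, "certificate public key does not match the CSR key pair")
	}
	if cert.KeyUsage&requiredKU != requiredKU {
		problems = append(problems, "Key Usage lacks Digital Signature, Key Encipherment or Data Encipherment")
	}
	have := map[x509.ExtKeyUsage]bool{}
	for _, e := range cert.ExtKeyUsage {
		have[e] = true
	}
	if !have[x509.ExtKeyUsageServerAuth] || !have[x509.ExtKeyUsageClientAuth] {
		problems = append(problems, "Extended Key Usage lacks TLS Web Server or TLS Web Client Authentication")
	}
	return problems
}

// DemoPair builds a constructed CSR and a certificate issued for it with the given EKU list
// (self-signed here so the example runs offline; a real CA signs with its own key).
func DemoPair(eku []x509.ExtKeyUsage) (*x509.CertificateRequest, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subj := pkix.Name{CommonName: "cucm-pub.example.com", Organization: []string{"Example Corp"}, Country: []string{"IN"}}
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: requiredKU, ExtKeyUsage: eku}
	certDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)
	cert, _ := x509.ParseCertificate(certDER)
	return csr, cert
}
```

Any entry in the returned list is a reason to go back to the CA rather than upload the certificate as "tomcat".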

JustForVoice_2
Level 4

In CUCM Certificates we have tomcat and tomcat-trust. Can I know the difference?

tomcat is the server certificate, and tomcat-trust contains all the certificates which it needs to trust.

So tomcat-trust has:

1. the server certificate
2. the other node(s)' certificates
3. external web server certificates for any third-party integration

Thanks,

Vasanth

JustForVoice_2
Level 4

Thank you again for your support. I read a lot about adding certificates but I have not implemented it till now. However, I tried to collect the steps that I should follow. Could you please review them and tell me if something is missed?

    1. Download CA Root Certificate from CA server
    2. Upload the CA Root Certificate to Unified CM, IM and Presence:
      1. From Cisco Unified OS Administration > Security > Certificate Management > Upload Certificate/Certificate chain > Choose tomcat-trust from the drop down menu. Do NOT choose tomcat > Upload CA root certificate.
      2. Upload the same CA root certificate to cup-xmpp-trust.
    3. Generate the CSR for tomcat.
    4. Generate the CSR for cup-xmpp
    5. Submit tomcat CSR and xmpp CSR to CA.
    6. After getting the certificates from the CA (I should have two certificates), upload:
      1. CA Signed Tomcat to CUCM. Set the Certificate Purpose value to tomcat (NOT tomcat-trust).
      2. CA signed XMPP to CUCM. Set the Certificate Purpose value to cup-xmpp
    7. Restart:
      1. Tomcat service
      2. XCP router
    8. Deactivate and activate Cisco TFTP service.

In step 6.2, upload the CA signed XMPP certificate to the IMP server with cup-xmpp as the certificate purpose.

You need not deactivate and activate the TFTP server.

Thanks,

Vasanth

For step 6.2, even if I'm using CUCM 10 and later? As you know, they are now one cluster managed by one CUCM publisher.

Although the IMP service profile is configured on UCM, they have different certificate stores. You would have to log in to IMP, where the CSR was generated, and upload the certificate.

Thanks,

Vasanth

Thank you for :)

JustForVoice_2
Level 4

Is it possible to have more than one Root CA certificate on the cluster?

Hi,

Yes, you can have more than one Root CA certificate.

Thank you!

Vasanth

Hello

Are there any plans to allow wildcard certificates for any of the services, at least tomcat?

Is it possible to use the same certificate for multiple services on the same server?

Thanks,

Finnur

Hi Finnur,

There are no plans of supporting wildcard certificates, including for tomcat. However, you can use a Multi-Server SAN certificate, which fetches all the hostnames of the servers within the cluster and generates a CSR with multiple Subject Alternative Names; this can be sent to the CA and used across the cluster.

Thanks,

Vasanth

Hi Vasanth,

There is a problem today with Jabber: it needs both the Tomcat and Cup-xmpp certificates (and Callmanager if we would like to secure the RTP).

I often get questions from customers on why we need several certificates with the same name.

Since we have the Multi-server SAN certificate, it would be much simpler and cheaper if we could use ONE certificate for at least the services (Tomcat, Cup-xmpp, Callmanager) that the Jabber clients use.

Do you think Cisco will alter this behavior of the CUCM in future releases, or are we stuck having one certificate per service?

thanks

Mikael Hansson