Ask the Expert: Certificate Management in Cisco Unified Communications Manager (CUCM)

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.

Ask questions from Tuesday February 8 to Friday February 19, 2016

Cisco Unified Communications Manager is the IP-based call control solution that provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments. Securing the communication and integration with other applications is essential to keep the enterprise business secure.

This session will focus on answering questions regarding managing certificates in Unified Communications Manager, best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA-signed certificates, and troubleshooting Multi-Server SAN related issues.


Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products ranging from small to large scale deployments for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated to Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certification.

Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.

Find other events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.


I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead

Hi Mikael

The UC architecture is designed in such a way that each service has its own server role certificate and trust store.

This has its own benefits, for example:

If the private key of tomcat is exposed, it will not impact your secure call control services or Jabber messaging.

Let's say the private key of a certain service is corrupt; you would only be generating a certificate for that service, avoiding impact to other services.

From an administrative perspective there is a need to manage and maintain a certificate for each service, but it helps keep the environment secure, offers minimal impact to service and also provides ease of troubleshooting.

With Multi-Server SAN the number of certificates required for a cluster is significantly reduced, to 1 per service in a UCM + IMP cluster:

1 - Tomcat
1 - cup-xmpp
1 - callmanager+tftp

HTH.


Thanks,
Vasanth

ESCAP NTU
Level 1

Hi Vasanth,

What is the consequence of changing the domain on the CUCM publisher server from the perspective of security certificates?

Currently we have cucm01. xxx.org; we want to change to cucm01.xxx.yy.org.

Can you advise the right approach and steps to achieve this?

P.S. We have 2 CUCM servers and 2 IMP servers, all on version 11.

Thanks & Regards,

Natt

Hi Natt

If you are changing the domain name of the Publisher, the certificates will be regenerated, and once the server is rebooted the phones will go through a quick restart (to refresh ITL entries).

If the cluster is secure you would have to run the CTL update (via the CLI: utils ctl update CTLFile); if the CTL plugin was used, you need to run through the wizard and push the updated CTL file to the Publisher.

Thanks,

Vasanth

JustForVoice_2
Level 4

I have tried to add a certificate to Expressway and I got the following error:

Expressway Invalid certificate: The file provided does not have a server usage attribute

Any help?

Can you please share the certificate details? If you have openssl installed on your machine you can just paste the output of:

openssl x509 -in CallManager.pem -text -noout

Otherwise please upload the certificate.

Thanks,

Vasanth

The certificate is related to Expressway not CUCM.

In general a certificate contains some information like:

Certificate Information:
Common Name:
Organization Unit:
Locality:
State:
Country:
Valid From:
Valid To:
Issuer:
Serial Number:

Do I need to configure these parameters?

The following fields are generally populated by the server (VCS/CUCM/IMP):

Certificate Information:
Common Name:
Organization Unit:
Locality:
State:
Country:

The CA populates:

Valid From:
Valid To:
Issuer:

What I'm interested in looking at is (based on the certificate template configured on the CA):

Key Usage:

Extended Key Usage:

You can replace the CallManager.pem with any certificate file you would like to read.

Thanks,

Vasanth

I was not able to run the command that you posted. However, I tried to use a web site to decode the certificate and I found the following:

X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                C8:10:F6:B2:11:F6:53:69:57:62:73:D7:30:8D:B2:A9:75:C9:33:B7
            X509v3 Authority Key Identifier: 
                keyid:06:3A:0A:4C:38:B2:C0:78:AD:C9:6E:FA:D4:2C:BC:AB:C3:AA:E1:B5

and 

X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption

For expressway you would need

  1. extendedKeyUsage=serverAuth, clientAuth

This is documented in the VCS Certification Creation Guide and Deployment Guide.

The CA to which the VCS CSR is submitted should make sure the following key usages are present in the certificate being issued.

Thanks

Vasanth
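Added example (not code from the thread or from Cisco): a pure-stdlib Python check for the Extended Key Usage values Vasanth lists above. It decodes the DER value of the X509v3 Extended Key Usage extension (a SEQUENCE OF OBJECT IDENTIFIER) and reports which Expressway-required usage is missing; the two byte strings are constructed samples, one matching the clientAuth-only extension shown in the asker's decode and one carrying serverAuth plus clientAuth.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EKU_NAMES = {SERVER_AUTH: "TLS Web Server Authentication",
             CLIENT_AUTH: "TLS Web Client Authentication"}
EXPRESSWAY_REQUIRED = {SERVER_AUTH, CLIENT_AUTH}   # extendedKeyUsage=serverAuth, clientAuth

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(ext_value):
    """Return the dotted OIDs listed in an extKeyUsage extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(body))
    return oids

def missing_for_expressway(ext_value):
    """Names of the usages Expressway requires that this extension value lacks."""
    present = set(parse_eku(ext_value))
    return sorted(EKU_NAMES[o] for o in EXPRESSWAY_REQUIRED - present)

# Constructed sample extension values (the DER inside the extension's OCTET STRING):
# clientAuth only, as in the asker's certificate, and serverAuth + clientAuth.
CLIENT_ONLY = bytes.fromhex("300a06082b06010505070302")
SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")
# missing_for_expressway(CLIENT_ONLY) -> ['TLS Web Server Authentication']
# missing_for_expressway(SERVER_AND_CLIENT) -> []
```

To check a real certificate, feed it the bytes that `openssl asn1parse` reports for the extKeyUsage extension's OCTET STRING value.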

Thank you for your support.

As per my understanding, I have to regenerate the CSR. but I could not understand what is the problem with my old CSR. 

Could you please add more details?

Thanks : )

You don't need to regenerate the CSR; please ask your CA authority to issue a certificate for the CSR that you have submitted with the above Extended Key Usage.

That will give you a valid certificate.

Thanks,

Vasanth

I will ask, Thank you for your support :)

JustForVoice_2
Level 4

In case I have to access CUCM from 2 different PCs, each one trusting a different CA: say I have two different Windows domains and each domain has its own CA. In this case, I have to install the root CA for each CA in CUCM, then generate a tomcat certificate from each CA and finally install the 2 certificates in my CUCM.

Am I right?

Maxim Abramov
Level 1

Hello Vasanth,

I have just installed CUCM, IMP and UNITY for customer and about to generate CSR for them. They are using Public CA.

Am I correct in the assumption that I need only one tomcat (SAN) CSR from the CUCM OS Admin page, one cup-xmpp (SAN) CSR from the IMP OS Admin page and one tomcat (SAN) CSR from the UNITY OS Admin page in order to stop the Jabber client showing certificate warnings during login?

Regards,

Maxim