02-08-2016 09:40 AM - edited 03-18-2019 11:48 AM
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.
Ask questions from Tuesday February 8 to Friday February 19, 2016
Cisco Unified Communications Manager is the IP-based call control solution that provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments, so securing the communication and integration with those applications is essential to keeping the enterprise business secure.
This session will focus on answering questions regarding managing certificates in Unified Communications Manager: best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA-signed certificates, and troubleshooting Multi-Server SAN related issues.
Vasanth Kumar is a Technical Support Engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products, ranging from small to large-scale deployments, for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated with Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certification.
Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.
Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.
02-16-2016 05:29 AM
Hi Mikael
The UC architecture is designed in such a way that each service has its own server-role certificate and trust store.
This has its own benefits, for example:
If the private key of Tomcat is exposed, it will not impact your secure call control services or Jabber messaging.
Let's say the private key of a certain service is corrupt; you would only be generating a certificate for that service, avoiding impact to other services.
From an administrative perspective there is a need to manage and maintain a certificate for each service, but it helps keep the environment secure, offers minimal impact to services and also provides ease of troubleshooting.
With Multi-Server SAN the number of certificates required for a cluster is significantly reduced, to 1 per service in a UCM + IMP cluster:
1 - Tomcat
1 - cup-xmpp
1 - callmanager+tftp
HTH.
Thanks,
Vasanth
02-17-2016 08:56 PM
Hi Vasanth,
What is the consequence of changing the domain on the CUCM publisher server from the perspective of security certificates?
Currently we have cucm01.xxx.org; we want to change to cucm01.xxx.yy.org.
Can you advise the right approach and steps to achieve this?
P.S. We have 2 CUCM servers and 2 IMP servers, all on version 11.
Thanks & Regards,
Natt
02-18-2016 12:54 AM
Hi Natt
If you are changing the domain name of the Publisher, the certificates will be regenerated, and once the server is rebooted the phones will go through a quick restart (to refresh ITL entries).
If the cluster is secure, you would have to run the CTL update (via the CLI: utils ctl update CTLFile); if the CTL plugin was used, you need to run through the wizard and push the updated CTL file to the Publisher.
Thanks,
Vasanth
02-18-2016 01:47 AM
I have tried to add a certificate to Expressway and I got the following error:
Expressway Invalid certificate: The file provided does not have a server usage attribute
Any help?
02-18-2016 02:13 AM
Can you please share the certificate details? If you have openssl installed on your machine, you can just paste the output of:
openssl x509 -in CallManager.pem -text -noout
Otherwise, please upload the certificate.
Thanks,
Vasanth
02-18-2016 02:51 AM
The certificate is related to Expressway not CUCM.
02-18-2016 03:07 AM
In general a certificate contains some information like:
Certificate Information:
Common Name:
Organization Unit:
Locality:
State:
Country:
Valid From:
Valid To:
Issuer:
Serial Number:
Do I need to configure these parameters?
02-18-2016 03:26 AM
The following fields are generally populated by the server VCS/CUCM/IMP.
Certificate Information:
Common Name:
Organization Unit:
Locality:
State:
Country:
The CA populates:
Valid From:
Valid To:
Issuer:
What I'm interested in looking at is (based on the certificate template configured on the CA):
Key Usage:
Extended Key Usage:
You can replace the CallManager.pem with any certificate file you would like to read.
Thanks,
Vasanth
02-18-2016 12:05 PM
I was not able to run the command that you posted. However, I tried to use a web site to decode the certificate and I found the following:
X509v3 extensions:
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
    X509v3 Subject Key Identifier:
        C8:10:F6:B2:11:F6:53:69:57:62:73:D7:30:8D:B2:A9:75:C9:33:B7
    X509v3 Authority Key Identifier:
        keyid:06:3A:0A:4C:38:B2:C0:78:AD:C9:6E:FA:D4:2C:BC:AB:C3:AA:E1:B5
and
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
02-18-2016 12:12 PM
For Expressway you would need:
extendedKeyUsage=serverAuth, clientAuth
This is documented in the VCS Certification Creation Guide and Deployment Guide.
The CA to which the VCS CSR is being submitted should make sure these key usages are available in the certificate that is being issued.
Thanks
Vasanth
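As an added example (not from this thread, and not a Cisco tool), here is a small pure-Python decoder that reads the two extension values under discussion, X509v3 Key Usage and X509v3 Extended Key Usage, from their DER bytes (or from `openssl x509 -text -noout` output) and reports which of the purposes Expressway needs, serverAuth and clientAuth per the answer above, are missing. The DER byte strings and the openssl text fragment are constructed by hand to mirror the poster's certificate (clientAuth only) and a corrected one; the requirement list and the OID/name tables are the only other inputs.

```python
# Added example, not part of the original thread or any Cisco product.
# Decodes X509v3 Key Usage / Extended Key Usage extension values and checks
# them against the Expressway/VCS requirement from the thread:
# extendedKeyUsage must carry BOTH serverAuth and clientAuth.
# Standard library only; all sample inputs below are constructed by hand.

OPENSSL_EKU_NAMES = {                      # names as printed by `openssl x509 -text`
    "TLS Web Server Authentication": "serverAuth",
    "TLS Web Client Authentication": "clientAuth",
}
EKU_OIDS = {                               # id-kp arcs from RFC 5280 section 4.2.1.12
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}
KEY_USAGE_BITS = [                         # KeyUsage BIT STRING positions, RFC 5280 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
EXPRESSWAY_REQUIRED_EKU = ("serverAuth", "clientAuth")   # from the answer above

# Constructed samples: the DER extension value (with or without the OCTET STRING wrapper).
POSTER_EKU = bytes.fromhex("300a06082b06010505070302")      # SEQUENCE { clientAuth } only
GOOD_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")  # serverAuth, clientAuth
POSTER_KU = bytes.fromhex("030205a0")     # BIT STRING: digitalSignature + keyEncipherment
SAMPLE_OPENSSL_TEXT = (                   # constructed, in the layout openssl prints
    "            X509v3 Extended Key Usage: \n"
    "                TLS Web Client Authentication\n"
)


def _read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _unwrap(der):
    """Accept either the bare extension value or the OCTET STRING that wraps it."""
    tag, value, _ = _read_tlv(der)
    return value if tag == 0x04 else der


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:                     # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of names (unknown OIDs stay dotted)."""
    tag, body, _ = _read_tlv(_unwrap(der))
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, oid, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        dotted = decode_oid(oid)
        names.append(EKU_OIDS.get(dotted, dotted))
    return names


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING -> list of the set bit names."""
    tag, body, _ = _read_tlv(_unwrap(der))
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]       # first content byte = count of unused trailing bits
    names = []
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names


def eku_from_openssl_text(text):
    """Pull EKU names out of `openssl x509 -text -noout` output: the value follows the
    header line (openssl prints 'critical' on the header line when the extension is)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Extended Key Usage" in line:
            value = line.split(":", 1)[1].strip()
            if value in ("", "critical"):
                value = lines[i + 1].strip()
            return [OPENSSL_EKU_NAMES.get(n.strip(), n.strip()) for n in value.split(",")]
    return []


def expressway_missing_eku(eku_names):
    """Return the purposes Expressway needs that this certificate lacks (empty list = OK)."""
    return [u for u in EXPRESSWAY_REQUIRED_EKU if u not in eku_names]


if __name__ == "__main__":
    for label, eku in (("poster's cert", POSTER_EKU), ("corrected cert", GOOD_EKU)):
        names = decode_eku(eku)
        print(f"{label}: EKU={names} missing={expressway_missing_eku(names)}")
    print("poster's cert: KU =", decode_key_usage(POSTER_KU))
```

Run it and the poster's certificate reports `missing=['serverAuth']`, which is exactly the "does not have a server usage attribute" error Expressway gave; the corrected value reports nothing missing. Key Usage (Digital Signature, Key Encipherment) is decoded too because that is what the poster had available, but it is the Extended Key Usage that the Expressway check is about.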
02-18-2016 12:55 PM
Thank you for your support.
As per my understanding, I have to regenerate the CSR, but I could not understand what the problem with my old CSR is.
Could you please add more details?
Thanks : )
02-18-2016 08:58 PM
You don't need to regenerate the CSR; please ask your CA to issue a certificate for the CSR that you have submitted, with the above Extended Key Usage.
That will give you a valid certificate.
Thanks,
Vasanth
02-19-2016 12:46 AM
I will ask, Thank you for your support :)
02-19-2016 12:52 AM
In case I have to access CUCM from 2 different PCs, each one trusting a different CA: for example, I have two different Windows domains and each domain has its own CA. In this case, I have to install the root CA certificate for each CA in CUCM, then generate a tomcat certificate from each CA and finally install the 2 certificates in my CUCM.
Am I right?
02-19-2016 02:03 AM
Hello Vasanth,
I have just installed CUCM, IMP and Unity for a customer and am about to generate CSRs for them. They are using a public CA.
Am I correct in my assumption that I need only one tomcat (SAN) CSR from the CUCM OS Admin page, one cup-xmpp (SAN) CSR from the IMP OS Admin page and one tomcat (SAN) CSR from the Unity OS Admin page in order to stop the Jabber client from showing certificate warnings during login?
Regards,
Maxim