07-04-2018 05:13 AM - edited 03-18-2019 12:28 PM
Hello
We have an issue with certificates in CUCM, IMP & CUC.
We have 3 CUCM Servers: 1 Pub, 2 SUB and 2 IMP, version 11
Also, we have 2 CUC Servers, version 11
We are using a CA (internal Windows server)
Question 1: What is the impact if the certificates expire?
Question 2: Which certificates are needed between CUCM & CUC?
For CUCM:
CallManager
CallManager-trust
CallManager-ECDSA
tomcat
tomcat-trust
TVS
The above certificates are going to expire soon.
What is the difference between the above certificates and their usage?
For CUC:
CallManager & tomcat are already expired.
How do I regenerate the certificates?
Are there any dependencies?
Thanks in advance
07-04-2018 06:55 AM
Have you read this:
Don't let your certs expire. Are all of the certs you listed signed by a CA, or are some self-signed? Typically only the Tomcat, and possibly CallManager, certs on CUCM get signed by an external CA. For IMP, XMPP would be another one.
For CUC to UCM connectivity the only reason to exchange certs would be if you are doing encryption to voicemail or if you are using PIN sync between the apps (available in 11.5+).
07-04-2018 07:03 AM
Read this
There is no certificate that is needed by default for CUCM and CUC to work. You'd need to explain exactly how you have them integrated and/or what features you have that might have required a certificate exchange.
07-15-2018 12:24 AM
Thanks for your reply
I am sorry, I am a little bit confused.
My question is:
Once I generate a CSR (for any cert such as TVS) and send it to the CA to sign it, how many signed certificates must I receive to upload to CUCM?
Question 2:
Which certificates should be uploaded as (TVS) or (TVS-trust)?
Are these considered identity certificates?
Thanks again
07-15-2018 12:40 PM
Once I generate a CSR (for any cert such as TVS) and send it to the CA to sign it, how many signed certificates must I receive to upload to CUCM?
>> You can get a signed cert for each type of cert, i.e. tomcat, CallManager, TVS, IPSec, etc. Some can be signed by a CA, others can be left as self-signed based on your requirements. You can either generate a CSR on each node, or if you are on a relatively new CUCM (10.5+ I believe) you can get a multi-SAN CSR that addresses all nodes with a single SAN cert.
Question 2:
Which certificates should be uploaded as (TVS) or (TVS-trust)?
Signed cert goes into TVS/tomcat/etc, root and intermediate certs need to be uploaded into -trust stores.
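The split described in the last reply (signed certificate into the service's own store, root and intermediate certificates into the matching -trust store) can be checked on the files a CA returns before anything is uploaded. This is an added example, not part of the thread and not Cisco tooling: it runs openssl on a workstation, and the throwaway CA, the host names and the function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CA, keys and host names; not a real CUCM cluster.
set -eu

# classify_cert FILE -> "trust" for a CA cert (root/intermediate, CA:TRUE),
# "identity" for the signed leaf that goes into the service's own store.
classify_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo trust
  else
    echo identity
  fi
}

# chain_ok CAFILE LEAF -> succeeds only if LEAF verifies against CAFILE,
# i.e. the issuer that belongs in the -trust store really signed the leaf.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_chain DIR -> writes root.pem (CA) and leaf.pem (multi-SAN leaf).
make_demo_chain() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:cucm-pub.example.test,DNS:cucm-sub1.example.test
EOF
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=cucm-pub.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/demo.cnf" -extensions v3_leaf \
    -out "$d/leaf.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_chain "$DEMO_DIR"
for f in root.pem leaf.pem; do
  echo "$f -> $(classify_cert "$DEMO_DIR/$f")"
done
```

On real files, run `classify_cert` and `chain_ok` against the PEM files the CA sent back; a leaf that does not verify against the CA file means the wrong or an incomplete issuer chain was supplied.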