01-17-2022 03:34 AM
Hi
We are looking at how to do encryption on both legs of the CUBE.
So between CUCM --- CUBE (inside): encryption
And between CUBE (outside) ------ : encryption
For the inside we want to use a private CA and for the outside a public CA.
Is this supported? Or must we use one CA for both legs?
Thanks
JH
01-17-2022 04:35 AM
Hi,
In the SIP-UA configuration, you can control which trustpoint (in principle, which cert/CA) should be used for which remote IP addresses.
But why don't you just use the public one for both? You just need to upload the CA that signed the cert of CUBE into callmanager-trust.
--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---
01-17-2022 04:47 AM
I'm fairly confident that you can do this, however I have not done so myself. Looking at the command crypto signaling under SIP-UA, there is a possibility to define the remote IP for when to use the specific trustpoint. By this it should be possible to achieve what you ask for, from what I can read out of the configuration guidelines.
crypto signaling {remote-addr ip-address subnet-mask | default} [tls-profile tag | trustpoint trustpoint-name [client-vtp trustpoint-name | [{ecdsa-cipher [curve-size 384] | strict-cipher}] | cn-san-validate {server [client-vtp trustpoint-name | [{ecdsa-cipher [curve-size 384] | strict-cipher}]}]] ! ECDSA ciphers are not supported on TLS version 1.0.
For more details on TLS configuration please see this document. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.html
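To make the per-leg trustpoint selection described in the two answers above concrete, here is an added configuration example; it is not from the thread or from Cisco's documentation. It assumes a CUBE running IOS XE, a private CA reachable over SCEP at a constructed hostname (ca.example.internal), a public CA whose chain is pasted at the terminal, and constructed documentation addresses (192.0.2.0/24 for the CUCM cluster). Trustpoint and key labels are placeholders.

```cisco
! Added example (not from the thread): two trustpoints on one CUBE,
! chosen per remote signaling address with "crypto signaling" under sip-ua.
! All addresses, hostnames and labels below are constructed placeholders.

! Trustpoint for the inside leg (CUCM): identity cert issued by the private CA.
crypto pki trustpoint INTERNAL-CA
 enrollment url http://ca.example.internal   ! assumed SCEP URL of the private CA
 subject-name CN=cube.example.internal
 rsakeypair CUBE-INT-KEY 2048
 revocation-check none

! Trustpoint for the outside leg (SIP trunk): identity cert issued by a public CA.
! The public CA's root/intermediate chain and the issued cert are pasted as PEM.
crypto pki trustpoint PUBLIC-CA
 enrollment terminal pem
 subject-name CN=sbc.example.com
 rsakeypair CUBE-EXT-KEY 2048
 revocation-check none

! Per-remote-address trustpoint selection: the trustpoint decides which
! certificate CUBE presents and which CA chain the peer's cert is checked against.
sip-ua
 ! CUCM subnet (constructed): present the private-CA certificate.
 crypto signaling remote-addr 192.0.2.0 255.255.255.0 trustpoint INTERNAL-CA
 ! Everything else (the provider on the outside): present the public-CA
 ! certificate and validate the provider's CN/SAN when CUBE is the TLS client.
 crypto signaling default trustpoint PUBLIC-CA cn-san-validate server
```

After this configuration each trustpoint still has to be populated: `crypto pki authenticate <trustpoint>` imports the CA chain and `crypto pki enroll <trustpoint>` requests (or pastes) the identity certificate. On the CUCM side, the CA that signed the certificate in INTERNAL-CA must be uploaded to CallManager-trust, as the first answer notes, and CUCM's own certificate must chain to a CA present in that trustpoint so CUBE can validate it on the inside leg.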
01-18-2022 02:55 AM
Thank you both!
I believe the easiest way is to have the CUBE signed by the external CA (I believe signing the CUBE is mandatory) and then trust the external CA.
Thank you both for your help.
Jan