Enthusiast

CUCM 10.5 and CSR (security cert)

When I click on CallManager and select Generate CSR, there is a field in the popup called Domain name which shows companyname.com.

In 10.5, I was told that this is required. Anyone care to explain in more detail?

Also, I noticed that there is callmanager and there is also tomcat from Certificate Management. I select callmanager and use that to generate a CSR and I submit it to a 3rd party CA. If I repeat the same process but this time selecting tomcat, the 3rd party CA will complain of a duplicate. Ideas? Or is callmanager alone good?

My goal is to encrypt calls.

Accepted Solutions
Advocate

Can you send me the cert somehow? Fileshare or PM me via the community?

Please rate useful posts.

23 REPLIES
Advocate

Tomcat is for Webservice communication. That includes AXL calls and admin webpages.

CallManager is for phone registration, however there is a bug in CallManager Multiserver certificate which causes phones to reset randomly. Is there a reason why you need to have the CallManager server signed by a 3rd party CA? You could use an internal CA or USB tokens to sign it.

Please rate useful posts.

Enthusiast

It's a requirement by the company.

So, if I download the CSR for callmanager and submit it to Verisign, I will need to upload it, and when I upload it, do I select callmanager again or callmanager-trust?

Can I use that same cert to upload it for tomcat-trust or do I use tomcat?

Thanks

Advocate

If you select a CSR for tomcat or CallManager, then the signed certificate will be uploaded to the same location. The signed certificate will have a root and potentially intermediate certs. These certs will be uploaded to the appropriate xxx-trust locations. 

Please rate useful posts.
Enthusiast

So, just to confirm, when I downloaded the CSR, I choose callmanager, send it to Verisign, then upload the file I received also by selecting callmanager and that's it? Thanks

By the way, when I downloaded the CSR, it's a multi-server CSR.

Advocate

Correct, you will have to upload the root and intermediate certificate that you receive from Verisign to callmanager-trust first else it will give you an error.

Also, there is a bug in 10.5 that causes phones to reboot if you sign the Callmanager cert. CSCup28852

Please rate useful posts.

Enthusiast

Thanks George. I will take a look at this bug.

I only received one file from Verisign though, so what do I do with the intermediate file you mentioned? Thanks

Enthusiast

When I uploaded the cert I got from Verisign, I selected "callmanager" and when I click OK, it gave me an error about something not found in store. When I change the selection to "callmanager-trust", the cert uploaded OK.

Did I do something wrong?

Advocate

That's what I mentioned earlier: you will have to upload the root and intermediate certificate first to callmanager-trust before you upload the signed certificate.

To get the root/intermediate cert, open the certificate, navigate to the certification path and you will see a hierarchy similar to the attachment. Click on the topmost certificate and click View Certificate. In the new pop-up, navigate to Details and click on Copy to File. Click Next on the wizard that opens, on the 2nd page select the base-64 encoded option and go through the wizard. In the 3rd window, you will be able to select an option to save the certificate and this will be your root certificate. Repeat this process for the intermediate certificate, i.e. the 2nd cert in the hierarchy. Once you have both the files, upload the root certificate to callmanager-trust first and then upload the intermediate certificate. Once that's done, upload the signed certificate to the callmanager location.

At this point, your phones should start rebooting due to the bug I mentioned above. LOL.

Please rate useful posts.
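
The upload order described in the post above (root, then intermediate, into callmanager-trust, then the signed certificate into callmanager) can be worked out from the PEM files before anything is uploaded. This is an added example, not part of the original thread: it assumes `openssl` is installed, the function names are hypothetical, and the three certificates are a constructed demo chain.

```shell
#!/bin/sh
# Added example: work out the upload order for a CA-signed CallManager certificate.
# All certificates, names and paths are constructed; chaining is by subject/issuer
# name only, so it checks ordering and completeness, not signatures.
set -eu

# field subject|issuer FILE -> the DN of a PEM certificate in RFC 2253 form
field() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# upload_order SIGNED_CERT CA_FILE... -> "<store> <file>" lines, root first
upload_order() {
  leaf=$1; shift
  order="callmanager $leaf"; want=$(field issuer "$leaf")
  for _hop in "$@"; do                       # at most one hop per CA file given
    found=""
    for ca in "$@"; do
      if [ "$(field subject "$ca")" = "$want" ]; then found=$ca; break; fi
    done
    if [ -z "$found" ]; then echo "no CA file for issuer: $want" >&2; return 1; fi
    order="callmanager-trust $found
$order"
    want=$(field issuer "$found")
    if [ "$want" = "$(field subject "$found")" ]; then   # self-signed: root reached
      printf '%s\n' "$order"; return 0
    fi
  done
  echo "chain does not end in a self-signed root" >&2; return 1
}

# make_demo_chain DIR -> constructed root, intermediate and server certificates
make_demo_chain() {
  d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cucm.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_chain "$demo"
upload_order "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem"
```

If a CA file is missing, the function stops and names the issuer it could not find, which is the same gap that produces an upload error when the signed certificate goes in before its chain.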
Enthusiast

lol....so this is where my head spins.

1) What exactly do you mean by "upload the root and intermediate cert to call-manager-trust" before I upload my signed cert? I only have one file that came from Verisign. The only other file I have is the call-manager CSR I downloaded.

2) You said navigate to the certification path... where? In the PC I am using to browse to the CUCM?

I want my phones to start randomly rebooting... so please help me :)

Advocate

1) The process that I mentioned above is for extracting the root/intermediate certs that you need.

2) What format is the certificate in? ie. what extension does the file have?

Please rate useful posts.

Enthusiast

The signed cert from verisign is .CER

The callmanager file I downloaded that I sent to Verisign is CSR

Enthusiast

This is what I got...how do I fix this?

Advocate

This is the callmanager self-signed certificate; I was referring to the cert that Verisign sent you.

Please rate useful posts.
Enthusiast

The file Verisign sent me is a .CER file.

I uploaded it earlier to the CUCM and selected callmanager-trust, then rebooted the server, then enabled mixed mode.

What am I missing? tnx
