05-09-2016 03:36 AM - edited 03-18-2019 11:59 AM
I have a question,
I have a CUCM application (I wasn't involved in the build, so I'm trying to understand the setup) that requests a certificate via the browser when trying to access it, so I guess the two options are to use the self-signed certificate or one generated by the company's CA.
Difference
If we use self-signed from the app itself, does that mean that all users need to download it when they wish to access the server?
CA – Each user already has a cert as part of group policy, so I just need to create a CSR and pass it to the CA to create the cert, then upload this to the server, and by default users can access the server since they have a cert as part of the group policy? Is this correct?
What are the steps?
Self-signed – Each user needs to download the cert from the CUCM app in their browser before accessing the CUCM server, or use the company's root certificate which has been uploaded to the CUCM server, so that by default the users do not need to download any cert themselves?
How can you confirm whether the CUCM application only has its self-signed cert or a CA-signed one?
Server concerned: see attached. To me it looks like the certs are self-signed.
The certificate on the CUCM cluster is different; on the cert type, it shows Self-Signed, CA signed.
thanks
05-09-2016 04:00 AM
If we use self-signed from the app itself, does that mean that all users need to download it when they wish to access the server?
Yes, you will need to download the CUCM self-signed cert into your users' PC trust store; otherwise, each time a user accesses the CUCM user/web admin page, they will be presented with an untrusted certificate prompt.
CA – Each user already has a cert as part of group policy, so I just need to create a CSR and pass it to the CA to create the cert, then upload this to the server, and by default users can access the server since they have a cert as part of the group policy? Is this correct?
Yes, this is correct.
What are the steps?
The steps are as follows:
1. Generate a tomcat CSR
2. Send the CSR to your CA to sign
3. Upload the CA root cert to your tomcat-trust store on CUCM
4. Upload the signed tomcat server cert to your CUCM.
Self-signed – Each user needs to download the cert from the CUCM app in their browser before accessing the CUCM server, or use the company's root certificate which has been uploaded to the CUCM server, so that by default the users do not need to download any cert themselves?
You might need to do this yourself as an admin, or write a document informing users on how to do this. This is why it's better to use an enterprise CA, since the root CA is already present.
How can you confirm whether the CUCM application only has its self-signed cert or a CA-signed one?
You can easily browse to the CUCM web page and check the cert issuer. If the issuer is the CUCM itself, then it is a self-signed cert.
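The issuer check described in the reply above can also be scripted; the following is an added example, not part of the original reply or any Cisco tooling. It reads the issuer and subject names out of the certificate's DER encoding with only the Python standard library; the host names and the `sample_cert` skeletons are constructed for the demonstration.

```python
import ssl

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names of an X.509 cert."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version field
        pos = end
    fields = []                     # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def looks_self_signed(der):
    # Issuer equals subject: the check from the reply. It compares names only
    # and does not verify the signature.
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def check_host(host, port=443):
    """Fetch the server's certificate without validating it, then compare."""
    pem = ssl.get_server_certificate((host, port))
    return looks_self_signed(ssl.PEM_cert_to_DER_cert(pem))

# --- constructed sample input: cert skeletons with no real key or signature ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    attr = _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, attr))

def sample_cert(issuer_cn, subject_cn):
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"160509000000Z") + _enc(0x17, b"210509000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _enc(0x30, b""))
    return _enc(0x30, tbs + alg + _enc(0x03, bytes(257)))
```

Against a live server, `check_host("cucm-pub.example.test")` (a placeholder host name) returns `True` when the presented certificate names itself as issuer.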
05-09-2016 04:50 AM
Thanks for the reply, well worded.
Question: the app in question is Finesse. If I go down the CA path and upload a CA cert to Finesse, is there any other Cisco app I may break, so to speak? Finesse is used in a UCCE deployment. When I access Finesse, it references CTI servers as well as HDS. By uploading a CA cert on Finesse only, would I need to upload the same CA elsewhere?
05-09-2016 05:16 AM
Good question. I don't know enough about Finesse to answer that question.