
Installing CA certificate for HTTPS phone services

nathanielmanzi
Level 1

Hi all,

We have a custom internal directory service published to the phones in our org. On phones that default to use HTTPS URLs, we have enabled SSL on the server hosting the directory service and put the HTTPS URL in our Enterprise Parameters. The phone reports Host Not Found when the user presses the 'Directories' button on the phone.

When using the built-in (Corporate Directory) HTTPS directory service URL it works fine, so it appears it's because the SSL certificate on the server hosting our custom directory service isn't trusted by the phones/CUCM.

My question is, how does one install a Root CA certificate for use by the phones in accessing phone services secured by HTTPS?

Many thanks.

Akhil Behl
Level 1

Hi Nathaniel,

Have you already enrolled CUCM with the internal CA for Tomcat certificates? The phone leverages an SSL connection with CUCM to retrieve the URLs when set to HTTPS. So, unless you have CUCM running with the root CA and SSL (identity) certificate from the CA server, HTTPS will not work properly.

Also, do ensure that if the URLs are working on a name basis, you have DNS enabled for CUCM and phones.

See chapter 9 from 'Securing Cisco IP Telephony Networks' for more information on enrolling CUCM with external CA for Tomcat and other entities (e.g. CAPF).



Akhil Behl
Senior Network Consultant
akbehl@cisco.com

Author of “Securing Cisco IP Telephony Networks”
www.ciscopress.com/title/1587142953

Thanks for the reply. I have not yet generated a certificate for CUCM on our internal CA, but this has prompted me to do so.

Joseph Martini
Cisco Employee

The certificate used on the external server has to be uploaded to CUCM under the OS Administration page > Security > Certificate Management. Upload it as a "Tomcat-Trust" and then restart Tomcat (utils service restart Cisco Tomcat). That should allow the phones to trust the external SSL certificate. Note that if you have a certificate chain (root and intermediate or root and identity), both have to be uploaded to CUCM as a tomcat-trust.

Thanks for this Joe, I was adding the CA certificate to the phone-trust chain. I didn't think to add it to tomcat-trust.
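
The check below is an added example, not part of the thread: before uploading to Tomcat-trust as Joseph Martini's answer describes, it splits the PEM bundle a server presents into one file per certificate and reports whether every issuer is present in the set. The function names, output file names and the constructed test certificates are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# For a real server, a bundle can be captured with:
#   openssl s_client -connect HOST:443 -showcerts </dev/null > bundle.pem

# make_sample_chain DIR: constructed test data. Builds a throwaway root CA and
# a server certificate signed by it, then writes DIR/bundle.pem.
make_sample_chain() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=directory.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
    cat "$d/srv.pem" "$d/root.pem" > "$d/bundle.pem"
}

# split_chain BUNDLE OUTDIR: writes each certificate to OUTDIR/certN.pem and
# prints "file role subject" for it. Roles: root (subject equals issuer),
# issued (issuer is in the bundle), issuer-missing (issuer is not).
# Returns 0 for a complete chain, 1 if an issuer is missing, 2 if no
# certificate was found.
split_chain() {
    bundle=$1; out=$2; missing=0
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    [ -e "$out/cert1.pem" ] || return 2
    subjects=$(for c in "$out"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject_hash; done)
    for c in "$out"/cert*.pem; do
        s=$(openssl x509 -in "$c" -noout -subject_hash)
        i=$(openssl x509 -in "$c" -noout -issuer_hash)
        if [ "$s" = "$i" ]; then role=root
        elif echo "$subjects" | grep -qx "$i"; then role=issued
        else role=issuer-missing; missing=1
        fi
        echo "$c $role $(openssl x509 -in "$c" -noout -subject)"
    done
    return $missing
}
```

A non-zero return means the set is incomplete: a certificate reported as issuer-missing still needs its issuing CA certificate alongside it.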
