09-11-2012 08:54 PM - edited 03-16-2019 01:09 PM
Hi all,
We have a custom internal directory service published to the phones in our org. On phones that default to use HTTPS URLs, we have enabled SSL on the server hosting the directory service and put the HTTPS URL in our Enterprise Parameters. The phone reports Host Not Found when the user presses the 'Directories' button on the phone.
When using the built-in (Corporate Directory) HTTPS directory service URL it works fine, so it appears it's because the SSL certificate on the server hosting our custom directory service isn't trusted by the phones/CUCM.
My question is, how does one install a Root CA certificate for use by the phones in accessing phone services secured by HTTPS?
Many thanks.
09-18-2012 04:00 AM
Hi Nathaniel,
Have you already enrolled CUCM with the internal CA for Tomcat certificates? The Phone leverages SSL connection with CUCM to retrieve the URLs when set to HTTPS. So, unless you have CUCM running with root CA and SSL (identity) certificate from the CA server, HTTPS will not work properly.
Also, do ensure that if the URLs are working on a name basis, you have DNS enabled for CUCM and Phones.
See chapter 9 from 'Securing Cisco IP Telephony Networks' for more information on enrolling CUCM with external CA for Tomcat and other entities (e.g. CAPF).
Akhil Behl
Senior Network Consultant
akbehl@cisco.com
Author of “Securing Cisco IP Telephony Networks”
www.ciscopress.com/title/1587142953
09-18-2012 04:04 AM
The certificate used on the external server has to be uploaded to CUCM under the OS Administration page > Security > Certificate Management. Upload it as a "Tomcat-Trust" and then restart Tomcat (utils service restart Cisco Tomcat). That should allow the phones to trust the external SSL certificate. Note that if you have a certificate chain (root and intermediate, or root and identity), both have to be uploaded to CUCM as a tomcat-trust.
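As an added illustration of the chain point above (this is not code from the thread or from Cisco): the script below builds a throwaway root > intermediate > server chain with openssl and checks the server certificate against a trust store that holds only the root, then against one that also has the intermediate. The hostname, file names and working directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): show why a root-only trust store fails
# when the server certificate was issued by an intermediate CA.
# HOST and all file names are placeholders.
set -e
WORK="$(mktemp -d)"
HOST="directory.example.internal"   # placeholder name for the directory server

make_chain() {
  cd "$WORK"
  # Root CA (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Internal Root CA" -days 30 >/dev/null 2>&1
  # Intermediate (issuing) CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Internal Issuing CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 30 -extfile inter.ext >/dev/null 2>&1
  # Server certificate for the directory host, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=$HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > server.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out server.crt -days 30 -extfile server.ext >/dev/null 2>&1
}

# Trust store contains only the root CA and the intermediate is not available:
# this is the situation when only the root was uploaded as tomcat-trust.
# Prints "ok" if the chain validates, "fail" otherwise.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Same check with the intermediate supplied as well, equivalent to uploading
# both root and intermediate as tomcat-trust.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}

make_chain
echo "root only:           $(verify_root_only)"
echo "root + intermediate: $(verify_with_intermediate)"
```

The first check fails and the second succeeds, which is exactly the "Host Not Found" style symptom you get on the phone when the issuing CA is missing from tomcat-trust. The same two openssl verify commands can be run against the real server's certificate (exported from the web server) with the certificates you intend to upload, to confirm the set is complete before restarting Tomcat.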
09-18-2012 05:07 AM
Thanks for the reply. I have not yet generated a certificate for CUCM on our internal CA, but this has prompted me to do so.
09-18-2012 05:08 AM
Thanks for this Joe, I was adding the CA certificate to the phone-trust chain. I didn't think to add it to tomcat-trust.