02-02-2016 11:40 AM - edited 03-17-2019 05:42 AM
Hello everyone,
My customer asked me to disable the pop certificate for Jabber internal communications (later we will disable the external)
I did not implement this before and I read about it and I really appreciate if you can correct the following steps or add more clarifications.
First of all, since I'm using CUCM 11, I will deal with the CUCM publisher only; no need to go to each CUCM and IM & Presence server.
OS Administration >> Security >> Certificate Management >> Upload certificate.
Certificate Purpose: tomcat-trust
And upload the root CA certificate.
Certificate Purpose: tomcat
Regarding SAN, what I should do if I have some servers in different domain, like:
PUB.domain1.com
Sub2.domain2.com
Generate and download.
Thanks
02-02-2016 01:46 PM
This looks pretty complete to me. Just remember to add the CA's cert to the actual (Jabber) client's cert store as well (although it is most likely already in there).
02-02-2016 10:25 PM
Thank you all for your support (+5)
What if I use a public certificate? In this case I do not need to add it to the client's cert store, am I right?
I have the following also: I believe I missed the XMPP cert, so I have to create a CSR from IM and Presence too?
What if I have different domains for CUCM, regarding SAN?
02-02-2016 10:58 PM
SAN includes IM&P as well (no need to generate a separate CSR for it), and you can definitely do alternate domains as well. While generating the CSR for SAN, it will auto-populate the FQDN of all the CUCM and IM&P servers in the cluster, and you can then define alternate domains under the Other Domains field.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html
Most of the known browsers such as FF, IE, etc. have their own Trusted Cert store that includes certs from DigiCert, Verisign, etc. by default. Hence, you do not need to add them to the client cert store explicitly, as they will/should already be present in the Trusted Root Certification Authorities on the client PC.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
Regards
Deepak
02-02-2016 11:12 PM
Thank you for your support
but what about XMPP cert? No need to generate CSR for XMPP in IM and Presence?
02-02-2016 11:16 PM
No, check below:
Unified Communications Manager supports a single CA signed certificate with SAN extensions across multiple servers for each of the Tomcat, CallManager, and IM and Presence Service services. The SAN fields are utilized and shared across multiple servers in a cluster for each of the Tomcat, CallManager, cup-xmpp, and cup-xmpp-s2s certificates. The administrator selects between single-server certificates and multiserver certificates with SAN extensions to generate a CSR, and then uploads the certificate or certificate chain.
Reference Document:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00
Regards
Deepak
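As an added check, not from this thread or from Cisco's tooling: once the multi-server certificate is signed, confirm that its SAN actually covers every CUCM and IM&P node (including nodes in a second domain, as asked above) before uploading it. The hostnames and the openssl output below are constructed placeholders.

```python
import re

# Constructed sample of the SAN section as printed by `openssl x509 -noout -text`
# (placeholder names, not from a real cluster)
OPENSSL_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:pub.domain1.com, DNS:sub2.domain2.com, DNS:*.domain1.com, DNS:imp1.domain1.com
"""

# Every node in the cluster that the one SAN certificate must cover (constructed)
CLUSTER_NODES = ["PUB.domain1.com", "Sub2.domain2.com",
                 "imp1.domain1.com", "imp2.domain2.com"]


def parse_san_dns(openssl_text):
    """Return the lower-cased DNS entries of the SAN extension from openssl -text output."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", openssl_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1].strip().lower()
            for e in entries if e.startswith("DNS:")]


def san_matches(san_name, host):
    """RFC 6125-style match: exact name, or '*' as the entire leftmost label only."""
    host = host.lower()
    if san_name == host:
        return True
    if san_name.startswith("*.") and "*" not in san_name[2:]:
        # "*.domain1.com" covers "imp1.domain1.com" but not "a.b.domain1.com"
        suffix = san_name[1:]
        return host.endswith(suffix) and host.count(".") == san_name.count(".")
    return False


def uncovered_nodes(san_names, nodes):
    """Return the cluster nodes that no SAN entry (exact or wildcard) covers."""
    return [n for n in nodes if not any(san_matches(s, n) for s in san_names)]


if __name__ == "__main__":
    sans = parse_san_dns(OPENSSL_TEXT)
    missing = uncovered_nodes(sans, CLUSTER_NODES)
    print("SAN entries:", sans)
    print("Nodes NOT covered:", missing or "none")
```

Any node it reports as not covered will still trigger the certificate warning in Jabber after the upload, so add it under Other Domains and regenerate the CSR.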
02-03-2016 01:22 AM
Thank you
02-02-2016 08:38 PM
Make sure you also distribute the trusted root certificate to all clients.