My customer asked me to disable the pop certificate for Jabber internal communications (later we will disable the external).
I have not implemented this before. I read about it, and I would really appreciate it if you could correct the following steps or add more clarifications.
First of all, as I’m using CUCM 11, I will deal with the CUCM publisher only; no need to go to each CUCM and IM & Presence server.
OS Administration>> Security>> Certificate Management>> Upload certificate.
Certificate Purpose: tomcat-trust
And upload the root CA certificate.
Certificate Purpose: tomcat
Regarding SAN, what should I do if I have some servers in a different domain, like:
Generate and download,
This looks pretty complete to me. Just remember to add the CA's cert to the actual (Jabber) client's cert store as well (although it is most likely already in there).
Thank you all for your support (+5)
What if I use a public certificate? In this case I do not need to add it to the client's cert store, am I right?
I also have the following. I believe I missed the XMPP cert? So do I have to create a CSR from IM and Presence too?
What if I have different domains for CUCM, regarding SAN?
SAN includes IM&P as well (no need to generate a separate CSR for it), and you can definitely do alternate domains as well. While generating the CSR for SAN, it will auto-populate the FQDN of all the CUCM and IM&P servers in the cluster, and you can then define alternate domains under the Other Domains field.
Most of the known browsers such as FF, IE, etc. have their own Trusted Cert stores that include certs from DigiCert, Verisign, etc. by default. Hence, you do not need to add them to the client cert store explicitly, as they will/should already be present in the Trusted Root Certification Authorities on the client PC.
No, check below:
Unified Communications Manager supports a single CA signed certificate with SAN extensions across multiple servers for each of the Tomcat, CallManager, and IM and Presence Service services. The SAN fields are utilized and shared across multiple servers in a cluster for each of the Tomcat, CallManager, cup-xmpp, and cup-xmpp-s2s certificates. The administrator selects between single-server certificates and multiserver certificates with SAN extensions to generate a CSR, and then uploads the certificate or certificate chain.
Make sure you also distribute the trusted root certificate to all clients.
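Added example, not part of the thread and not Cisco tooling: a pre-upload check that the SAN list of a multi-server CSR or signed certificate covers every cluster node, including nodes in a second domain. All host names are constructed placeholders, the function names are hypothetical, and the wildcard handling (left-most label only) goes beyond what the thread discusses.

```python
"""Check that a multi-server SAN list covers every CUCM / IM&P node FQDN."""


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")


def san_matches(san, host):
    """True if one SAN dNSName entry covers host."""
    san, host = _norm(san), _norm(host)
    if not san or not host:
        return False
    if san == host:
        return True
    if san.startswith("*."):
        # A wildcard stands for exactly one left-most label, and is
        # refused directly under a single-label suffix such as "*.com".
        suffix = san[1:]
        head, dot, tail = host.partition(".")
        return bool(head) and dot == "." and "." + tail == suffix and "." in tail
    return False


def coverage(san_entries, nodes):
    """Return (missing, unused).

    missing: node FQDNs that no SAN entry covers (clients would warn on these).
    unused:  SAN entries matching no listed node (informational, for example
             a bare domain entry).
    """
    missing = [n for n in nodes if not any(san_matches(s, n) for s in san_entries)]
    unused = [s for s in san_entries if not any(san_matches(s, n) for n in nodes)]
    return missing, unused


# Constructed sample data: cluster nodes spread over two domains.
NODES = ["cucm-pub.corp.example", "cucm-sub1.corp.example",
         "imp-pub.corp.example", "cucm-sub2.branch.example"]
# Constructed SAN list, as it might be copied from a CSR or certificate view.
SANS = ["CUCM-PUB.corp.example", "cucm-sub1.corp.example",
        "imp-pub.corp.example", "branch.example"]

if __name__ == "__main__":
    missing, unused = coverage(SANS, NODES)
    print("nodes not covered:", missing)
    print("SAN entries matching no node:", unused)
```

A non-empty `missing` list means at least one server would still present a name the certificate does not cover, so the SAN list should be corrected before the CSR is sent to the CA.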