Moving from Self-signed to Root CA certificates

We have 1 Pub CUCM and 3 Sub CUCM servers and 2 TFTP servers in the cluster. We are currently using self-signed certificates, but management wants us to move to certificates signed by our Root CA. The CUCM version we are running is 9.1.2.12900-11.

So far this is what I understand we need to do:

1. Log into Cisco Unified OS Administration
2. Under Security -> Certificate Management
3. Select Generate CSR
4. For each of the following services generate the CSR

  • Tomcat
  • Ipsec
  • Callmanager
  • CAPF

5. Repeat steps 1-4 for remaining servers in cluster
6. Download the 24 CSRs to a PC
7. Email the CSRs to the CA admin
8. Download the 24 signed Certs to PC
9. Select Upload Certificate/Certificate chain
10. Upload each of the following root certs to each server in cluster

  • Tomcat
  • Ipsec
  • Callmanager
  • CAPF

11. Upload trust certs for all other servers to each server in cluster

  • Tomcat-trust
  • Ipsec-trust
  • Callmanager-trust
  • CAPF-trust

12. Restart all services on each server in the cluster

Some of the questions I am unable to find a clear answer on are:

  • Do we use the signed certificate for PUB to upload on sub1-3 and tftp1-2 as the trust certificate of PUB? Or does it need a separate certificate as well?
  • In Cisco documentation it states the following as a note: "The system automatically replicates tomcat-trust, Callmanager-trust and Phone-SAST-trust certificates to each node of the cluster." If I understand this correctly the following happens. I upload the Tomcat and Callmanager root Cert to PUB. These certs get replicated to all subs and tftp's in the cluster as tomcat-trust and CallManager-trust certificates. The same for when I upload the root certs to SUB1, they are added to PUB, SUB2, SUB3, TFTP1 and TFTP2 as trust certs. Is this correct?
  • Do we need to delete the old self-signed certs or do they get automatically overwritten? 

Thank you for any information

PS: if possible having links to Cisco documentation is always appreciated, as that is what my manager tends to look for in my outlines.

Accepted Solution

Jaime Valencia, Cisco Employee

No, actually once your CA comes back with the certs, you upload the root/certificate chain to the relevant X-trust store in the first place, THEN you upload the server certificate to each one.

And unless this is different on 9.x, which I don't believe it is, the X-trust certificates should replicate to all the servers, just give it a few minutes after the upload.

Each server should have a unique FQDN, so each server needs its own certificate. You don't even have to worry about messing that up, it will error out if you try to upload a cert that does not match the private key that was used to generate the CSR for that server.

No, the certs will be overwritten once you upload new certs.

I created a video with the procedure when doing this with a MS CA, the only difference is that you will be getting the certs from a 3rd party, but the upload process, generate CSR, is all the same.

https://supportforums.cisco.com/video/12675036/how-sign-certificates-microsoft-ca

HTH

java

if this helps, please rate


Thank you for the swift and detailed response. Not to mention the amazing video you created.

Jaime, one thing I have noticed in the version we are running is that it has several differences when dealing with the certificate and the CSR. The Tomcat certificate we have, under Enhanced key usage it only has server authentication. Another big difference is that under generate CSR we can only select which kind we want to generate CSR for. It does not give any options for key length or hash algorithm (see attachment). How will this impact our process?

If you're signing it with a 3rd party CA that is not MS, the CSR already contains the Key Usage and Enhanced Key Usage it requires; it's only MS CA that does not honor such settings, and the certificate template takes precedence.

If there's no option for key length, or hash, there's no option, you'll simply need to use the default settings.

FYI, there's no attachment

HTH

java

if this helps, please rate

Would this be something we would be able to test out by running VIRL and having everything virtualized? If not, what approach do you suggest to test this before we implement it in our production environment?

Hi Jaime,

I need to know: if the cluster is secure and all phones have CTL/ITL files on CUCM version 10.5.x with a self-signed cert,

and then we wanted to move from self-signed to CA-signed certs, will only uploading the certs on the server do the trick, or do we have to take some additional precautions?

Farrukh