10-28-2015 08:14 AM - edited 03-17-2019 04:43 AM
We have 1 Pub CUCM and 3 Sub CUCM servers and 2 TFTP servers in the cluster. We are currently using self-signed certificates, but management wants us to move to certificates signed by our Root CA. The CUCM version we are running is 9.1.2.12900-11.
So far this is what I understand we need to do:
1. Log into Cisco Unified OS Administration
2. Under Security -> Certificate Management
3. Select Generate CSR
4. For each of the following services generate the CSR
5. Repeat steps 1-4 for remaining servers in cluster
6. Download the 24 CSRs to a PC
7. Email the CSRs to the CA admin
8. Download the 24 signed certs to PC
9. Select Upload Certificate/Certificate chain
10. Upload each of the following root certs to each server in cluster
11. Upload trust certs for all other servers to each server in cluster
12. Restart all services on each server in the cluster
Some of the questions I am unable to find a clear answer on are:
Thank you for any information
PS: if possible having links to Cisco documentation is always appreciated, as that is what my manager tends to look for in my outlines.
10-28-2015 09:13 AM
No, actually once your CA comes back with the certs, you upload the root/certificate chain to the relevant X-trust store in the first place, THEN you upload the server certificate to each one.
And unless this is different on 9.x, which I don't believe it is, the X-trust certificates should replicate to all the servers; just give it a few minutes after the upload.
Each server should have a unique FQDN, so each server needs its own certificate. You don't even have to worry about messing that up: it will error out if you try to upload a cert that does not match the private key that was used to generate the CSR for that server.
No, the certs will be overwritten once you upload new certs.
I created a video of the procedure for doing this with an MS CA. The only difference is that you will be getting the certs from a 3rd party, but the upload process and CSR generation are all the same.
https://supportforums.cisco.com/video/12675036/how-sign-certificates-microsoft-ca
10-29-2015 10:42 AM
Thank you for the swift and detailed response. Not to mention the amazing video you created.
10-30-2015 06:57 AM
Jaime, one thing I have noticed in the version we are running is that it has several differences when dealing with the certificate and the CSR. The Tomcat certificate we have, under Enhanced key usage it only has server authentication. Another big difference is that under generate CSR we can only select which kind we want to generate CSR for. It does not give any options for key length or hash algorithm (see attachment). How will this impact our process?
10-30-2015 07:49 AM
If you're signing it with a 3rd party CA that is not MS, the CSR already contains the Key Usage and Enhanced Key Usage it requires; it's only the MS CA that does not honor such settings, and the certificate template takes precedence.
If there's no option for key length or hash, there's no option; you'll simply need to use the default settings.
FYI, there's no attachment.
11-02-2015 05:39 AM
Would this be something we would be able to test out by running VIRL and having everything virtualized? If not, what approach do you suggest to test this before we implement it in our production environment?
03-27-2018 12:29 AM
Hi Jaime,
I need to know: if the cluster is secure and all phones have CTL/ITL files on CUCM version 10.5.x with self-signed certs,
and we then want to move from self-signed to CA-signed certs, will only uploading the certs on the server do the trick, or do we have to take some additional precautions?
Farrukh