cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
399
Views
0
Helpful
3
Replies
Highlighted
Engager

SRTP, CUBE & Multi-SAN CUCM Certificate

I've read two Cisco documents on setting up a secure SIP trunk between CUBE and CUCM. Both documents talk about importing every node's Callmanager certificate into CUBE.

 

But what if you've got a multi-SAN certificate for CallManager? (I.e. One certificate for all nodes in the cluster) Do I have to import the same certificate for each node in the cluster, or is there another way to do it?

Please rate all helpful posts.
3 REPLIES 3
Highlighted
Hall of Fame Cisco Employee

This follows the same basic rules of certificates/encryption you would follow in CUCM, there's nothing special in that regards.

Most likely the doc you looked at did that because they were using self-signed certs, and then each server acts as a standalone CA.

In my lab as I use the same CA for everything, I generated the CSR request on the ISR, had it signed, then uploaded the same root CA I use in CUCM and the signed certificate and that's it. I'm able to have TLS/SRTP between them

HTH

java

if this helps, please rate
Highlighted

That's good to know. I wondered if something clever was going on and each server's SSL certificate had to be validated against it's name/IP address. So it looks more like that CUBE is just checking that the certificate is recognised and doesn't care where it comes from.
Please rate all helpful posts.
Highlighted

BTW - If my CUCM certificate is signed by a CA (Commercial or othewise) do I need to upload the full certificate chain, or just the CUCM endpoint certificate?
Please rate all helpful posts.
Content for Community-Ad