SRTP, CUBE & Multi-SAN CUCM Certificate

Gordon Ross
Level 9

I've read two Cisco documents on setting up a secure SIP trunk between CUBE and CUCM. Both documents talk about importing every node's Callmanager certificate into CUBE.

 

But what if you've got a multi-SAN certificate for CallManager? (I.e. One certificate for all nodes in the cluster) Do I have to import the same certificate for each node in the cluster, or is there another way to do it?

Please rate all helpful posts.
3 Replies

Jaime Valencia
Cisco Employee

This follows the same basic rules of certificates/encryption you would follow in CUCM; there's nothing special in that regard.

Most likely the doc you looked at did that because they were using self-signed certs, and then each server acts as a standalone CA.

In my lab, as I use the same CA for everything, I generated the CSR request on the ISR, had it signed, then uploaded the same root CA I use in CUCM and the signed certificate, and that's it. I'm able to have TLS/SRTP between them.

HTH

java

if this helps, please rate
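
The lab procedure described in the reply above, sketched as IOS configuration. This is an added example, not taken from the thread or from Cisco documentation; the trustpoint name `CUBE-TP`, key label `CUBE-KEY` and subject name `cube.example.com` are placeholders, and it assumes the ISR and CUCM certificates are signed by the same CA.

```cisco
! Added example: one trustpoint holds both the shared root CA and the
! CUBE identity certificate. All names below are placeholders.

! 1. Key pair for the CUBE identity certificate
crypto key generate rsa general-keys label CUBE-KEY modulus 2048

! 2. Trustpoint with manual (cut-and-paste) enrollment
crypto pki trustpoint CUBE-TP
 enrollment terminal pem
 subject-name CN=cube.example.com
 rsakeypair CUBE-KEY
 ! Lab setting only: disables CRL checking. Use a real revocation
 ! method where the CA publishes one.
 revocation-check none

! 3. Paste the root CA certificate (PEM). Because CUCM's certificate is
!    issued by this same CA, this trust anchor is what lets CUBE
!    validate the certificate presented by CUCM.
crypto pki authenticate CUBE-TP

! 4. Generate the CSR, have the CA sign it, then paste the signed
!    certificate back in
crypto pki enroll CUBE-TP
crypto pki import CUBE-TP certificate

! 5. Use this trustpoint for SIP TLS signaling
sip-ua
 crypto signaling default trustpoint CUBE-TP

! Check what was loaded
show crypto pki certificates CUBE-TP
```

On the CUCM side, the same root CA has to be trusted so that CUCM can validate the certificate CUBE presents.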

That's good to know. I wondered if something clever was going on and each server's SSL certificate had to be validated against its name/IP address. So it looks more like CUBE is just checking that the certificate is recognised and doesn't care where it comes from.
Please rate all helpful posts.

BTW - If my CUCM certificate is signed by a CA (Commercial or otherwise) do I need to upload the full certificate chain, or just the CUCM endpoint certificate?
Please rate all helpful posts.