Re: Using Microsoft Certificate Authority w/ CUCM 12.5

pdx99 · ‎04-25-2019

Greetings - I'm involved in administering a CUCM 12.5 implementation which is in the (slow) roll-out phase. The Publisher and a Subscriber have been installed at this point.

We are going to use an existing Microsoft CA rather than the self-signed certs. I've been pouring over documentation but haven't been able to attain a clear sense of what I need to do to use Microsoft CA certs in place of the self-signed. As further info, the Microsoft CA is an offline root and one intermediate.

Coming from a Microsoft environment I'm used to the placing root CA certs in the Trusted Root Certification Authorities store and intermediate CA certs in the Intermediate Certification Authorities store. How/where do I add the Microsoft root and intermediate CA certs to CUCM 12.5

As one example of my continued confusion, "The Security Guide for Cisco Unified Communications Manager, Release 12.5(1)" reads, in the "Install Intermediate Certificates" section "To install an intermediate certificate, you must install a root certificate first and then upload the signed certificate" and in the same section the process includes two different steps that say, "Choose intelligenceCenter-srvr-trust from the Certificate Purpose drop-down list to install the root certificate", but I don't have any "intelligenceCenter-srvr-trust" listed in my intelligenceCenter-srvr-trust in my drop-down list?

Is there any clear/definitive documentation as to necessary steps/configuration to use a Microsoft CA with CUCM 12.5?

Also at System -> Security -> Certificate in CUCM Administration, there are 15 different certs with various "selected Roles" and "selected services" that have been as part of the installation. As I'd need to do CSRs for Microsoft CA certs to replace these self-signed certs is there any definitive source as to what certificates are needed?

Thanks

Jaime Valencia · ‎04-25-2019

root and intermediate certs go to the < service >-trust-store

service certificate goes to the service itself and will be validated against the CSR and key that you created.

You can download all the certificates to look at what specs they currently have and match those, as you'll notice the CSR creation allows for limited choices.

The certificates you want/need to use CA signed certificates, depend on what you are going to use. There's already documentation that explains the role and purpose of each certificate.

There is no Cisco documentation as to how to set a MS CA.

HTH

java

if this helps, please rate

stevenlandon · ‎04-25-2019

Jamie, i think he is asking about this...

Online CA—Use this option to have an external online CA signed LSC for phones. The CAPF service connects automatically to the external CA. When a CSR is submitted, the CA signs and returns the CA-signed LSC automatically.

pdx99 · ‎04-26-2019

That's part of what I'm trying to establish

I'm also looking to determine how to install root/intermediate certs when using a enterprise CA (Microsoft CA in my case). The Cisco The Security Guide for Cisco Unified Communications Manager, Release 12.5(1) refers to Choose intelligenceCenter-srvr-trust from the Certificate Purpose drop-down list to install the root certificate but intelligenceCenter-srvr-trust is not present in my installation.

Based on the previous answer it appears that root and intermediate certs go to the < service >-trust-store

My installation which currently includes one pub and one sub has 15 self-signed certs. In these 15 certs, the following are listed in Services Currently Associated -> Selected Services on one or more certificates

CallManager-trust
CAPF-trust
tomcat-trust
ipsec-trust

So, I'm interpreting that to mean that I need to upload the root and intermediate certs for each of those Certificate Purpose. Is that correct?

Thanks

Gregory Brunn · ‎04-26-2019

It depends on the application you want to use and the ends. In a non secure deployment (IE not mixed mode) I would only recommend issuing a CSR for tomcat signing it uploading your intermed and root as tomcat-trust and then the tomcat signed cert to tomcat.

I wouldn't go through the trouble of signing the other certs unless you had a need for them to be signed. Organizational security policies could be one reason to do that another is if your are doing jabber and MRA your cert requirement change a little. You can google that guide if needed. But since you did not bring up IMP I wouldn't worry about that.

Benjamin K. · ‎05-07-2019

Hey Steven,

one question about your statement. Could you please explain what mechanism the CAPF service used to connected to issuing CA (Onlince CA)? So how is the issuing CA response that request? Is it like scep or also in that scenario a native MS protocol or mechanism?

Thanks and best regards
Ben

stevenlandon · ‎05-24-2019

I don't know how it works, i just know it is a new feature introduced in CUCM 12.5

stevenlandon · ‎07-28-2020

Has anyone got the OnlineCA option with MS working?

I have not been successful and I have followed the guides to the letter.

Vaijanath Sonvane · ‎09-09-2020

Hi Steven,

Please use below step by step document for setting up online CA with Microsoft CA:

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214501-configure-automatic-certificate-enrollme.html

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.