10-10-2012 05:12 PM - edited 03-17-2019 11:56 PM
I am having a problem where SIP TLS negotiation is failing for the trunk between CUCM 9 and VCS 7.2. Following are the steps followed from the Cisco TLS trunk creation guide.
- CSR generated from the VCS and uploaded to the Microsoft Certificate Server.
- Then upload the certificate and CA certificate to the VCS.
- Then download the server certificate from the VCS and upload it to the CUCM.
However, the TLS negotiation is failing, and the CUCM log shows the error message "unsupported certificate type for purpose".
Has anybody experienced this issue?
Note: if a self-signed certificate is used, the TLS trunk is established.
01-13-2014 10:21 PM
That could be a problem - you will just have to create a new certificate template in the CA. The Certificate Creation and Deployment Guide describes the process for Microsoft CA.
02-01-2014 05:56 PM
We created a new certificate template on our Microsoft SUB CA which includes both server and client EKU in the WebServer certificate.
The new VCS certificate certified with that template then uploaded without any warning on the VCS 8.1.
However, I was still getting an error and the TLS trunk between the CUCM and the VCS was still failing. The VCS logs were showing a "Peer’s TLS certificate identity was unacceptable" error.
I tried putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB but it didn't make any difference.
As I guess the peer refers to the CUCM, I went ahead and changed both CUCM publisher and subscriber's callmanager certificate to certs certified by the same CA using the same server/client webserver template.
Yet it was still not working and it still showed the same error "Peer’s TLS certificate identity was unacceptable".
I finally solved that last error by putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB.
That was really a painful one. Would be helpful if Cisco's documentation was more precise on all the requirements and steps to get all that working.
07-08-2019 02:59 AM - edited 05-19-2023 02:59 AM
Hi all, and for those facing this issue:
Please make sure you uploaded the Root CA certificate with 'CallManager-trust', generated the CUCM cluster CSR with 'Certificate Purpose' set to 'CallManager', and finally, when uploading the CUCM cluster certificate (signed by the CA), ensure you select 'CallManager' for Certificate Purpose.
Hopefully this helps you.
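The two failures discussed in this thread (a certificate lacking the client or server EKU, and a peer address that the certificate's names do not cover) can be checked before upload with the openssl command line. This is an added example, not part of the original posts or of Cisco's guide; it assumes OpenSSL 1.1.1 or later, uses OpenSSL's own purpose and name checks as a stand-in for what CUCM and the VCS verify, and the host name shown in the comments is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate used on a mutual-TLS SIP trunk.

# check_trunk_cert CERT.pem PEER
#   PEER is the exact string configured as the peer address on the far side,
#   e.g. the constructed name cucm-pub.example.test or an IP literal.
check_trunk_cert() {
    cert=$1; peer=$2; rc=0
    purposes=$(openssl x509 -in "$cert" -noout -purpose) || return 2
    # On a TLS trunk each node both dials and answers, so the same certificate
    # must be acceptable as a TLS client and as a TLS server.
    for role in "SSL client" "SSL server"; do
        if ! printf '%s\n' "$purposes" | grep -q "^$role : Yes"; then
            echo "FAIL: not usable as $role (check extended key usage)"; rc=1
        fi
    done
    # An IP literal is compared with IP SAN entries, a name with DNS SAN/CN,
    # so a name-only certificate does not cover an IP peer address.
    case $peer in
        *:*)       opt=-checkip ;;    # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;  # anything that is not dotted digits
        *)         opt=-checkip ;;    # IPv4 literal
    esac
    if ! openssl x509 -in "$cert" -noout "$opt" "$peer" | grep -q 'does match'; then
        echo "FAIL: certificate identity does not cover peer address '$peer'"; rc=1
    fi
    return $rc
}

# make_sample_cert OUT.pem EKU NAME
#   Builds a constructed, self-signed, one-day certificate for trying the check.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1" -subj "/CN=$3" -addext "extendedKeyUsage=$2" \
        -addext "subjectAltName=DNS:$3" 2>/dev/null
}
```

Run `check_trunk_cert` against the signed certificate with the peer address exactly as it is entered in the zone or trunk configuration; a return status of 0 means both checks passed.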