I am having a problem where SIP TLS negotiation is failing for the trunk between CUCM 9 and VCS 7.2. Following are the steps followed from the Cisco TLS trunk creation guide.
- CSR generated from VCS and uploaded it to the Microsoft Certificate Sever.
- then upload the certificate and CA certificate to the VCS
- then download the sever certificate from the VCS and upload it to the CUCM
However, the TLS negotiation is failing and in the CUCM log, it's complaining an error message "unsupported certificate type for purpose"
anybody has experienced this issue?
Note: if self-signed certificate is used, tls trunk is established.
I am getting this now as well:
"Invalid certificate: The file provided does not have a client usage attribute. Services requiring mutual TLS may not work."
However I can find 0 documentation on how to create a template on the Microsoft CA that contains the Client and the server attribute. The cisco documentation just hands you off to the CA on the guide:
Step 5 Submit the CSR to your public CA.
Anyone have any instructions on getting the certificate generated?
Which certificate template did you choose when creating the VCS server certificate on the Microsoft CA?
It sounds to me as CUCM is complaining because the VCS certificate is missing the 'Server Authentication' extended key usage, and possibly also the 'Client authentication' EKU, I'm not sure if both are required by CUCM or only the Server auth EKU.
The default 'Web server' template on the Microsoft CA should at least create a certificate with the Server Auth EKU, so you might want to check that first. If it turns out that CUCM also needs the certificate to have the Client auth EKU, you probably have to create a custom certificate template on the Windows side.
Hi Andreas, I choosed web server template. I will check to see if the Web server certificate contains server auth EKU.
I am wondering what are the requirement when using CA-signed certificate to creat a TLS trunk?
If I need to create a custom certificate, can you please point me to a document to which I can reference to when creating?
The Certificate creation and use deployment guide (
Since you state that using a self-signed certificate works fine, have you tried comparing this self-signed certificate with the certificate created by the Microsoft CA to see what the differences are? Where does the self-signed cert originate from?
I have the exact same problem here. The CUCM is 9.1.2 and VCS-C is 7.2.1
I read the [Cisco VCS Certificate creation guide] and the [Cisco Unified Communications Manager with Cisco VCS]
Here's what I did,
and I still see a TLS negociation failure on the VCS-C
on step 5 - are you talking about uploading the VCS CA signed ceritficate on CUCM?
Have you created CSR on CUCM (Callmanager) , have it then signed by CA and uploaded it back as CallManager-trust?
X.509 Subject Name on the security profile on CUCM should be the name you used to create the ceritficate request, pleae note , not Subject Alternative Name but Subject name.
Aslo - in VCS under Maintenance> Security Cetrtificates> Trusted CA certificate - what type and who is the issuer of the certificates there?
i think you are missing a step here. the process you are following on cucm is for "self-signed' certificate. however here in your case VCS doesn't have a self signed certificate.
so you need to use the same root CA on CUCM side to verify the certificate as mentioned by Andrey.
Yes it looks that it is the issue.
My colleague found in the VCS log the below error:
2013-12-19T22:20:40+09:00 vcsc-server tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.xxx.xxx.xxx" Src-port="34736" Dst-ip="10.yyy.yyy.yyy" Dst-port="5061"
Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2013-12-19 13:20:40,157"
I can generate a CSR request on the CUCM and get it certified by our Microsoft CA, but my questions are:
- do I need a CA-certified cert for all the CUCM nodes or just the PUB
- which service do I need a cert for? Just the CallManager or also the tomcat, ipsec, CAPF, TVF...
- Once I have a CA-certified CUCM cert, do I need to erase the self-signed certificate or can I keep both?
pls follow the CUCM VCS deplyoment gudie for x7.2 or x8.1. i am posting the link for x8.1 but it should be same for x7.2 as well.
by default cucm has a cert installed on cucm "callmanager.pem", so you need to generate a new cert for the CUCM and replace the deault callmanager.pem file with that, You then need to install the root CA cert of the CUCM under call manager trust.
please note the above steps has to be done on each node in the CUCM cluster which has call manager service running.
simillaryl for VCS you need to generate a server cert for the VCS and install it on VCS under certificate maangement-->server certificate, and you also need to install the root CA on the VCS.
I still have the same issue.
So here's the status:
It still shows as failed on the VCS zone
Don't I need to do something about the CUCM CallManager-trust certs too?
does it matters if the CA is a SUB-CA versus a root-CA ?