Showing results for 
Search instead for 
Did you mean: 

Creating SIP TLS trunk between CUCM and VCS Using CA-signed-certificate


I am having a problem where SIP TLS negotiation is failing for the trunk between CUCM 9 and VCS 7.2. Following are the steps followed from the Cisco TLS trunk creation guide.

- CSR generated from VCS and uploaded it to the Microsoft Certificate Sever.

- then upload the certificate and CA certificate to the VCS

- then download the sever certificate from the VCS and upload it to the CUCM

However, the TLS negotiation is failing and in the CUCM log, it's complaining an error message "unsupported certificate type for purpose"

anybody has experienced this issue?

Note: if self-signed certificate is used, tls trunk is established.

17 Replies 17

Alok Jaiswal
Cisco Employee
Cisco Employee

Hi Zlatt,

Does the CUCM has the root CA installed on it as well ? if not, can you try to do that.



Yes, it does. please correct me if I am wrong. I though that CUCM CA certificate is installed on the CUCM by default..

I am getting this now as well:

"Invalid certificate: The file provided does not have a client usage attribute. Services requiring mutual TLS may not work."

However I can find 0 documentation on how to create a template on the Microsoft CA that contains the Client and the server attribute. The cisco documentation just hands you off to the CA on the guide:


Step 5 Submit the CSR to your public CA.

Note Important: Make sure your public CA provides you with an SSL server certificate that includes both Server and Client Auth keys.


Anyone have any instructions on getting the certificate generated?

Rising star
Rising star

Which certificate template did you choose when creating the VCS server certificate on the Microsoft CA?

It sounds to me as CUCM is complaining because the VCS certificate is missing the 'Server Authentication' extended key usage, and possibly also the 'Client authentication' EKU, I'm not sure if both are required by CUCM or only the Server auth EKU.

The default 'Web server' template on the Microsoft CA should at least create a certificate with the Server Auth EKU, so you might want to check that first. If it turns out that CUCM also needs the certificate to have the Client auth EKU, you probably have to create a custom certificate template on the Windows side.

Hi Andreas, I choosed web server template. I will check to see if the Web server certificate contains server auth EKU.

I am wondering what are the requirement when using CA-signed certificate to creat a TLS trunk?

If I need to create a custom certificate, can you please point me to a document to which I can reference to when creating?


The Certificate creation and use deployment guide ( would be a good start.

Since you state that using a self-signed certificate works fine, have you tried comparing this self-signed certificate with the certificate created by the Microsoft CA to see what the differences are? Where does the self-signed cert originate from?

- Andreas

I have the exact same problem here. The CUCM is 9.1.2 and VCS-C is 7.2.1

I read the [Cisco VCS Certificate creation guide] and the [Cisco Unified Communications Manager with Cisco VCS]

Here's what I did,

  1. I uploaded on our VCS-C our Microsoft AD Certificate Service server CA and uploaded it on the VCS-C trusted CA certificate
  2. I created a CSR on the VCS-C, when on my Microsoft CA server and submit a certificate request using template "Web server"
  3. I saved the certificate provided by the Microsoft CA server
  4. I uploaded that cert on the VCS-C server certificate
  5. I uploaded that cert on the CUCM as a CallManager-trust certificate
  6. Following the [Cisco Unified Communications Manager with Cisco VCS] manual I created a SIP trunk security profile setting up the X.509 CN=name as the subject name, changed port, switched to TLS and Encrypted mode
  7. I updated the Trunk to use that SIP trunk profile, change the trunk name to the cert X.509 CN= name, changed the port...
  8. I changed the Zone pointing to the CUCM on the VCS-C (leaving the TLS verify mode to Off)

and I still see a TLS negociation failure on the VCS-C

Hi Matthieu,

on step 5 - are you talking about uploading the VCS CA signed ceritficate on CUCM?

Have you created CSR on CUCM (Callmanager) , have it then signed by CA and uploaded it back as CallManager-trust?

X.509 Subject Name on the security profile on CUCM should be the name you used to create the ceritficate request, pleae note , not Subject Alternative Name but Subject name.

Aslo - in VCS under Maintenance> Security Cetrtificates> Trusted CA certificate - what type and who is the issuer of the certificates there?


Hi MAtthieu,

i think you are missing a step here. the process you are following on cucm is for "self-signed' certificate. however here in your case VCS doesn't have a self signed certificate.

so you need to use the same root CA on CUCM side to verify the certificate as mentioned by Andrey.



Hello Alok,

Yes it looks that it is the issue.

My colleague found in the VCS log the below error:

2013-12-19T22:20:40+09:00 vcsc-server tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="" Src-port="34736" Dst-ip="10.yyy.yyy.yyy" Dst-port="5061"

Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2013-12-19 13:20:40,157"

I can generate a CSR request on the CUCM and get it certified by our Microsoft CA, but my questions are:

- do I need a CA-certified cert for all the CUCM nodes or just the PUB

- which service do I need a cert for? Just the CallManager or also the tomcat, ipsec, CAPF, TVF...

- Once I have a CA-certified CUCM cert, do I need to erase the self-signed certificate or can I keep both?

Hi Matt,

pls follow the CUCM VCS deplyoment gudie for x7.2 or x8.1. i am posting the link for x8.1 but it should be same for x7.2 as well.

by default cucm has a cert installed on cucm "callmanager.pem", so you need to generate a new cert for the CUCM and replace the deault callmanager.pem file with that, You then need to install the root CA cert of the CUCM under call manager trust.

please note the above steps has to be done on each node in the CUCM cluster which has call manager service running.

simillaryl for VCS you need to generate a server cert for the VCS and install it on VCS under certificate maangement-->server certificate, and you also need to install the root CA on the VCS.



I still have the same issue.

So here's the status:

  1. I uploaded on our VCS-C and CUCM servers our Microsoft AD Certificate Service server CA
  2. Uploaded the VCS-C certified certs on all CUCM servers as CallManager-trust certs
  3. I created a CSR on the VCS-C, got it certified by the Microsoft CA server and uploaded that cert on the VCS-C server certificate
  4. I did the same for all the CUCM: create a CallManager CSR, get it certified by the Microsoft CA and uploaded each sserver own certified CallManager cert on itself, replacing the CallManager.pem
  5. Followed the instruction from page 27 on the manual send in the link above (which I had already read)
  6. restarted the CUCM servers call manager and Tomcat servervices
  7. restarted the trunk on the CUCM

It still shows as failed on the VCS zone

Don't I need to do something about the CUCM CallManager-trust certs too?

does it matters if the CA is a SUB-CA versus a root-CA ?