Showing results for 
Search instead for 
Did you mean: 

Creating SIP TLS trunk between CUCM and VCS Using CA-signed-certificate


I am having a problem where SIP TLS negotiation is failing for the trunk between CUCM 9 and VCS 7.2. Following are the steps followed from the Cisco TLS trunk creation guide.

- CSR generated from VCS and uploaded it to the Microsoft Certificate Sever.

- then upload the certificate and CA certificate to the VCS

- then download the sever certificate from the VCS and upload it to the CUCM

However, the TLS negotiation is failing and in the CUCM log, it's complaining an error message "unsupported certificate type for purpose"

anybody has experienced this issue?

Note: if self-signed certificate is used, tls trunk is established.

17 Replies 17

Cisco Employee
Cisco Employee

That could be a problem- you will just have to create a new certificate template in the CA. The Certificate creation an Deployment Guide describe the process for Microsoft CA.

Sent from Cisco Technical Support Android App

We created a new certificate template on our Microsoft SUB CA which includes both server and client EKU in the WebServer certificate.

The new VCS certificate certified with that template then uploaded without any warning on the VCS 8.1

Howerver I was still getting an error and the TLS trunk between the CUCM and the VCS was still failing. The VCS logs where showing a "Peer’s TLS certificate identity was unacceptable" error.

I tried putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB but it didn't make any difference.

As I guess the peer refers to the CUCM, I went ahead and changed both CUCM publisher and subscriber's callmanager certificate to certs certified by the same CA using the same server/client webserver template.

Yet it was still not working and it still showed the same error "Peer’s TLS certificate identity was unacceptable".

I finaly solved that last error by putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB

That was really a painful one. Would be helpful if Cisco's documentation was more precise on all the requirements and steps to get all that working.

Hi all and for those guys facing this issue:

Pls. make sure you uploaded RootCA certification with 'CallManager-trust', and generated CUCM cluster CSR select 'Certificate Purpose' with 'CallManager, at last for CUCM cluster certification to be uploaded(signed by CA) ensure select 'CallManager' for Certificate Purpose.

Hopefully, this could help to you.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: