03-05-2012 11:16 AM - edited 03-17-2019 10:52 PM
Hi All,
One of the security measures that I am thinking of to restrict access to our VCS Starter after assigning it a public IP is to allow HTTPS access only if the admin's browser certificate matches that of the VCS.
I am uncertain if I can use the built-in certificate that came with the VCS to do this, however, and whether in fact the certificate is unique to that device.
Can you guide me on how this is implemented?
Thanks!
03-05-2012 11:32 AM
Hi Ricardo
We have some good documentation on how to deploy this.
Please look in the VCS administration guide (from page 270).
And also some useful information about VCS certificates can be found in this document:
Hope this helps!
/Magnus
03-06-2012 07:08 AM
Hi Magnus,
Thanks for the links. Though the documents helped me to understand the process I am unsure about where to get the client certificate for my browser to use.
I realize that the VCS came with a server certificate loaded. Does the client browser need this certificate to match that of the VCS?
03-07-2012 02:11 AM
Ricardo,
in order to use client certificate-based security on the VCS, you will need to have a CA (certificate authority) which can create certificates for the clients which will be accessing the VCS via HTTPS.
For this CA you have a lot of options; you could, for example, use a Windows-based CA or use OpenSSL, for which you should be able to find a lot of useful guides and help online.
Once you have created a CA certificate, you can create client certificates which are signed with your CA certificate (and I also recommend you create a server certificate for the VCS). You will then have to upload this CA certificate to the VCS (and the server certificate and key, if you chose to create these) and install a client certificate on each computer from which you plan to connect to the VCS.
Depending on which web browser you use for accessing the VCS, the web browser might have to be actively configured to enable client-based certificate checking, while other browsers will automatically prompt you to select which certificate to present once the VCS requests this.
Hope this helps,
Andreas
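Andreas's steps above, as an added example that is not from this thread or from Cisco: an OpenSSL shell script that builds a private CA, issues a server certificate for the VCS and a client certificate for an admin browser, and checks which CA each one chains to. The host name, subject names and work directory are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from Cisco: build a private CA with
# OpenSSL, issue a server certificate for the VCS and a client certificate for
# an admin browser, and check which CA each one chains to.
# Assumptions: the host name, the subject names and the work directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA certificate and key; the .crt is what gets uploaded to the VCS.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Key + CSR for a subject, signed by the named CA. $3 is the extendedKeyUsage:
# serverAuth for the VCS certificate, clientAuth for a browser certificate.
issue_cert() {
  ca="$1"; subject="$2"; eku="$3"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$subject" \
    -keyout "$WORK/$subject.key" -out "$WORK/$subject.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$WORK/$subject.ext"
  openssl x509 -req -in "$WORK/$subject.csr" -CA "$WORK/$ca.crt" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$subject.ext" -out "$WORK/$subject.crt" 2>/dev/null
}

# 0 if certificate $2 chains to CA $1, 1 otherwise: the same check a TLS peer
# performs, and the one a certificate from an untrusted CA fails.
verify_against() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# 0 if certificate $1 carries extendedKeyUsage text $2 (e.g. "TLS Web Client Authentication").
has_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# Demonstration: the lab CA issues both certificates, and a certificate is only
# accepted by a peer that trusts the CA which signed it.
make_ca lab-ca
make_ca other-ca
issue_cert lab-ca vcs-lab.example.com serverAuth
issue_cert lab-ca admin-laptop clientAuth
verify_against lab-ca admin-laptop && echo "admin-laptop chains to lab-ca"
verify_against other-ca admin-laptop || echo "admin-laptop is rejected by a peer trusting only other-ca"
```

Upload lab-ca.crt (and, if you use it, the server certificate and key) to the VCS, and import admin-laptop.crt plus its key into the browser's personal certificate store.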
03-27-2012 05:23 PM
Andreas/Magnus,
Thanks for the guidance. I managed to create a private key and a certificate request, which I used a Windows CA to sign. However, I stumbled on this problem:
tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="199.19.190.28" Src-port="52948" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate"
This was a call from a client registered with the Cisco jabber.com domain, not my own.
I presume that the certificate generated by me is used for TLS encryption as well, but I believed that certificate verification was done for HTTPS, and that in a call the VCS would use a combination of client and server keys to encrypt traffic.
I need to move to an online service like cacert.org because the VCS-E is on the public internet now and cannot reach our DC to renew the CRLs, which expire quickly. Is it that both the inbound client and the server must have a root CA containing the same authority?
05-03-2013 02:26 AM
Hi,
we are facing the same behavior with calls between Free Jabber servers and our VCS. Running VCS version 7.2.2.
"sslv3 alert bad certificate"
Have you resolved the issue?
Thank you.
04-01-2014 07:14 AM
Hi!
Having exactly the same error, only with free Jabber accounts; everything else works fine. Let me know if you are able to find the solution, and I will do the same on my end.
04-01-2014 07:39 AM
Hi,
in order to communicate with the free Jabber cloud, you have to upload to your VCS-E a server certificate signed by a trusted CA. You can choose one of the following:
https://supportforums.cisco.com/docs/DOC-23938
This will resolve your issues with calls with free jabber video users.