Showing results for 
Search instead for 
Did you mean: 



I've deployed TCS v7.2.1 with SIP trunk to CUCM v11.5.1.

SIP trunk works fine with standard port 5060.

I followed the admin guide to put in SIP TLS mode. Took me some time to get the certificate right and get it uploaded on TCS.

On CUCM side the SIP trunk with Secure SIP profile becomes active.

On TCS side the trunk remains inactive.

When making call from endpoint registered on CUCM the call is in non-encrypted.

I enabled debugging (-d 2) on the TCS Content Engine service but the logs only show

“Debug: Sending trunk status [ Trunk Status = 4]”.

Anyone managed to get this working?

5 Replies 5

To confirm you enabled SIP TLS per the TCS 7.2 Admin Guide?

CUCM is configured per the steps in the guide?

TCS is configured per the steps in the guide?

Indeed I carefully followed each step in the guide.

I had some problems with openssl to combine the cert and the private key in a pfx file.

40533386538520:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140533386538520:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140533386538520:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:188:
140533386538520:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:213:


Finally got it working by adding -descert: openssl pkcs12 -inkey privatekey.pem -in SIPTLS_tcs-csr.cer -export -out tcs_sip-cert.pfx -descert.

The certificate loaded on the TCS without errors.


But the SIP trunk on TCS side remains inactive.

I've activated debugging on the TCS Content Engine service (-d 2) but the logs do not show much details about the problem cause.

Is this a CA signed or self signed certificate?
Looking at the guide, it says that the TCSCertGen.cmd option will generate self-signed certificates for both TCS and CUCM, have you tried this instead of using OpenSSL?

I'm using a CA signed certificate.

I've not tried the self signed certs.

I currently have a SR open with Tac.


I've tried with the self signed certificate and the problem remained.

Then I changed the server FQDN to it's IP address and the trunk became active on TCS side.

But the recording session remained unencrypted. Probably because the endpoint (LSC) did not trust the TCS.

I will test again with the CA signed certificate and try again. Maybe I need to update the LSC's on all the endpoints too?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers