I am having a problem where SIP TLS negotiation is failing for the trunk between CUCM 9 and VCS 7.2. Following are the steps followed from the Cisco TLS trunk creation guide.
- CSR generated from the VCS and uploaded to the Microsoft Certificate Server.
- Then uploaded the certificate and CA certificate to the VCS.
- Then downloaded the server certificate from the VCS and uploaded it to the CUCM.
However, the TLS negotiation is failing and in the CUCM log it's complaining with the error message "unsupported certificate type for purpose".
Has anybody experienced this issue?
Note: if a self-signed certificate is used, the TLS trunk is established.
That could be a problem - you will just have to create a new certificate template in the CA. The Certificate Creation and Deployment Guide describes the process for Microsoft CA.
Sent from Cisco Technical Support Android App
We created a new certificate template on our Microsoft SUB CA which includes both server and client EKU in the WebServer certificate.
The new VCS certificate, certified with that template, then uploaded without any warning on the VCS 8.1.
However, I was still getting an error and the TLS trunk between the CUCM and the VCS was still failing. The VCS logs were showing a "Peer's TLS certificate identity was unacceptable" error.
I tried putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB, but it didn't make any difference.
As I guess the peer refers to the CUCM, I went ahead and changed both the CUCM publisher's and subscriber's CallManager certificate to certs certified by the same CA using the same server/client WebServer template.
Yet it was still not working and it still showed the same error "Peer's TLS certificate identity was unacceptable".
I finally solved that last error by putting the server name instead of the IP address inside of the "peer address" on the VCS Zone pointing to the CUCM PUB and SUB.
That was really a painful one. It would be helpful if Cisco's documentation was more precise on all the requirements and steps to get all that working.
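The two failure modes described in the post above (a certificate missing the client EKU, and a peer address that does not match the certificate's identity) can be checked from a PEM file before the trunk is configured. The following script is an added example, not from the thread or from Cisco; it assumes OpenSSL 1.1.1+ on the PATH and uses a constructed self-signed certificate purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify a PEM certificate has the properties
# the VCS<->CUCM TLS trunk needed here: both serverAuth and clientAuth EKUs, and a
# SAN (or CN) matching the name configured as the VCS zone peer address.
# Assumes OpenSSL 1.1.1+ (needed for -ext / -addext).

# check_trunk_cert CERT.pem PEER_ADDRESS
# Prints each finding; returns 0 only when the EKUs and the identity all pass.
check_trunk_cert() {
    cert="$1"; peer="$2"; ok=0
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null)
    case "$eku" in *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: serverAuth EKU missing in $cert"; ok=1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: clientAuth EKU missing in $cert (CUCM rejects as 'unsupported certificate type for purpose')"; ok=1 ;; esac
    # Identity: drop the SAN header line, strip spaces/newlines, and match whole
    # comma-separated entries so "host.example.com" cannot match "host.example.com.x".
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' \n')
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null)
    case ",$sans," in
        *",DNS:$peer,"*|*",IPAddress:$peer,"*) ;;
        *) case "$cn" in *"CN=$peer"*|*"CN=$peer,"*) ;;
               *) echo "FAIL: peer address '$peer' not in SAN/CN of $cert (VCS reports 'identity was unacceptable')"; ok=1 ;;
           esac ;;
    esac
    [ "$ok" -eq 0 ] && echo "OK: $cert is usable for peer '$peer'"
    return "$ok"
}

# make_test_cert OUT.pem NAME EKU_LIST : constructed self-signed cert for the demo only
# (a real deployment uses a CA-signed cert from the server/client template, as in the thread).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}
```

Run `check_trunk_cert CallManager.pem cucm-pub.example.com` against the certificate you intend to upload, using exactly the string configured in the zone peer address.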
Hi all, and for those guys facing this issue:
Please make sure you uploaded the RootCA certificate and, when generating the CUCM cluster CSR, select 'Certificate Purpose' with 'CallManager-trust'; at last, for the CUCM cluster certificate being uploaded (signed by the CA), also select 'CallManager-trust' for Certificate Purpose.
Hopefully this could help you.