12-13-2022 05:33 AM
I am attempting to establish secure SIP connectivity with another organization. We both use different 3rd party certificate authorities.
Is there a way in Cisco IOS / CUBE to load certificate trusts? I want to ensure that both SBCs trust the certificates presented to each other so the TLS session can properly establish.
12-13-2022 07:11 AM
12-15-2022 05:38 AM
Hi, thank you for your response. I have reviewed the above document, but it does not entirely answer my question.
My trunk and dial peers between CUCM and CUBE are up and secure using the above method.
The issue I am having is between my CUBE and another CUBE. The distant end CUBE's certificate is signed by a different certificate authority. How do I configure my CUBE to trust the other CUBE's certificate?
12-15-2022 05:55 AM
Use the same way. A certificate is a certificate; it doesn't matter if it is for CUCM or CUBE or ...
How is your CUCM certificate chain and how is it for your and the other CUBE?
If you only have self-signed certificates on the CUBEs (so there is no cert chain):
On CUBE 1:
crypto pki trustpoint CUBE2
 enrollment terminal pem
 revocation-check none
crypto pki authenticate CUBE2
Paste the X.64 based certificate here
And vice-versa on CUBE2
12-15-2022 06:51 AM
Ok I think I'm understanding.
Seems like I need to get another certificate created for the outbound dial-peer. That certificate would need to be signed by the distant end's certificate authority.
12-15-2022 07:07 AM
Hi, no you don't need a different certificate on the CUBE (you can do it, but it's not necessary).
What is your current certificate structure?
Is your CUCM certificate signed by a CA? or self-signed?
Is your CUBE certificate signed by a CA? or self-signed?
Is the other CUBE's certificate signed by a CA? or self-signed?
Can you make a screenshot of all the certificates, like the screenshot in the link?
12-15-2022 10:11 PM
The certificate of your SBC (CUBE) does not need to be signed by the same CA as the remote end SBC. It does, however, need to be signed by a public CA that the remote end SBC has in its trust list, and you'll need to have the CA that signed the remote end SBC's certificate in your SBC's trust store.
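Added example, not posted by anyone in this thread and not Cisco code: a lab check with the openssl CLI of the trust model in the reply above, where each CUBE keeps its own CA-signed certificate and validation depends on which CA root the other side has loaded. The organization names, hostnames and both CAs are constructed stand-ins, and an `openssl` binary on an admin workstation is assumed.

```shell
#!/bin/sh
# Constructed lab data: two private CAs stand in for the two organizations' third-party CAs.
WORK=$(mktemp -d)

make_ca() {   # $1 = organization name; writes $1-ca.key and $1-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=$1/CN=$1 Example Root CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

make_cube_cert() {   # $1 = signing CA name, $2 = CUBE hostname (hypothetical)
  openssl req -newkey rsa:2048 -nodes -subj "/O=$1/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Does certificate $2 chain to the CA certificate in file $1?
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM, to compare out-of-band before 'crypto pki authenticate'
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_ca orgA; make_ca orgB
make_cube_cert orgA cube1.orga.example
make_cube_cert orgB cube2.orgb.example

for pair in "orgA cube1.orga.example" "orgA cube2.orgb.example" \
            "orgB cube1.orga.example" "orgB cube2.orgb.example"; do
  set -- $pair
  if chains_to "$WORK/$1-ca.pem" "$WORK/$2.pem"; then r=accepted; else r=rejected; fi
  echo "trust store holding only the $1 root sees $2: $r"
done
echo "orgB root SHA-256 fingerprint: $(fingerprint "$WORK/orgB-ca.pem")"
```

Running `chains_to` against the real PEM files exchanged between the two organizations shows whether the CA certificate you were sent is the one that issued the remote CUBE's certificate before it is pasted into a trustpoint.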