CUBE Certificate Trusts - Secure Dial Peer

C_Noble
Level 1

I am attempting to establish secure SIP connectivity with another organization.  We both use different 3rd-party certificate authorities.

Is there a way in Cisco IOS / CUBE to load certificate trusts?  I want to ensure that both SBCs trust the certificates presented to each other so the TLS session can properly establish.


Hi, thank you for your response.  I have reviewed the above document, but it does not entirely answer my question.
My trunk and dial peers between CUCM and CUBE are up and secure using the above method.  

The issue I am having is between my CUBE and another CUBE.  The distant end CUBE's certificate is signed by a different certificate authority.  How do I configure my CUBE to trust the other CUBE's certificate?

b.winter
VIP

Use the same way. A certificate is a certificate; it doesn't matter if it is for CUCM or CUBE or ...
How is your CUCM certificate chain, and how is it for your CUBE and the other CUBE?

If you only have self-signed certificates on the CUBEs (so there is no cert chain):
On CUBE 1:

crypto pki trustpoint CUBE2
 enrollment terminal pem
 revocation-check none

crypto pki authenticate CUBE2
Paste the Base64-encoded (PEM) certificate here

And vice versa on CUBE2

Ok I think I'm understanding.

Seems like I need to get another certificate created for the outbound dial-peer.  That certificate would need to be signed by the distant end's certificate authority.

Hi, no you don't need a different certificate on the CUBE (you can do it, but it's not necessary).
What is your current certificate structure?

Is your CUCM certificate signed by a CA? or self-signed?
Is your CUBE certificate signed by a CA? or self-signed?
Is the other CUBE's certificate signed by a CA? or self-signed?

Can you make a screenshot of all the certificates, like the screenshot in the link?


The certificate of your SBC (CUBE) does not need to be signed by the same CA as the remote end SBC. It does, however, need to be signed by a public CA that the remote end SBC has in its trust list, and you'll need to have the CA that signed the remote end SBC's certificate in your SBC's trust store.
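
Added example, not part of the original thread: the CA-signed counterpart of the self-signed trustpoint shown earlier, loading the remote organization's CA chain into the local CUBE trust store. The trustpoint names REMOTE-ROOT-CA and REMOTE-ISSUING-CA are placeholders, and the existence of an intermediate CA on the remote side is an assumption.

```cisco
! Assumed names: REMOTE-ROOT-CA and REMOTE-ISSUING-CA are placeholders.
!
! Step 1: trust the root CA that anchors the remote CUBE's certificate chain.
crypto pki trustpoint REMOTE-ROOT-CA
 enrollment terminal pem
 ! "none" matches the thread; "revocation-check crl" is the stricter choice
 ! when this CUBE can reach the CA's CRL distribution point.
 revocation-check none
!
crypto pki authenticate REMOTE-ROOT-CA
! Paste the root CA certificate in PEM (Base64) form and finish the input.
! IOS then displays the certificate fingerprint. Compare it with the value
! the other organization gives you out of band before answering "yes".
!
! Step 2 (assumption: the remote certificate was issued by an intermediate CA).
! Each trustpoint holds one CA certificate, so the intermediate gets its own
! trustpoint and is linked to the root for chain validation.
crypto pki trustpoint REMOTE-ISSUING-CA
 enrollment terminal pem
 chain-validation continue REMOTE-ROOT-CA
 revocation-check none
!
crypto pki authenticate REMOTE-ISSUING-CA
! Paste the intermediate CA certificate in PEM form here.
!
end
!
! Step 3: confirm the CA certificates are installed before testing the TLS
! dial-peer.
show crypto pki trustpoints status
show crypto pki certificates REMOTE-ROOT-CA
show crypto pki certificates REMOTE-ISSUING-CA
```

The remote organization repeats the same steps on its CUBE with the CA chain that signed your CUBE's certificate, so that each side can validate the other during the TLS handshake.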


