Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
629
Views
10
Helpful
6
Replies

CUBE Certificate Trusts - Secure Dial Peer

Go to solution
C_Noble
Level 1
Level 1

‎12-13-2022 05:33 AM

I am attempting to establish secure SIP connectivity and another organization.  We both use different 3rd part certificate authorities. 

Is there a way in Cisco IOS / CUBE to load certificate trusts?  I want to ensure that both SBCs trust the certificates presented to each other so the TLS session can properly establish.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
b.winter
VIP
VIP

‎12-15-2022 05:55 AM

Use the same way. A certificate is a certificate and has nothing to do, doesn't matter if it is for CUCM or CUBE or ...
How is your CUCM certificate chain and how is it for your and the other CUBE?

If you only have self-signed certificates on the CUBEs (so there is no cert chain):
On CUBE 1:

crypto pki trustpoint CUBE2
 enrollment terminal pem
 revocation-check none

crypto pki authenticate CUBE2
Paste the X.64 based certificate here

 And vice-versa on CUBE2

View solution in original post

0 Helpful
6 Replies 6

Go to solution
C_Noble
Level 1
Level 1
In response to b.winter

‎12-15-2022 05:38 AM

Hi, thank you for your response.  I have reviewed the above document, but it does not entirely answer my question.
My trunk and dial peers between CUCM and CUBE are up and secure using the above method.  

The issue I am having is between my CUBE and another CUBE.  The distant end CUBE's certificate is signed by a different certificate authority.  How do you I configure my CUBE to trust the other CUBEs certificate?

0 Helpful

Go to solution
b.winter
VIP
VIP

‎12-15-2022 05:55 AM

Use the same way. A certificate is a certificate and has nothing to do, doesn't matter if it is for CUCM or CUBE or ...
How is your CUCM certificate chain and how is it for your and the other CUBE?

If you only have self-signed certificates on the CUBEs (so there is no cert chain):
On CUBE 1:

crypto pki trustpoint CUBE2
 enrollment terminal pem
 revocation-check none

crypto pki authenticate CUBE2
Paste the X.64 based certificate here

 And vice-versa on CUBE2

0 Helpful

Go to solution
C_Noble
Level 1
Level 1
In response to b.winter

‎12-15-2022 06:51 AM

Ok I think I'm understanding.

Seems like I need to get another certificate created for the outbound dial-peer.  That certificate would need to be signed by the distant ends certificate authority. 

0 Helpful

Go to solution
b.winter
VIP
VIP
In response to C_Noble

‎12-15-2022 07:07 AM

Hi, no you don't need a different certificate on the CUBE (you can do it, but it's not necessary).
What is your current certificate structure?

Is your CUCM certificate signed by a CA? or self-signed?
Is your CUBE certificate signed by a CA? or self-signed?
Is the other CUBE's certificate signed by a CA? or self-signed?

Can you make a screenshot of all the certificates, like the screenshot in the link?

Unbenannt.PNG

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to C_Noble

‎12-15-2022 10:11 PM

The certificate of your SBC (Cube) does not need to be signed by the same CA as the remote end SBC. It does however need to be signed by a public CA that the remote end SBC has in its trust list and you’ll need to have the CA that signed remote end SBCs certificate in your SBCs trust store.



Response Signature


0 Helpful
Customers Also Viewed These Support Documents