CUCM & CUC Certificates

silvervoip
Level 1

Hello Community,

I would like to have a look at the certificates on both CUCM & CUC, and if any certificate is about to expire, I will renew it. However, I am not 100% sure which certificates are mandatory to check. Could you help me with it?

Thank you.

Accepted Solutions

Hi,

The certificate fulfillment depends on how you have set up the infrastructure. But the basic certificates required in UCM are Tomcat and CallManager.

If you are running a version higher than 8.6 (I think), you only need to upload the certificate on the Publisher node.

Optionally, depending on your secured setup, you may need to look into IPsec and CAPF.

Basically, there are 2 methods to generate the certificates:

  • Regenerate a certificate - where the Cisco Call Manager signs the certificate itself (self-signed)
  • Generate a CSR - where a CA has to sign the CSR to turn it into a certificate.

Similarly, in CUC, you should be looking at the Tomcat certificate.

In both applications, certificate management is available under Cisco Unified Operating System Administration >> Security >> Certificate Management.

There are plenty of references available; please find some references below:

 

CUCM Uploading CCMAdmin Web GUI Certificates

 

High Level View of Certificates and Authorities in CUCM

 

Regards,

Shalid 

Please remember to rate useful posts, by clicking on the stars below.

 

 


Hello Shalid,

Thank you for the detailed explanation. However, one more question came up for me.

"If you are running a version higher than 8.6 (I think), you only need to upload the certificate on the Publisher node."

Yes, it is higher than 8.6, so will the Publisher send a copy to the other subscribers, or is storing it only on the Publisher enough?

Thank you.

It is not true that 8.6 allows uploading certs to only one node. You can generate a multi-SAN CSR from the Pub that will include all other nodes, and then you just sign the single SAN certificate and upload it to the Pub, which propagates it to the other nodes in the cluster, but I believe that was added in CUCM 10. If you are getting a regular CN certificate, you will need to generate the CSR separately on each node and upload the signed cert to each node.

Thanks, Chris, for the correction.

I read about it somewhere but unfortunately couldn't find it now. To be clear about it: as per the docs, from Cisco Call Manager release 10.5 onwards it supports multi-server SAN.

 

"Unified Communications Manager adds support for multiserver certificates which allows the administrator to assign a single certificate for a given certificate unit (for example; Tomcat, CallManager, cup-xmpp, and cup-xmpp-s2s) across multiple servers in a cluster"

 

Regards,

Shalid

 

 

 

 

Chris Deren
Hall of Fame

All certificates are important and need to not expire. Some certificates commonly get signed by external CAs and some are left self-signed; in any case you should never let any certs, externally signed or self-signed, expire. The CUCM security guide goes over the certs in decent detail and explains which cert is used for what purpose.
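
The checks discussed in this thread, as an added example that is not part of any post above and is not Cisco tooling: a shell audit of a certificate file saved as PEM from Certificate Management, reporting whether it expires within a threshold, whether it is self-signed or CA-signed, and which cluster nodes are missing from a multi-server SAN certificate. The hostnames, file names and the 30-day threshold are constructed, and it assumes the certificate has already been exported to a PEM file and that `openssl` 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example: audit a PEM certificate exported from a CUCM/CUC node.
# Hostnames, file names and thresholds are constructed for illustration.

# Exit 0 if the certificate in $1 expires within $2 days (or already has).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 if issuer equals subject: the "Regenerate" (self-signed) case.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

# Print each expected node name ($2...) that is absent from the DNS SANs of $1.
missing_sans() {
  ms_pem=$1; shift
  ms_sans=$(openssl x509 -in "$ms_pem" -noout -text |
            tr ',' '\n' | sed -n 's/^ *DNS://p')
  for ms_host in "$@"; do
    printf '%s\n' "$ms_sans" | grep -qixF "$ms_host" || printf '%s\n' "$ms_host"
  done
}

# One-line report. Usage: audit_cert FILE DAYS NODE...
audit_cert() {
  ac_pem=$1; ac_days=$2; shift 2
  if expires_within "$ac_pem" "$ac_days"; then ac_state=EXPIRING; else ac_state=OK; fi
  if is_self_signed "$ac_pem"; then ac_sign=self-signed; else ac_sign=CA-signed; fi
  ac_miss=$(missing_sans "$ac_pem" "$@" | paste -sd, -)
  printf '%s %s %s missing_sans=%s\n' "$ac_state" "$ac_sign" \
    "$(openssl x509 -in "$ac_pem" -noout -enddate)" "${ac_miss:-none}"
}

# Constructed input: a self-signed cert valid for $2 days with two node SANs.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=cucm-pub.example.test" -addext \
    "subjectAltName=DNS:cucm-pub.example.test,DNS:cucm-sub1.example.test" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/tomcat.pem" 10
audit_cert "$demo_dir/tomcat.pem" 30 cucm-pub.example.test cucm-sub2.example.test
rm -rf "$demo_dir"
```

Run `audit_cert` once per certificate unit and node; a node listed under `missing_sans` is one the certificate does not cover, which is expected for a regular CN certificate generated on a single node.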