
CUCM - CA signed / Self signed certificates

JohnyeS
Level 1

Hello All,

 

I am trying to understand the certificates Cisco voice servers use.

 

I understand how a CA signs a certificate and that the CA certificate (root certificate) needs to be uploaded as a -trust, i.e. tomcat-trust.

 

My confusion comes from self-signed certificates and that, for example when watching TAC videos, i.e. https://www.youtube.com/watch?v=FIqh3rSIUmA, after the CSR is uploaded to a private CA authority and signed by a CA, the 1st certificate is for Tomcat and the 2nd is the Root CA. Why does the CA certificate (root certificate) say it's self-signed? https://youtu.be/FIqh3rSIUmA?t=689

5 Replies

b.winter
VIP

As the word "Root" implies, it is the "highest" possible entity in the chain.

Since it's the highest, there is no other CA above it, that signs the certificate of the Root-CA.

Therefore, a Root-CA is always a self-signed certificate per definition, which "signs" its own certificate.

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

Self-signed certificate: if the server itself signs the certificate, it's a self-signed certificate.

 

CA signed: you generate the CSR and send it to the CA (either internal or external). They sign it and send you the certificate with the root certificate, and the intermediate if available. You upload the Root and intermediate to trust and upload the server certificate.

 

 

Why does the CA certificate (root certificate) say it's self-signed? Because the Root is not signed by any other CA. It's self-signed.





Hello Nithin,

 

thank you very much for your answer.

 

So that means the self-signed certificate will be still only Root or intermediate as they have “signed themselves” as they are the highest in the cert chain?

 

And that the CSR will still be CA signed, as the Root or Intermediate CA entity signed them?

Is that explanation correct, please?

Only the Root-CA is self-signed, or a server that has no CA-signed certificate.

An intermediate CA has a CA-signed certificate, as it is "under" the Root-CA but higher than the server certificate.

Root-CA --> Intermediate-CA --> Server

Root-CA signs the cert of the intermediate CA

Intermediate CA signs the cert of the server

 

Based on the CSR of a Server, you get a CA-signed certificate (either Root or intermediate) back, that corresponds to the CSR.

Intermediate will be signed by the root.


If an intermediate is used, the intermediate will sign the server certificate.

 

Double-click on the certificate, and you will see the certification path. It gives you more visibility into how it's signed.


In the below example, starfield class two is the root CA, and Delear central is the server certificate.

The other two are intermediates.

 

 

F8D38FB6-1148-49A7-9041-7D0074DDEA7E.jpeg

 



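The Root-CA --> Intermediate-CA --> Server chain discussed in this thread, as an added example that is not part of any poster's reply and is not a CUCM procedure: it builds a throwaway chain with the `openssl` command line and shows that only the root has the same subject and issuer and verifies against itself. It assumes `openssl` is installed; the subject names, file names and helper function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example with constructed names and throwaway keys (not a CUCM procedure).
set -eu

# Build Root-CA --> Intermediate-CA --> Server inside directory $1.
build_demo_chain() {
  local d="$1"
  # Own minimal config, so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    '[server_ext]' 'basicConstraints = CA:FALSE' > "$d/demo.cnf"
  # Root: "req -x509" signs the new certificate with its own private key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
    -extensions ca_ext -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate and server: each makes a CSR, the CA one level up signs it.
  new_csr "$d" int "/CN=Demo Intermediate CA"
  sign_csr "$d" int root ca_ext 2
  new_csr "$d" server "/CN=server.demo.invalid"
  sign_csr "$d" server int server_ext 3
}

new_csr() {  # $1=dir $2=name $3=subject
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign_csr() {  # $1=dir $2=name $3=signing CA name $4=extension section $5=serial
  openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial "$5" -extfile "$1/demo.cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# True only if subject == issuer AND the signature verifies with the cert's own key.
is_self_signed() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The root is the trust anchor; the intermediate is passed as a chain-building helper.
verify_chain() {  # $1=root $2=intermediate $3=server
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

d=$(mktemp -d)
build_demo_chain "$d"
for c in root int server; do
  is_self_signed "$d/$c.pem" && echo "$c: self-signed" || echo "$c: CA-signed"
done
verify_chain "$d/root.pem" "$d/int.pem" "$d/server.pem" && echo "chain OK"
```

Running `openssl x509 -in <file> -noout -subject -issuer` on each generated file shows the same relationship as the certification path view mentioned above: each issuer is the subject of the certificate one level up, and the root names itself.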