Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
466
Views
5
Helpful
3
Replies

CUCM Self Signed Cert Resolution

josjackson
Level 1
Level 1

‎01-06-2020 07:29 AM

Question.  Whats the best way to apply CA Approved certs into the call manager cluster? We are not running DNS but will need to enable it for a Jabber migration in the future.  Right now we need to apply CA approved certs into our cluster.

 Should we enable DNS first before puuling CSRs on all our 13 nodes? (Call Manager, IPsec, CAPF, TVS)

Or can we pull CSR's first and then once we receive the certificates we can enable DNS and then apply?

 

I think we should enable DNS first on the cluster via the CLI and let the CUCM cluster auto regenerate the certs.  Then pull the CSR's on all 13 nodes then send over to our POC.

 

Anyone do this before?  I dont need a how to document for steps ( I already have that), im looking more along the lines of enabling DNS on a cluster then certifcates.  Whats best practice?

Labels:
0 Helpful
3 Replies 3

Jaime Valencia
Cisco Employee
Cisco Employee

‎01-06-2020 07:52 AM

It's as you said, you enable DNS and add domains in first place to regenerate the self-signed certificates, deal with the ITL updates, and then you generate your CSR which will automatically pull all the FQDNs from your cluster, and the deal with ITL again.

HTH

java

if this helps, please rate
0 Helpful

josjackson
Level 1
Level 1
In response to Jaime Valencia

‎01-06-2020 09:58 AM

Thanks for the verification.

Once we enable DNS and check our hostnames, I believe we need CSR's from each node and each service (Call Manager, IPsec, TVS and CAPF), however, CAPF CSR only needs to be pulled from the publisher corrrect?

So for 13 nodes

13 Cal Manager CSR's

13 TVS

13 IPSec

1 CAPF (From Publisher only)

 

0 Helpful

Jaime Valencia
Cisco Employee
Cisco Employee
In response to josjackson

‎01-06-2020 10:40 AM

Depending on your version you can get multi-SAN for several certificates, you can do that right now to see how it works and even generate the CSR, it won't disrupt anything. Once you've modified your DNS and domains to how it will actually be, you can simply regenerate the CSR and then have it signed.

HTH

java

if this helps, please rate
Customers Also Viewed These Support Documents