01-06-2020 07:29 AM
Question. What's the best way to apply CA Approved certs into the call manager cluster? We are not running DNS but will need to enable it for a Jabber migration in the future. Right now we need to apply CA approved certs into our cluster.
Should we enable DNS first before pulling CSRs on all our 13 nodes? (Call Manager, IPsec, CAPF, TVS)
Or can we pull CSRs first and then once we receive the certificates we can enable DNS and then apply?
I think we should enable DNS first on the cluster via the CLI and let the CUCM cluster auto regenerate the certs. Then pull the CSRs on all 13 nodes then send over to our POC.
Anyone do this before? I don't need a how-to document for steps (I already have that), I'm looking more along the lines of enabling DNS on a cluster then certificates. What's best practice?
01-06-2020 07:52 AM
It's as you said, you enable DNS and add domains in first place to regenerate the self-signed certificates, deal with the ITL updates, and then you generate your CSR which will automatically pull all the FQDNs from your cluster, and then deal with ITL again.
01-06-2020 09:58 AM
Thanks for the verification.
Once we enable DNS and check our hostnames, I believe we need CSRs from each node and each service (Call Manager, IPsec, TVS and CAPF), however, CAPF CSR only needs to be pulled from the publisher, correct?
So for 13 nodes
13 Call Manager CSRs
13 TVS
13 IPSec
1 CAPF (From Publisher only)
01-06-2020 10:40 AM
Depending on your version you can get multi-SAN for several certificates, you can do that right now to see how it works and even generate the CSR, it won't disrupt anything. Once you've modified your DNS and domains to how it will actually be, you can simply regenerate the CSR and then have it signed.
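A pre-submission check for the CSRs discussed in this thread, added here as an example and not written by any of the posters: it reads the text dump of a CSR (`openssl req -in node.csr -noout -text`) and lists every SAN entry that is not an FQDN in the cluster domain, which is what a CSR pulled before DNS and the domain were finalised would contain. The domain `voice.example.com`, the hostnames and the sample dump are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; not from the thread. All names and addresses are constructed.

# Constructed sample of `openssl req -noout -text` output for a multi-SAN CSR
# generated while one node still had a short hostname and one was defined by IP.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: C = US, O = Example, CN = cucm-pub-ms.voice.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.voice.example.com, DNS:cucm-sub1.voice.example.com, DNS:cucm-sub2, IP Address:10.0.0.12
'

# Read a CSR text dump on stdin; print each SAN entry that is NOT a DNS name
# inside the domain given as $1 (short hostname, IP address, or other domain).
csr_bad_sans() {
    domain=$1
    # The SAN values are on the line right after the extension header.
    awk 'f { print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        while IFS= read -r entry; do
            [ -z "$entry" ] && continue
            case $entry in
                DNS:*."$domain") ;;            # FQDN in the cluster domain: fine
                *) printf '%s\n' "$entry" ;;   # would be signed as-is by the CA
            esac
        done
}

# Return 0 when the CSR on stdin is ready to send, 1 (with a report) otherwise.
csr_sans_ok() {
    bad=$(csr_bad_sans "$1")
    if [ -n "$bad" ]; then
        printf 'regenerate this CSR after fixing DNS/domain; unexpected SANs:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on the constructed sample; "|| true" keeps the script exit status clean.
printf '%s' "$SAMPLE_CSR_TEXT" | csr_sans_ok voice.example.com || true
```

Run it per node and per certificate type with `openssl req -in <file>.csr -noout -text | csr_sans_ok <your domain>` before the CSRs go to the CA.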