01-30-2020 10:54 AM - edited 01-30-2020 11:00 AM
Hello CSC, I haven't been able to find any documentation on this, which is why I'm asking here.
Our customer is looking to renew the certificates for their suite of Cisco UC products that include: CUCM, IM&P, Unity Connection, and UCCX. They would like to consolidate all the server FQDNs for all these servers into one single certificate; however, I'm not sure if this would work. I know wildcard certificates are not supported.
So my question is: If I create a Multi-Server CSR on CUCM and add SAN entries for the FQDNs of IM&P, Unity Connection and UCCX servers, would I be able to install the received signed certificate on all those other servers?
Here are the versions we're running:
CUCM/IM&P: 11.5.1.16900-16
Unity Connection: 10.5.2.14901-1
UCCX: 10.6.1.11002-15
Thanks,
John
01-30-2020 11:12 AM
Nope, the CSR is generated in each product, and the matching key is not accessible. Nor do any of the products provide an option to upload a signed CSR + key; they only provide an option to upload the signed CSR and then match it to the key that was generated and is kept in the system.
The "exception" would be CUCM + IM&P as they're now part of the same cluster and the multi-san CSR option will be available for certificates that allow such option, and will be pre-populated with the right entries. Not all certificates allow multi-san CSR, the wizard will either have the option or not.
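The key-matching constraint described in the reply above can be checked off-box before an upload. This is an added example, not part of the thread and not Cisco tooling: it compares the public key in a signed certificate with the public key in the CSR a given node generated. The file names, `example.test` hostnames and the throwaway CA are constructed test data.

```shell
#!/bin/sh
# Added example. Keys, CA and hostnames below are constructed throwaway data.

# SHA-256 of the DER public key inside a PEM certificate ("x509") or CSR ("req").
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the certificate carries the same public key as the CSR.
# A node that keeps its private key internal can only use such a certificate.
# Returns 2 when either file cannot be parsed, so a read error never "matches".
cert_matches_csr() {
    c=$(pubkey_digest x509 "$1") || return 2
    r=$(pubkey_digest req "$2") || return 2
    [ "$c" = "$r" ]
}

# Build constructed test material in directory $1:
# two nodes (a, b) each generate their own key and CSR; a test CA signs a's CSR.
make_fixture() {
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.csr" -subj "/CN=node-$n.example.test" 2>/dev/null || return 1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null || return 1
    openssl x509 -req -in "$1/a.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/a.pem" -days 1 2>/dev/null
}

d=$(mktemp -d)
make_fixture "$d"
cert_matches_csr "$d/a.pem" "$d/a.csr" && echo "a.pem matches node a's CSR"
cert_matches_csr "$d/a.pem" "$d/b.csr" || echo "a.pem does not match node b's CSR (different key)"
rm -rf "$d"
```

Adding node b's FQDN as a SAN to node a's CSR would not change the second result, because the comparison is on the key pair, not on the names in the certificate.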
02-01-2020 09:59 AM
Yes, every certificate type is a different certificate store and uses a different cert. If your requirement is to sign all of them, then you need to generate a CSR and sign each one separately. Keep in mind not all certs need to be signed by an external CA, as most customers don't have requirements for that, leaving them as self-signed. Tomcat is by far the most common one that gets signed, as that is your web server cert validated by web browsers, Jabber, etc. The CallManager cert is another one commonly signed, as there are some benefits to it depending on your environment.
01-30-2020 11:24 AM
02-01-2020 02:50 PM