Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2669
Views
10
Helpful
4
Replies

Question about Cisco UC Multi-Server Certificates

Go to solution
Giovanni Ceci
Level 1
Level 1

‎01-30-2020 10:54 AM - edited ‎01-30-2020 11:00 AM

Hello CSC, I haven't been able to find any documentation on this, which is why I'm asking here.

 

Our customer is looking to renew the certificates for their suite of Cisco UC products that include: CUCM, IM&P, Unity Connection, and UCCX. They would like to consolidate all the server FQDNs for all these servers into one single certificate, however, I'm not sure if this would work. I know wildcard certificates are not supported. 

 

So my question is: If I create a Multi-Server CSR on CUCM and add SAN entries for the FQDNs of IM&P, Unity Connection and UCCX servers, would I be able to install the received signed certificate on all those other servers? 

 

Here's the versions we're running:

CUCM/IM&P: 11.5.1.16900-16

Unity Connection: 10.5.2.14901-1

UCCX: 10.6.1.11002-15

 

Thanks,

 

John

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎01-30-2020 11:12 AM

Nope, the CSR is generated in each product, and the matching key is not accesible. Nor any of the products provide an option to upload a signed CSR + key, they only provide an option to upload the signed CSR and then match to the key that was generated and is kept in the system.

 

The "exception" would be CUCM + IM&P as they're now part of the same cluster and the multi-san CSR option will be available for certificates that allow such option, and will be pre-populated with the right entries. Not all certificates allow multi-san CSR, the wizard will either have the option or not.

HTH

java

if this helps, please rate

View solution in original post

Go to solution
Chris Deren
Hall of Fame
Hall of Fame
In response to Giovanni Ceci

‎02-01-2020 09:59 AM

Yes, every certificate type is different certificate store and uses different cert.  If your requirements are to sign all of them, then you need to generate CSR and sign each one separately.  Keep in mind not all certs need to be signed by external CA, as most customers dont have requirements to that leaving them as self-signed.  Tomcat is by far the most common one that is getting signed as that is your web server cert validated by web browsers, Jabber, etc.  CallManager cert is another one commonly signed as there are some benefits of it depending on your environment.  

View solution in original post

4 Replies 4

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎01-30-2020 11:12 AM

Nope, the CSR is generated in each product, and the matching key is not accesible. Nor any of the products provide an option to upload a signed CSR + key, they only provide an option to upload the signed CSR and then match to the key that was generated and is kept in the system.

 

The "exception" would be CUCM + IM&P as they're now part of the same cluster and the multi-san CSR option will be available for certificates that allow such option, and will be pre-populated with the right entries. Not all certificates allow multi-san CSR, the wizard will either have the option or not.

HTH

java

if this helps, please rate

Go to solution
Giovanni Ceci
Level 1
Level 1
In response to Jaime Valencia

‎01-30-2020 11:24 AM

Thanks for the quick response Jaime! One follow-up question to that point:

When I create a CSR, (for example, on CUCM) do I have to create one CSR for each type of profile (i.e tomcat, ipsec, Callmanager), or can I create one CSR and upload it to all those services?

Thanks,

John
0 Helpful

Go to solution
Chris Deren
Hall of Fame
Hall of Fame
In response to Giovanni Ceci

‎02-01-2020 09:59 AM

Yes, every certificate type is different certificate store and uses different cert.  If your requirements are to sign all of them, then you need to generate CSR and sign each one separately.  Keep in mind not all certs need to be signed by external CA, as most customers dont have requirements to that leaving them as self-signed.  Tomcat is by far the most common one that is getting signed as that is your web server cert validated by web browsers, Jabber, etc.  CallManager cert is another one commonly signed as there are some benefits of it depending on your environment.  

Go to solution
Giovanni Ceci
Level 1
Level 1
In response to Chris Deren

‎02-01-2020 02:50 PM

Thanks Chris! Much appreciated!
0 Helpful
Top