01-30-2020 10:54 AM - edited 01-30-2020 11:00 AM
Hello CSC, I haven't been able to find any documentation on this, which is why I'm asking here.
Our customer is looking to renew the certificates for their suite of Cisco UC products that include: CUCM, IM&P, Unity Connection, and UCCX. They would like to consolidate all the server FQDNs for all these servers into one single certificate; however, I'm not sure if this would work. I know wildcard certificates are not supported.
So my question is: If I create a Multi-Server CSR on CUCM and add SAN entries for the FQDNs of IM&P, Unity Connection and UCCX servers, would I be able to install the received signed certificate on all those other servers?
Here are the versions we're running:
CUCM/IM&P: 11.5.1.16900-16
Unity Connection: 10.5.2.14901-1
UCCX: 10.6.1.11002-15
Thanks,
John
01-30-2020 11:12 AM
Nope, the CSR is generated in each product, and the matching key is not accessible. Nor do any of the products provide an option to upload a signed CSR + key; they only provide an option to upload the signed CSR and then match it to the key that was generated and is kept in the system.
The "exception" would be CUCM + IM&P, as they're now part of the same cluster and the multi-SAN CSR option will be available for certificates that allow such an option, and will be pre-populated with the right entries. Not all certificates allow a multi-SAN CSR; the wizard will either have the option or not.
java
if this helps, please rate
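The key matching described in the answer above, reproduced with OpenSSL as an added example (not part of the original thread and not Cisco tooling): two hosts each keep their own private key, one of them produces a multi-SAN CSR, and the signed certificate pairs only with the key of the host that generated the CSR, even though the other host's name is in the SAN list. Host names, file names and the throwaway CA are constructed.

```shell
#!/bin/sh
# Constructed lab: host names, file names and the throwaway CA are assumptions.
set -eu
WORK=$(mktemp -d)
SANS="DNS:cucm.example.test,DNS:imp.example.test,DNS:cuc.example.test"

# Each server generates and keeps its own private key.
gen_key() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; }

# CSR built from host $1's key, requesting every name in $SANS.
make_csr() {
  printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' \
    "$1" "$SANS" > "$WORK/$1.cnf"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/$1.cnf" -out "$WORK/$1.csr"
}

# Throwaway CA signs host $1's CSR and carries the requested SANs into the cert.
sign_csr() {
  [ -f "$WORK/ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" -subj "/CN=Constructed Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.cnf" -extensions ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if host $1's certificate holds the public half of host $2's key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$2.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if host $1's certificate lists DNS name $2 in its SAN extension.
cert_has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -qF "DNS:$2"
}

gen_key cucm; gen_key cuc          # two separate products, two separate keys
make_csr cucm; sign_csr cucm       # multi-SAN CSR generated on "cucm" only
for host in cucm cuc; do
  if cert_matches_key cucm "$host"; then r="matches the stored key"
  else r="no matching private key on this host"; fi
  echo "certificate from the cucm CSR on $host: $r"
done
```
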
01-30-2020 11:24 AM
When I create a CSR (for example, on CUCM), do I have to create one CSR for each type of profile (i.e. tomcat, ipsec, CallManager), or can I create one CSR and upload it to all those services?
Thanks,
John
02-01-2020 09:59 AM
Yes, every certificate type is a different certificate store and uses a different cert. If your requirements are to sign all of them, then you need to generate a CSR and sign each one separately. Keep in mind not all certs need to be signed by an external CA, as most customers don't have requirements for that, leaving them as self-signed. Tomcat is by far the most common one that is getting signed, as that is your web server cert validated by web browsers, Jabber, etc. The CallManager cert is another one commonly signed, as there are some benefits to it depending on your environment.
