01-25-2016 01:35 AM - edited 03-19-2019 10:38 AM
Hi,
We are just finishing an upgrade from CUCM 8.6.4, CUPS 8.6.5 and CUC 8.6 to CUCM/CUPS/CUC 10.5(2?) and have a question about SSL certificates.
We generated separate signing requests for:
CUCM (publisher)
    tomcat
CUPS
    tomcat
    cup-xmpp
CUC
    tomcat
For cup-xmpp we had to use a SAN signing request, as it needed the domain.com name as well.
So that is 4 standard SSL certificates and 1 SAN certificate; with GoDaddy that is still quite a bit of money.
The Jabber clients (11.5) are still not 100% happy, as they also show an SSL issue with the CUCM subs (so we need a certificate for that one too), and there is a configuration issue, as they also ask for a cups-pub (without domain name) SSL certificate.
Is it possible to generate 1 SAN SSL certificate for all these services:
cucm-pub.domain.com
cucm-sub.domain.com
cups-pub.domain.com (both tomcat and cup-xmpp)
cuc.domain.com
get it signed by GoDaddy (or another provider) and upload it?
We also have 2 certificates for the Expressway core and edge (those seem to be working fine, so I will leave them out of the equation for now).
Many thanks
01-25-2016 02:09 AM
You can generate a single CSR using SAN, but that will only be applicable for CUCM and CUPS. For Unity Connection, you will still need to issue a separate CSR.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html
Regards
Deepak
01-25-2016 04:22 AM
Not quite. Each CSR must be separately CA-signed and installed on its intended node, with the exception of the multi-server cert now supported on CUCM 10. For the same reason you cannot use a wildcard certificate, because none of the products support being given the private key.
Other than the multi-server cert, your only approach is to see if a CA will allow you to regenerate (without revoking) the same cert multiple times with additional CN/SANs. I have one coworker who does this with, I believe, Thawte. Personally I think it's a bad idea and a bastardization of how certs are supposed to work, but sometimes the only thing people care about is the cost. This approach has at least three obvious downsides:
1) if you need to revoke one cert, you just did it for your entire collab infrastructure;
2) the cert has SANs for your entire solution, allowing a compromised component to impersonate another, or allowing an attacker to easily discover the entire solution;
3) good luck convincing TAC that a dozen SANs is supported. There have been several caveats over the years about the size of a cert needing to be under a specific number of KB to fit on the phone firmware. Usually this cropped up with MS CAs, which would add a ton of OIDs with Microsoft-centric stuff.
Eventually you learn that coloring outside the lines of what Cisco intended/assumed is more trouble than it's worth.
All of the subscribers in the cluster need the same certs. CUCM, CUC, IM&P, etc.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
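As an added example (not from any post in this thread, and not Cisco's code): a stand-alone Python check of which client-facing names a certificate's dNSName SANs actually cover, using the hostname-matching rules TLS clients apply (case-insensitive exact match; a wildcard only as the whole leftmost label, never matching across a dot or the bare domain). The hostnames are the ones from the question; the SAN lists are constructed for illustration, not read from a real certificate. It shows why a cert whose SANs are all FQDNs still leaves the short name "cups-pub" that Jabber asks for uncovered, and why a wildcard would not satisfy the bare domain.com the cup-xmpp cert needs, independent of the private-key objection raised above.

```python
"""Compare the dNSName SANs a cert would carry against the names clients use.

Added example, not part of the thread. Pure standard library; all inputs below
are constructed, not taken from a real certificate or a live server.
"""


def dns_name_matches(san: str, host: str) -> bool:
    """RFC 6125-style match of one dNSName SAN against one presented hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the entire leftmost label ("*.domain.com");
      partial wildcards such as "cucm-*.domain.com" are rejected as unsafe
    - "*" matches exactly one label, so "*.domain.com" covers neither
      "domain.com" nor "a.b.domain.com", and "*.com" is never accepted
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_names(san_dns_names, required_hosts):
    """Return the required hostnames that no SAN entry matches, in order."""
    return [
        h for h in required_hosts
        if not any(dns_name_matches(s, h) for s in san_dns_names)
    ]


# Names the clients in the question end up asking for (constructed from the post).
REQUIRED_NAMES = [
    "cucm-pub.domain.com",
    "cucm-sub.domain.com",
    "cups-pub.domain.com",
    "cups-pub",           # Jabber asking for the short name without the domain
    "domain.com",         # the XMPP domain the cup-xmpp cert needed as a SAN
    "cuc.domain.com",
]

# Hypothetical SAN list for one cert covering every FQDN in the question.
SINGLE_SAN_CERT = [
    "cucm-pub.domain.com",
    "cucm-sub.domain.com",
    "cups-pub.domain.com",
    "domain.com",
    "cuc.domain.com",
]

# Hypothetical wildcard cert, for comparison only (the products will not take one).
WILDCARD_CERT = ["*.domain.com"]


def gaps_for_single_san_cert():
    return uncovered_names(SINGLE_SAN_CERT, REQUIRED_NAMES)


def gaps_for_wildcard_cert():
    return uncovered_names(WILDCARD_CERT, REQUIRED_NAMES)


if __name__ == "__main__":
    print("single SAN cert leaves uncovered:", gaps_for_single_san_cert())
    print("wildcard cert leaves uncovered:  ", gaps_for_wildcard_cert())
```

The short name "cups-pub" is the only gap for the all-FQDN cert, which is the configuration issue the question mentions: either the client must be pointed at the FQDN or the short name must be added as a SAN. The wildcard additionally fails the bare domain.com, matching the observation that the cup-xmpp request had to carry domain.com explicitly.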