VCS-control CSR generate.

yeruel77
Level 1

Hi Cisco support community.

I want to integrate CUCM with VCS-C for internal LAN MRA access.

I faced a problem. I used two methods to generate the CSR and create the certificate.

1. I generated the CSR from VCS-C and tried to authenticate it using Microsoft Certificate Authenticate by deploying AD CS. Then I submitted the request to the certificate server. I got the private key and cert (cer) files and renamed them to pem files. After all these steps I tried to upload them to VCS-C, but it is not valid. Invalid private key: The file provided is not a valid X.509 private key file.

2. I used DC CS to generate the CSR and submitted it. I got the files and tried to upload them to VCS-C. The same result. Invalid private key: The file provided is not a valid X.509 private key file.

Please, any help? I am doing an implementation project right now.

1 Accepted Solution


Jaime Valencia
Cisco Employee

You're definitely doing it wrong, or not explaining it properly.

If you generate the CSR on VCS-C, you don't get to see the private key, or do anything with it, you just get the CSR and then you need to upload it after it has been signed.

If you generate the CSR AND key with something like openssl, THEN you need to upload both of them, with the option below generate CSR.

This is fairly straightforward.

A) Generate CSR on VCS, have it signed, upload it

B) Generate CSR AND key offline, sign CSR, upload cert and key.

There is a whole doc in the VCS documentation regarding certificate generation, have you reviewed it?? If you haven't, you need to review it before anything else.

HTH

java

if this helps, please rate

Hi Jaime. Thank you.

I tried to generate the CSR on VCS, have it signed, and upload it, but the result is invalid, as below:

"Invalid certificate: The certificate provided does not meet the requirements for authenticating a client. The certificate must be able to authenticate the VCS as a client or as a server. If you are setting the purpose of the certificate to SSL Client, then: the extended key usage extension must either be absent or, if present, it must contain the client authentication OID; the key usage extension must either be absent or, if present, the digitalSignature bit must be set."

So what can I do?

The error you got, and the MRA documentation explain what is wrong:

Installing VCS Security Certificates

You must set up trust between the VCS Control and the VCS Expressway:

1. Install a suitable server certificate on both the VCS Control and the VCS Expressway.
   — The certificate must include the Client Authentication extension. The system will not allow you to upload a server certificate without this extension when Unified Communications features have been enabled.
   — The VCS includes a built-in mechanism to generate a certificate signing request (CSR) and is the recommended method for generating a CSR:
      • Ensure that the CA that signs the request does not strip out the client authentication extension.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-8/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-8.pdf

https://www.youtube.com/watch?v=FIqh3rSIUmA&index=7&list=PLFuOESqSTxEvZChqWgAJanctohRMe99CR

HTH

java

if this helps, please rate
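
A pre-upload check for the two errors quoted in this thread, as an added example that is not part of any post and is not Cisco's tooling. It uses OpenSSL's "SSL client" and "SSL server" purpose checks as a stand-in for the VCS validation and confirms that the key file really is a private key matching the certificate. The function names, file names and the host name vcsc.example.test are assumptions, and the test certificates are constructed self-signed ones.

```shell
#!/bin/sh
# Added example (not Cisco tooling): sanity-check a certificate and key before upload.

# check_vcs_cert CERT.pem [KEY.pem]
# Returns 0 only if OpenSSL accepts CERT for both the "SSL client" and
# "SSL server" purposes and, when KEY is given, KEY is an unencrypted PEM
# private key whose public half matches the certificate.
check_vcs_cert() {
    cert=$1; key=${2:-}
    purposes=$(openssl x509 -in "$cert" -noout -purpose 2>/dev/null) || {
        echo "not a PEM X.509 certificate: $cert"; return 1; }
    for p in "SSL client" "SSL server"; do
        printf '%s\n' "$purposes" | grep -q "^$p : Yes" || {
            echo "certificate not valid for purpose: $p"; return 1; }
    done
    [ -z "$key" ] && return 0
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "not an unencrypted PEM private key: $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate"; return 1; }
}

# make_test_cert NAME EKU: constructed self-signed cert and key for the demo only.
# The host name vcsc.example.test is a placeholder.
make_test_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = vcsc.example.test
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_test_cert both "serverAuth, clientAuth"
make_test_cert server_only "serverAuth"
check_vcs_cert "$WORK/both.pem" "$WORK/both.key" && echo "both: passes"
check_vcs_cert "$WORK/server_only.pem" "$WORK/server_only.key" || echo "server_only: rejected"
check_vcs_cert "$WORK/both.pem" "$WORK/both.pem" || echo "certificate given as key: rejected"
```

A certificate issued from a CA template that carries only Server Authentication fails the "SSL client" check here in the same way the server_only test certificate does.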

Thank you very much.

After many trials, I removed AD CS and reinstalled AD CS in enterprise mode.

Thank you bro for your willingness.

Hi Jaime,

I faced one problem. Please help me. I am doing two things.

1. Adding the self-signed certificate from the CUCM server to the VCS server was a success.

2. Uploading the certificate from the VCS server to the CUCM server was not a success.

The status indicated:

Certificate is valid only between Tue July 26 EAT 2016 and Thu Jul 26 EAT 2018.

And the status of SIP is fail. SIP TLS negotiations failure. What can I do?