
CUCM + IM&P certificate guide needed

Liv_Liv
Level 1

Hi, 

We are in the process of upgrading a v10.5.2 CUCM and IM&P cluster to v11.5.

CUCM is Pub + Sub, and IM&P is a single standalone server.

 

Prior to the upgrade we need to renew all CUCM + IM&P certificates as they are all expired. Also they are currently self-signed and we wish to move to external CA-signed certificates. 

 

We were not able to find a clear guide with the steps we need to follow on each one of the servers in our cluster in order to know which are the essential certificates we need to get signed by a CA (tomcat? ipsec? capf? all of them?), where to get them, where to upload them once signed (the trust ones on IM&P, etc.) and what service(s) need to be restarted after that.

 

There are plenty of security guides, installation and administration guides for these products, but we weren't able to locate the essential info for our case.

 

Is anybody here able to shed some light on what exact steps we need to follow?

 

thanks in advance.

7 Replies

Have a look at this document that I just published about this, as this is a quite common topic that people ask about. https://community.cisco.com/t5/collaboration-voice-and-video/cisco-uc-certificates-renewal-guide/ta-p/4077131





Roger, 

let me thank you for publishing such an instructive and complete document. 

Yes, I do agree with you, the certificates topic is something that very few people fully understand. From my point of view Cisco should provide a similar guide to the one you just wrote.

I will go ahead and read it carefully; if after that I still have questions I will post them in this topic.

Again, thank you very much for your help and dedication for this community. 

You're very welcome, glad that you find it useful. Please let me know if you have any further questions.





Hi again Roger,

It took me some time to fully read your guide but it was definitely helpful. I especially appreciated the detailed steps saying which exact services need to be restarted for each certificate, as well as the sequence to follow in all steps. This is much clearer now.

I've still got some questions regarding our current environment that I'd like to clarify with you if you don't mind.

 

Regarding CUCM certificates: 

- Considering we wish to move from auto-self signed certs to external CA signed certs, are CallManager and Tomcat the only ones that can be sent to and signed by an external CA? So can we just regenerate the remaining others on our own?

- Is CAPF the only one that needs manual deletion?

- Currently, all of our certificates are expired in both CUCM and IM&P servers. This means each one of them... so is there any particular order to follow on the renewal that you would recommend? I mean, e.g. if it's better to start by regenerating Tomcat and then CAPF, etc.

- The big dilemma we have is to cause the minimum service disruption to our customer. I understand cert regeneration + deletion + services and phones restarts should all be done in a maintenance window, but what about the time gap between generating a CSR and getting it signed by an external CA? It will take us a minimum of a couple of days to get the file back... so is it safe for the cluster to generate a CSR, send it to the CA and leave the servers with the newly generated CSR for a certain period of time before uploading the signed ones? Would the old CSR be overwritten in all cases, or should this happen only if the servers are restarted/rebooted?

 

Regarding IM&P certificates: 

- Is CUP-XMPP the only critical cert on IM&P? Is CUP-XMPP the only one that can be signed by an external CA?

- If CUP, Tomcat, IPSEC, etc. are critical as well for IM&P, then should we follow the exact same instructions you explained for CUCM certs?

 

And finally: 

- Is there any certificate that after being signed/regenerated needs to be uploaded manually somewhere in a CUCM + IM&P cluster, or do they all automatically get populated between them?

 

Hope my questions make some sense to you. Please, if you need more detail or extra clarification, just ask. Again, thank you for such a wonderful guide and for taking your time in reading me. I really feel like I'm beginning to understand this topic!!


@Liv_Liv wrote:

Regarding CUCM certificates: 

- Considering we wish to move from auto-self signed certs to external CA signed certs, are CallManager and Tomcat the only ones that can be sent to and signed by an external CA? So can we just regenerate the remaining others on our own?


Yes this is correct.


@Liv_Liv wrote:

- Is CAPF the only one that needs manual deletion?


Yes only CAPF certificates that are expired need manual deletion.


@Liv_Liv wrote:

- Currently, all of our certificates are expired in both CUCM and IM&P servers. This means each one of them... so is there any particular order to follow on the renewal that you would recommend? I mean, e.g. if it's better to start by regenerating Tomcat and then CAPF, etc.


Being in your state with all expired certificates is not at all good. The important thing to keep in mind is that the phones have to pick up the new certificates in between renewing the TVS and CallManager certificates. If this is not followed you will get into big problems, with phones not trusting your CUCMs and not accepting any configuration changes.


@Liv_Liv wrote:

- The big dilemma we have is to cause the minimum service disruption to our customer. I understand cert regeneration + deletion + services and phones restarts should all be done in a maintenance window, but what about the time gap between generating a CSR and getting it signed by an external CA? It will take us a minimum of a couple of days to get the file back... so is it safe for the cluster to generate a CSR, send it to the CA and leave the servers with the newly generated CSR for a certain period of time before uploading the signed ones? Would the old CSR be overwritten in all cases, or should this happen only if the servers are restarted/rebooted?


From my experience there is no impact to the service from generating the CSR, anyway, as long as you don't restart any of the affected services.


@Liv_Liv wrote:

Regarding IM&P certificates: 

- Is CUP-XMPP the only critical cert on IM&P? Is CUP-XMPP the only one that can be signed by an external CA?

- If CUP, Tomcat, IPSEC, etc. are critical as well for IM&P, then should we follow the exact same instructions you explained for CUCM certs?


In IM&P, if memory serves me, the only critical certificate is CUP-XMPP, and not all of the others would even exist in this system. For sure Tomcat would, and for that you can follow the same outline as for CUCM.


@Liv_Liv wrote:

And finally: 

- Is there any certificate that after being signed/regenerated needs to be uploaded manually somewhere in a CUCM + IM&P cluster, or do they all automatically get populated between them?


The CA root certificates need to be uploaded to the appropriate trust store. Apart from that I don't think there would be any need to manually upload any certificates, that is if you sign them with the same CA.





Hi again Roger, 

I do apologize for my late response, we are in a period of high work overload. 

Thank you again for taking your time in answering my questions, this is much clearer now.

 

So I think the only doubt I still have is regarding IM&P certificates. 

You said that the only critical certificate in IM&P is CUP-XMPP, and that for the IM&P Tomcat and CUP certs we should follow the same outline as for CUCM. So should we sign Tomcat and CUP with an external CA as well (we are still talking about IM&P certs)?

This is because we would like to know which exact certificates can be signed by an external CA on CUCM and IM&P. For CUCM, this is clear now. For IM&P we still need to make sure.

 

Again, thank you for your time, and please forgive me for all those confusing questions...


@Liv_Liv wrote:

So I think the only doubt I still have is regarding IM&P certificates. 

You said that the only critical certificate in IM&P is CUP-XMPP, and that for the IM&P Tomcat and CUP certs we should follow the same outline as for CUCM. So should we sign Tomcat and CUP with an external CA as well (we are still talking about IM&P certs)?


The Tomcat certificate on IM&P is the same as for CUCM. When it's renewed on the Pub CM it will also be distributed to IM&P nodes in the CM/IM&P cluster.

By external CA do you mean a public CA? If so, there might, depending on your setup, be no need to sign these certificates with a public CA. You should be able to use an internal CA as long as the clients that will connect have the root and, if applicable, intermediate certificates for the internal CA in their trust store. What you do need to sign with a public CA is the certificate for MRA E if you use that.


@Liv_Liv wrote:

This is because we would like to know which exact certificates can be signed by an external CA on CUCM and IM&P. For CUCM, this is clear now. For IM&P we still need to make sure.


Even if a certificate can be signed by a CA, it doesn't necessarily mean that you have to sign it. You might be just as well off using a self-signed certificate. One good example of this is the cup certificate on IM&P. It can be signed by a CA, but works equally well as a self-signed one.

[screenshot of the CUCM Certificate Management list, not reproduced]
All of the above certificates can be signed in CUCM. But only tomcat and CallManager need to be signed by a CA to stop the warnings seen in, for example, Jabber.

[screenshot of the IM&P Certificate Management list, not reproduced]
All of the above certificates can be signed in IM&P. But only cup-xmpp and tomcat (which is the same certificate as for CUCM) need to be signed by a CA to stop the warnings seen in, for example, Jabber.



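The replies above leave the CSR with the CA for a few days, then upload the signed tomcat, CallManager and cup-xmpp certificates plus the CA root into the matching -trust stores. The checks below, an added example written for this thread and not part of the original posts or of any Cisco tooling, are what an engineer runs on a workstation with plain openssl before touching the cluster: is the certificate the CA returned actually signed by the root you are about to upload, does its public key match the CSR the node generated (CUCM rejects the upload otherwise), does the SAN carry the FQDN Jabber connects to, and how close to expiry is what each node presents today. The host names, file names and the throwaway "internal CA" are assumptions made up so the script runs offline; in production the CSR comes from the node itself and the private key never leaves it.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): pre-upload checks for a
# CA-signed UC certificate using only openssl. Names and the test CA below are
# illustrative assumptions; real CSRs are generated on the CUCM/IM&P node
# (OS Administration > Security > Certificate Management).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI so the checks run offline: a root CA, a tomcat CSR
# signed for a year, the same CSR signed for one day, an unrelated CSR and an
# unrelated CA.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example/CN=cucm-pub.example.com" \
        -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example/CN=imp.example.com" \
        -keyout "$WORK/other.key" -out "$WORK/other.csr" >/dev/null 2>&1
    # The SAN must list every name clients use; Jabber warns on a mismatch.
    printf 'subjectAltName=DNS:cucm-pub.example.com,DNS:cucm-pub\nextendedKeyUsage=serverAuth,clientAuth\n' \
        > "$WORK/ext.cnf"
    openssl x509 -req -sha256 -days 365 -in "$WORK/tomcat.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/tomcat.pem" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/tomcat.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/short.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Pull the certificate a node presents right now, e.g. fetch_cert cucm-pub 8443
# (tomcat) or fetch_cert cucm-pub 5061 (CallManager SIP/TLS); IM&P cup-xmpp on
# 5222 negotiates TLS via STARTTLS, so pass "xmpp" as the third argument.
# Needs network access, so the offline demo below does not call it.
fetch_cert() {
    if [ "${3:-}" = xmpp ]; then starttls="-starttls xmpp"; else starttls=""; fi
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null \
        | openssl x509
}

# Prints OK, EXPIRING (within $2 days, default 30) or EXPIRED for a PEM cert.
# -checkend N exits 0 only if the cert is still valid N seconds from now.
cert_status() {
    warn_days="${2:-30}"
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo EXPIRED; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo EXPIRING; return 2
    fi
    echo OK
}

# Succeeds if the signed cert chains to the root you are about to upload to the
# matching -trust store (tomcat-trust, CallManager-trust, cup-xmpp-trust).
# Put intermediates in an optional third file so the full chain is checked.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Succeeds if the cert's public key is the one in the CSR the node generated.
cert_matches_csr() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$a" = "$b" ]
}

# Succeeds if the SAN list contains the exact DNS name given.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|$)"
}

# Offline demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_test_pki
    for c in tomcat short; do
        printf '%s.pem: %s\n' "$c" "$(cert_status "$WORK/$c.pem" 30 || true)"
    done
    chain_verifies "$WORK/tomcat.pem" "$WORK/root.pem" && echo "chain to root: ok"
    chain_verifies "$WORK/tomcat.pem" "$WORK/other-ca.pem" || echo "chain to other CA: fails as expected"
    cert_matches_csr "$WORK/tomcat.pem" "$WORK/tomcat.csr" && echo "cert matches CSR"
    cert_has_san "$WORK/tomcat.pem" cucm-pub.example.com && echo "SAN carries the FQDN"
fi
```

The CSR-match and chain checks are the two that save a maintenance window: a cert issued from a stale CSR (for example after the node regenerated the certificate in the meantime) fails the upload, and a cert whose issuing root or intermediate is missing from the -trust store is uploaded fine but still produces warnings in Jabber. Run `cert_status` against the output of `fetch_cert` for each node and port to get the inventory of what is currently expired before deciding the renewal order.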

