Question about Cisco UC Multi-Server Certificates

Hello CSC, I haven't been able to find any documentation on this, which is why I'm asking here.

 

Our customer is looking to renew the certificates for their suite of Cisco UC products that include: CUCM, IM&P, Unity Connection, and UCCX. They would like to consolidate all the server FQDNs for all these servers into one single certificate, however, I'm not sure if this would work. I know wildcard certificates are not supported. 

 

So my question is: If I create a Multi-Server CSR on CUCM and add SAN entries for the FQDNs of IM&P, Unity Connection and UCCX servers, would I be able to install the received signed certificate on all those other servers? 

 

Here are the versions we're running:

CUCM/IM&P: 11.5.1.16900-16

Unity Connection: 10.5.2.14901-1

UCCX: 10.6.1.11002-15

 

Thanks,

 

John


4 REPLIES
Hall of Fame Cisco Employee

Nope, the CSR is generated in each product, and the matching key is not accessible. Nor do any of the products provide an option to upload a signed CSR + key; they only provide an option to upload the signed CSR and then match it to the key that was generated and is kept in the system.

 

The "exception" would be CUCM + IM&P, as they're now part of the same cluster, and the multi-SAN CSR option will be available for certificates that allow such an option, and will be pre-populated with the right entries. Not all certificates allow a multi-SAN CSR; the wizard will either have the option or not.

HTH

java

if this helps, please rate


Thanks for the quick response Jaime! One follow-up question to that point:

When I create a CSR (for example, on CUCM), do I have to create one CSR for each type of profile (i.e. tomcat, ipsec, Callmanager), or can I create one CSR and upload it to all those services?

Thanks,

John

Yes, every certificate type is a different certificate store and uses a different cert. If your requirements are to sign all of them, then you need to generate a CSR and sign each one separately. Keep in mind not all certs need to be signed by an external CA, as most customers don't have requirements for that, leaving them as self-signed. Tomcat is by far the most common one that gets signed, as that is your web server cert validated by web browsers, Jabber, etc. The CallManager cert is another one commonly signed, as there are some benefits to it depending on your environment.


Thanks Chris! Much appreciated!
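
Added example, not part of the thread and not Cisco tooling: the first reply's point that a signed certificate can only be matched to the key its CSR was generated from, shown with OpenSSL on an admin workstation. The hostnames, the test CA and all keys are constructed, and the script only compares public keys; it does not reproduce the products' own upload check.

```shell
#!/usr/bin/env bash
# Added example. Hostnames, CA and keys are constructed throwaways.

# SHA-256 of the public key inside a CSR ("req") or certificate ("x509").
pubkey_fp() {  # usage: pubkey_fp req|x509 FILE
  openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if CERT carries the same public key as CSR.
cert_matches_csr() {  # usage: cert_matches_csr CSR CERT
  [ "$(pubkey_fp req "$1")" = "$(pubkey_fp x509 "$2")" ]
}

# DNS names in the certificate's subjectAltName, one per line.
cert_sans() {  # usage: cert_sans CERT
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# Build sample material in DIR: one key + CSR per server, then a test CA signs
# only the cucm-pub CSR, adding both hostnames as SANs.
make_samples() {  # usage: make_samples DIR
  sd=$1
  printf 'subjectAltName=DNS:cucm-pub.example.test,DNS:cuc1.example.test\n' \
    > "$sd/san.ext"
  for h in cucm-pub cuc1; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$sd/$h.key" \
      -out "$sd/$h.csr" -subj "/CN=$h.example.test" 2>/dev/null
  done
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$sd/ca.key" \
    -out "$sd/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl x509 -req -in "$sd/cucm-pub.csr" -CA "$sd/ca.pem" -CAkey "$sd/ca.key" \
    -set_serial 1 -extfile "$sd/san.ext" -days 1 -out "$sd/multi.pem" 2>/dev/null
}

work=$(mktemp -d)
make_samples "$work"
echo "SANs in signed certificate:"; cert_sans "$work/multi.pem"
for h in cucm-pub cuc1; do
  if cert_matches_csr "$work/$h.csr" "$work/multi.pem"; then
    echo "$h: certificate matches the key behind this CSR"
  else
    echo "$h: named in the SAN list, but the key differs, so no match"
  fi
done
rm -rf "$work"
```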