Collinks2,

Thank you for the response. I am new to certificates and trying to get up to speed real fast especially in the Cisco world.  I installed and configure an Enterprise Root CA on a MS 2019 Domain Controller. Creating the Tomcat and Call Manager signed certificates was a pretty straight forward process and I was successfully imported them into CUCM a ms certificate for three call managers and IMP.  I also created requests for UCCX Tomcat.

I cannot find straight forward documentation how to duplicate / modify the Microsoft CA Templates to support functionality in Key and Extended Key Usage for cup, cup-xmpp, etc.

The Collaboration environment will be accessible from the Internal network inside.example.com and from the internet side example.com

I took out Cisco TAC cases both for IMP and UCCX which offered a little help steering me towards the right direction. The TAC engineer I worked with said that his cases around certificates where based off them being signed by a public CA (Verisign, Entrust, Digicert)

I looked at all three of the these vendors and looked into there support pages about signing CSR's from Cisco UC applications and didn't find much.

Using a Windows CA on you network is an option. There seems to be decent documentation on duplicating and modifying the Web Server and a couple other templates to replace the CUCM self signed certificates but I haven't found good documentation other UC Applications, CUPS, UCCX, Expressway, CMS, CUC.

How does Verisign, Entrust or Digicert know what Key Usage and Extended Key Usage values need to be set?

Would a wild card ssl certifcate work in this case?

inside.example.com

dmz.example.com

example.com

I just read this message.I didn't get notification on time.

webserver templates can be duplicated and modified to include client authentication.

i was curious to know about public CA.so I ordered commodo multil Wild ssl with SAN. I installed in my cucm lab and it was trusted.I cancelled the order so I could it for the Uc applications that require public access.Uc applications require that the FQDN of the hostname be explicitly defined as Common names (CN) or SAN (Subject Alternative Names)

Using a single wild ssl certificate won't be able to work for the uc clusters unless you order it for each uc application.

i intend to the following .

i will create csr in cms with the addition of expressway as SAN.So I will order wild Ssl with SAN which will trust both cms and expressway.

I will order each ssl for my social miner,jabber guest and uccx finesse.

uccx finesse requires public CA if there are remote Agents

@Nithin Eluvathingal ,Permit me to make use of this medium to ask you a question on the private key and server CA for uccx,,uccx and imp.When a certificate request is generated in cucm,imp or uccx,a Private key is automatically generated.can this privately be exported/downloaded from cucm os?

I want to make use of a mutli wild card Domain with SAN from public CA to trust expressway e,cms,jabber guest,social miner and uccx.

cms has the feature of downloading the csr and it's private key.Expressway e has the option of uploading this private key and the server CA(from the public CA) but social miner ,uccx,jabber guest do not have the option of uploading the private key generated from another server.

my question; Is there a way we can upload a private key generated from another server to uc applications (social miner,uccx,cucm,imp and jabber guest)

No you cannot upload private key to CUCM,IMp and UCCX.

For expressway, yes  you have an option to upload the private key.

There is no need to sign your internal certificates by a pubic CA.

@Nithin,Sorry to bother you on this again.I want to achieve this goal.

i don't want jabber to prompt users to accept certificate when they try to login for the first time.

So I generated tomcat csr and sent to a Public CA.Due to cost implication,I removed the parent domain during the generation of the csr.

I installed the real CA in cucm and imp but jabber is still promoting users to accept the certificates.

Is there something I am missing ?

the webpage is showing trusted 

At a minimum, whatever the CSR generator is suggesting is going to be needed for some reason or another, especially with presence/XMPP.  In some cases, like Expressway certificates, you may have to add things to it. Most of the time the domain shows up in the CSR, and I know it matters for presence but I'm not sure it does for tomcat, for example. It may for CallManager for SIP as it asserts it is responding from some domain.

BTW there is a bug, at least applicable to 12.5SU4, where if you're in mixed mode, the CTL will NOT read the SANs on a CallManager-MS certificate correctly. As always seems to be best practice with these things, its worth attempting a cursory search for bugs and defects before employing something new.

@Adam Pawlowski,

In summary what are the csr to be sent to a Public CA so that Jabber wont prompt the user to accept the certificates?

1. Tomcat

any other one?

AFAIK the only certificate that has to be signed by a public CA is the one for MRA expressway E. For any of the other you can use an internal CA as long as all your clients has the root and if applicable intermediate certificates of the internal CA in their trust store. If this is not possible you’d need to have callmanager, tomcat, MRA E and one of the certs in the IMP, that I’m at the moment can’t recall the name of, signed to stop the clients to throw the warning.

This should be documented in the deployment guide for IMP, or possibly the Jabber deployment guide, I’d recommend you to read these through.

TO stop prompting, the device should have  Root CA who signed your certificate.

All device OS(android, Ios, Mac OS , windows etc)  will include Root CA of few public CA with their OS. But not all public CA root.

-If you signed  your certificate from a provider who's root CA  comes preinstalled with the device, your device wont  prompt you to accept the certificate.

-If you signed  your certificate from a provider who's root CA doesn't comes preinstalled with the device, your device will prompt you to accept the certificate.

Is it prompting that the certificate cannot be trusted or certificate expired ? And for which certificate you saw the prompt.

It is prompting , certificate not valid.The same device is trusting the url : https://cucm-pub-east.domain.com

my internal domain and external domain are the same.

wether private or public CA,the root must exist in the Trust store of the device. The question is that how do we push this root certificate automatically to the trust store of all users. Some customers don't like "certificate warning "

That is a topic that is outside of the scope of this community. How to distribute certificates depends on the type of clients you have, Windows, Mac, iPhones, Android and so on. In short you, or someone else that has the control over the various needed system(s) involved with the distribution of certificates to clients, would need to do their homework to learn how to manage this.