Showing results for 
Search instead for 
Did you mean: 

Kyle Sullivan

Trusted Certificates for Call Manager and UC Applications

I need some guidance on a Public CA and which type of certificate to purchase to for internal and public domains for Call Manager, IMP, UCCX, etc.



This is a very interesting thread.

You may look at multi server san in cucm.Once you generate the csr,you send it to the Public CA.When you receive the server CA ,install it in cucm and it will trust imp. But do you really need public CA for cucm and imp? you can make use of windows server CA for cucm and imp since they are internal.


For Uccx,you need a public CA since you may have remote Agent to access finesse and customers to use a web chat (social miner)

In  summary,those server that need to be accessible from the internet require public CA while those that are accessible from the internal network do not require public CA(optional) but internal CA(Microsoft Active Directory CA)

Expressway E require public CA

Cisco Meeting server webbridge url require public CA

Cisco Jabber Guest require public CA et al











Thank you for the response. I am new to certificates and trying to get up to speed real fast especially in the Cisco world.  I installed and configure an Enterprise Root CA on a MS 2019 Domain Controller. Creating the Tomcat and Call Manager signed certificates was a pretty straight forward process and I was successfully imported them into CUCM a ms certificate for three call managers and IMP.  I also created requests for UCCX Tomcat.


I cannot find straight forward documentation how to duplicate / modify the Microsoft CA Templates to support functionality in Key and Extended Key Usage for cup, cup-xmpp, etc.

The Collaboration environment will be accessible from the Internal network and from the internet side


I took out Cisco TAC cases both for IMP and UCCX which offered a little help steering me towards the right direction. The TAC engineer I worked with said that his cases around certificates where based off them being signed by a public CA (Verisign, Entrust, Digicert)

I looked at all three of the these vendors and looked into there support pages about signing CSR's from Cisco UC applications and didn't find much.

Using a Windows CA on you network is an option. There seems to be decent documentation on duplicating and modifying the Web Server and a couple other templates to replace the CUCM self signed certificates but I haven't found good documentation other UC Applications, CUPS, UCCX, Expressway, CMS, CUC.


How does Verisign, Entrust or Digicert know what Key Usage and Extended Key Usage values need to be set?


Would a wild card ssl certifcate work in this case?



I just read this message.I didn't get notification on time.

webserver templates can be duplicated and modified to include client authentication.

i was curious to know about public I ordered commodo multil Wild ssl with SAN. I installed in my cucm lab and it was trusted.I cancelled the order so I could it for the Uc applications that require public access.Uc applications require that the FQDN of the hostname be explicitly defined as Common names (CN) or SAN (Subject Alternative Names)

Using a single wild ssl certificate won't be able to work for the uc clusters unless you order it for each uc application.

i intend to the following .

i will create csr in cms with the addition of expressway as SAN.So I will order wild Ssl with SAN which will trust both cms and expressway.

I will order each ssl for my social miner,jabber guest and uccx finesse.

uccx finesse requires public CA if there are remote Agents


Nithin Eluvathingal
VIP Advisor

if your internal and external domain are same, you can sign your internal certificate using a public CA. if you internal domain is different and this domain exist only in your internal network  , Public CA wont sign the certificate.


Public CA signs certificates for domains which are publicly available and can be trusted.


We normally sign internal certificates using Internal CA, not just for the above case. But also to save some amount. Signing certificates using public CA has cost involved.


You CUCM,IM,UCCX certificates can be signed using an internal CA.


Services which are accessed from internet  MUST use Public CA signed certificate.



Refer below Video to learn  how to sign a UC application using Microsoft CA..



Response Signature

@Nithin Eluvathingal ,Permit me to make use of this medium to ask you a question on the private key and server CA for uccx,,uccx and imp.When a certificate request is generated in cucm,imp or uccx,a Private key is automatically generated.can this privately be exported/downloaded from cucm os?


I want to make use of a mutli wild card Domain with SAN from public CA to trust expressway e,cms,jabber guest,social miner and uccx.


cms has the feature of downloading the csr and it's private key.Expressway e has the option of uploading this private key and the server CA(from the public CA) but social miner ,uccx,jabber guest do not have the option of uploading the private key generated from another server.


my question; Is there a way we can upload a private key generated from another server to uc applications (social miner,uccx,cucm,imp and jabber guest)









No you cannot upload private key to CUCM,IMp and UCCX.


For expressway, yes  you have an option to upload the private key.


There is no need to sign your internal certificates by a pubic CA.


Response Signature

@Nithin,Sorry to bother you on this again.I want to achieve this goal.

i don't want jabber to prompt users to accept certificate when they try to login for the first time.

So I generated tomcat csr and sent to a Public CA.Due to cost implication,I removed the parent domain during the generation of the csr.

I installed the real CA in cucm and imp but jabber is still promoting users to accept the certificates.

Is there something I am missing ?

the webpage is showing trusted 

At a minimum, whatever the CSR generator is suggesting is going to be needed for some reason or another, especially with presence/XMPP.  In some cases, like Expressway certificates, you may have to add things to it. Most of the time the domain shows up in the CSR, and I know it matters for presence but I'm not sure it does for tomcat, for example. It may for CallManager for SIP as it asserts it is responding from some domain.


BTW there is a bug, at least applicable to 12.5SU4, where if you're in mixed mode, the CTL will NOT read the SANs on a CallManager-MS certificate correctly. As always seems to be best practice with these things, its worth attempting a cursory search for bugs and defects before employing something new.

@Adam Pawlowski,

In summary what are the csr to be sent to a Public CA so that Jabber wont prompt the user to accept the certificates?

1. Tomcat

any other one?


AFAIK the only certificate that has to be signed by a public CA is the one for MRA expressway E. For any of the other you can use an internal CA as long as all your clients has the root and if applicable intermediate certificates of the internal CA in their trust store. If this is not possible you’d need to have callmanager, tomcat, MRA E and one of the certs in the IMP, that I’m at the moment can’t recall the name of, signed to stop the clients to throw the warning.

This should be documented in the deployment guide for IMP, or possibly the Jabber deployment guide, I’d recommend you to read these through.

Response Signature

TO stop prompting, the device should have  Root CA who signed your certificate.

All device OS(android, Ios, Mac OS , windows etc)  will include Root CA of few public CA with their OS. But not all public CA root.

-If you signed  your certificate from a provider who's root CA  comes preinstalled with the device, your device wont  prompt you to accept the certificate.

-If you signed  your certificate from a provider who's root CA doesn't comes preinstalled with the device, your device will prompt you to accept the certificate.


Is it prompting that the certificate cannot be trusted or certificate expired ? And for which certificate you saw the prompt.




Response Signature

It is prompting , certificate not valid.The same device is trusting the url :

my internal domain and external domain are the same.

wether private or public CA,the root must exist in the Trust store of the device. The question is that how do we push this root certificate automatically to the trust store of all users. Some customers don't like "certificate warning "


That is a topic that is outside of the scope of this community. How to distribute certificates depends on the type of clients you have, Windows, Mac, iPhones, Android and so on. In short you, or someone else that has the control over the various needed system(s) involved with the distribution of certificates to clients, would need to do their homework to learn how to manage this.

Response Signature

OK.It is windows and I am the one managing it. This is why I need a public
CA. If the client can trust the browser when a users enters the url of the
call Manager,it means that device has the root CA.
Accoding to your previous response,I need tomcat,call manager and xmpp
Recognize Your Peers
Content for Community-Ad