
Call Manager Certificates- Self-Signed vs. CSR

salvage210
Level 1

Running CUCM 11.5.1(17900-52)

I am in the process of connecting Cisco Media Server to our Call Manager.  I realize that the documentation states that generating new certificates signed by a CA isn't strictly necessary but my company insists on proceeding down this path.

I generated the Call Manager CSR and provided it to the CA. He returned a new certificate to me. I received the error: "The CSR SAN does not match the certificate SAN."  I noticed that the CA signed certificate file extension is .CRT where the old Self-signed certificate is a .PEM.

I also observed that in the Certificate Upload GUI, when I select "Certificate Purpose" and select "Call Manager" under "Description(Friendly name)" it defaults to "Self-Signed Certificate" and I cannot change it.  I'm not using a self-signed certificate.

Per the CMS Deployment Guide, I did successfully generate a CSR for the Root Certificate and that cert which was provided by the CA uploaded successfully. It is only the Call Manager certificate that will not upload.


13 Replies

b.winter
VIP

Have you compared the entries in the CSR with the entries in the certificate?
Maybe the CA is manipulating some fields when issuing the certificate and then some fields are not as CUCM expects them.
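
The comparison suggested above can be done with OpenSSL by listing the subjectAltName entries of the CSR and of the issued certificate side by side. This is an added example, not part of the original thread: the host names, file names and function names are constructed, and a self-signed certificate stands in for what a CA would return.

```shell
#!/bin/sh
# Print SAN entries one per line, sorted. $1 = req|x509, $2 = file (PEM or DER).
san_list() {
    form=DER   # a .crt or .pem extension does not tell you the encoding, so sniff it
    grep -q -e '-----BEGIN' "$2" && form=PEM
    openssl "$1" -in "$2" -inform "$form" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | sort
}

# Return 0 if both SAN sets are identical; otherwise print both and return 1.
compare_san() {
    csr_san=$(san_list req "$1")
    crt_san=$(san_list x509 "$2")
    [ "$csr_san" = "$crt_san" ] && return 0
    printf 'CSR  SAN: %s\n' "$(echo "$csr_san" | tr '\n' ' ')"
    printf 'cert SAN: %s\n' "$(echo "$crt_san" | tr '\n' ' ')"
    return 1
}

# Constructed sample data: one CSR and two certificates issued from it,
# self-signed here as a stand-in for the CA. Host names are placeholders.
make_samples() {
    cat > "$1/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3
prompt = no
[dn]
CN = cucm-pub.example.test
[v3]
subjectAltName = DNS:cucm-pub.example.test, DNS:example.test
EOF
    echo 'subjectAltName = DNS:cucm-pub.example.test, DNS:example.test' > "$1/same.ext"
    echo 'subjectAltName = DNS:cucm-pub.example.test' > "$1/changed.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/csr.pem" -config "$1/csr.cnf" 2>/dev/null
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/same.ext" -outform DER -out "$1/same.crt" 2>/dev/null
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/changed.ext" -out "$1/changed.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir"
compare_san "$dir/csr.pem" "$dir/same.crt" && echo "same.crt: SAN matches the CSR"
compare_san "$dir/csr.pem" "$dir/changed.crt" || echo "changed.crt: SAN differs from the CSR"
```

Against real files, call `compare_san` with the CSR downloaded from the server and the file returned by the CA.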

I've just learned that the CA is definitely not doing something correctly. We'll straighten that out.

In the meantime, can anyone please explain why when I go to upload ANY Call Manager certificate, my only option is "self-signed?"  I'm trying to upload a certificate from a CA, not a certificate generated and self-signed by the Call Manager server itself.

Ok.
A CA-certificate and certificates of other servers need to be uploaded to the trust store, so everything ending with "-trust", e.g. callmanager-trust or tomcat-trust.

If you have a certificate that is intended for a service of CUCM, then you upload it to the section without "-trust", e.g. if you have the certificate for the callmanager-service, then you upload it to "callmanager".
But before you upload the certificate, you need to upload the CA-certificate to the corresponding trust-store.

Thanks. I'm mostly tracking with what you're saying. 

I am attempting to upload a callmanager-service certificate to "callmanager." That's where it only gives me the option of "self-signed."  BEFORE I attempted to upload this certificate, I uploaded a CA certificate to Callmanager-trust as directed by the CMS deployment guide in section 2.1.2 section g. That part worked just fine.

g. Once a certificate is returned from the CA, go to the Upload Certificate/Certificate chain window. From the Certificate Purpose drop-down list select CallManager-trust. Browse and upload first the root certificate, followed by the intermediate certificates. From the Certificate Purpose drop-down list select CallManager. Browse and upload the certificate for the CallManager Service.

I don't know where you see "self-signed". Maybe you can make a screenshot of the window.

If I click the button "Upload Certificate / Certificate chain", I get the following window:
[Screenshot: Unbenannt.PNG]
And then I can click the button to upload the certificate. In this case for the tomcat-service.

Hi B,

My system is in a classified environment so I cannot share screenshots. I can tell you that my screen looks exactly like yours, except that if you click the dropdown and change "tomcat" to "callmanager" the "Description(friendly name)" changes to a grayed out "self-signed" field. I cannot change it. Try it and see what happens for you.

It doesn't change anything on my end. But we probably have different versions.
But I doubt that this is a "real" problem anyway. It probably is just cosmetic. I mean, as you said you get an error when uploading the certificate, you confirmed with that, that you are able to press the upload button and upload the cert. So, I don't see a problem with that.

Hopefully you're correct. As soon as my CA unfraculates the certificates he's sending me, I'll let you know what happens.

Ok, good news. You were correct. My CA got his end sorted out and the Call Manager certificate uploaded successfully!

Thanks for all your help.

Great to hear that.
No problem.

Crud, one quick final question:  I need to do this on each node in the cluster, not just the Publisher, correct?

Yes and no.
If it is a "single-server" certificate, you have to generate one CSR and upload the cert per Node.

If you use a multi-server SAN certificate, then you only need one certificate for the whole cluster.
E.g. one tomcat-cert for all CUCM and IM&P nodes or one callmanager-cert for all CUCM nodes.

When you upload a SAN certificate on the Pub, it automatically pushes it to all the Subs as well. Just verify that the root CA and the certificate were pushed correctly, then restart the relevant services on each node.