11-03-2010 06:50 AM - edited 03-19-2019 01:51 AM
I've been reading through a lot of documentation on Presence 7 and 8's ability to use third-party certificates to secure communications, but I'm a little unclear on the process to take. Essentially I have presence.domain.com as my FQDN and want to use it as my official destination for all activity pertaining to Presence (my Exchange server is exchange.domain.com, and UCM is callmanager.domain.com, etc).
Since I'm incredibly new to Unified Communications in the Cisco world, I'm not sure what the steps are to perform these steps. Processing the certificate through my SSL provider is easy enough, but generating the proper request and installing it in CUPS and CUCM are unfamiliar.
Can someone provide a link or instructions that are more step-by-step rather than conceptual?
Thanks in advance!
--Aaron
11-08-2010 05:46 AM
Certificate/SSL can be used for different purposes. Depending on the role of the server (trusting or trusted), steps would be different.
If you tried to install a certificate for the web server on Cisco unified communication appliances (such as CUCM and CUPS), you may follow instructions on http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_0_2/cucos/iptpch6.html#wp1053402
Michael
11-08-2010 06:30 AM
Awesome, thank you!
11-08-2010 06:41 AM
Well, correction... I followed the process but GoDaddy is insisting that it doesn't meet the minimum complexity of 2048-bit length. Is there a way to resolve this?
11-08-2010 09:08 AM
I think this is a known limitation. The CSR generated by VOS (Cisco voice appliance OS) defaulted to 1024 bits.
Basically, the CSR file is a plain text file encoded in Base-64. The workaround would be like this:
1) Generate the CSR from VOS.
2) Decode the CSR with any freely available tools (such as http://www.sslshopper.com/csr-decoder.html)
3) Use 3rd-party tools (like OpenSSL) to generate another CSR with the same information except changing the key length to 2048.
If you're not familiar with this, you may open a TAC case to seek assistance. Or choose another CA that accepts a 1024-bit key.
Michael
11-08-2010 11:45 AM
Well unfortunately, I see no way to accomplish this. 2048-bit is a requirement for me, and while it's all well and good to decode the existing request with that site, I see no option of "converting" the existing CSR to 2048-bit from the reading I've done today (that site or otherwise). The attempt I made was rejected as "private key doesn't match the CSR".
Any other thoughts, or am I SOL on this?
06-16-2013 06:53 PM
You cannot have the CSR converted from one machine to the other, as the private key that was initially used to create the CSR will therefore also change, and the private key is of course unique to a certain server only.
(I know this is an old post, but for reference purposes I think it is worth adding.)
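The key binding described in the last reply, as an added example that is not part of the original thread: a CSR regenerated elsewhere at 2048 bits carries the same subject but a different key pair, so it cannot pair with the private key held on the appliance. The file names, the C and O subject fields and the locally generated "appliance" key are constructed stand-ins; only the FQDN comes from the question.

```shell
#!/bin/sh
# Constructed demo: every key and CSR here is generated locally in a temp directory.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# SHA-256 of the public key embedded in a CSR.
csr_pub_fp() { openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
# SHA-256 of the public half of a private key.
key_pub_fp() { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }
# Succeeds only when the CSR was created from this private key.
csr_matches_key() { [ "$(csr_pub_fp "$1")" = "$(key_pub_fp "$2")" ]; }
# RSA key size, in bits, that the CSR asks the CA to certify.
csr_bits() { openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'; }
# Subject line of the CSR, used to confirm both requests carry the same information.
csr_subject() { openssl req -in "$1" -noout -subject; }

# Constructed subject; the CN is the FQDN from the question.
subj="/C=US/O=Example Org/CN=presence.domain.com"

# Stand-in for the appliance: a 1024-bit key that stays on the server, plus its CSR.
openssl req -new -newkey rsa:1024 -nodes -subj "$subj" \
  -keyout "$work/appliance.key" -out "$work/appliance.csr" 2>/dev/null

# The workaround: same subject, new 2048-bit request generated on another machine.
# This necessarily creates a NEW private key (external.key).
openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
  -keyout "$work/external.key" -out "$work/external.csr" 2>/dev/null

report() {
  printf '%-14s (%s bit) vs %-14s: ' "$1" "$(csr_bits "$work/$1")" "$2"
  if csr_matches_key "$work/$1" "$work/$2"; then echo match; else echo MISMATCH; fi
}

report appliance.csr appliance.key   # original request pairs with the appliance key
report external.csr  external.key    # new request pairs only with the new key
report external.csr  appliance.key   # what the appliance sees: key does not match
```

A certificate issued from `external.csr` is usable only where `external.key` is installed; comparing the two fingerprints before submitting a request to the CA catches the mismatch early.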