Presence Server - Requesting and Installing FQDN Certificate

muranskycotech
Level 1

I've been reading through a lot of documentation on Presence 7 and 8's ability to use third-party certificates to secure communications, but I'm a little unclear on the process to take. Essentially I have presence.domain.com as my FQDN and want to use it as my official destination for all activity pertaining to Presence (my Exchange server is exchange.domain.com, and UCM is callmanager.domain.com, etc).

Since I'm incredibly new to Unified Communications in the Cisco world, I'm not sure what the steps are to perform these steps. Processing the certificate through my SSL provider is easy enough, but generating the proper request and installing it in CUPS and CUCM are unfamiliar.

Can someone provide a link or instructions that are more step-by-step rather than conceptual?

Thanks in advance!

--Aaron

Accepted Solutions

htluo
Level 9

Certificate/SSL can be used for different purposes.  Depending on the role of the server (trusting or trusted), steps would be different.

If you tried to install a certificate for the web server on Cisco unified communication appliances (such as CUCM and CUPS), you may follow instructions on http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_0_2/cucos/iptpch6.html#wp1053402

Michael

http://htluo.blogspot.com


6 Replies

Awesome, thank you!

Well, correction... I followed the process but GoDaddy is insisting that it doesn't meet the minimum complexity of 2048-bit length. Is there a way to resolve this?

I think this is a known limitation. The CSR generated by VOS (Cisco voice appliance OS) defaulted to 1024 bit.

Basically, the CSR file is a plain text file encoded in Base-64.  The workaround would be like this:

1) Generate the CSR from VOS.

2) Decode the CSR with any freely available tools (such as http://www.sslshopper.com/csr-decoder.html)

3) Use 3rd-party tools (like OpenSSL) to generate another CSR with the same information except changing the key length to 2048.

If you're not familiar with this, you may open a TAC case to seek assistance. Or choose another CA that accepts a 1024-bit key.

Michael

http://htluo.blogspot.com

Well unfortunately, I see no way to accomplish this. 2048-bit is a requirement for me, and while it's all well and good to decode the existing request with that site, I see no option of "converting" the existing CSR to 2048-bit from the reading I've done today (that site or otherwise). The attempt I made was rejected as "private key doesn't match the CSR".

Any other thoughts, or am I SOL on this?

You cannot have the CSR converted from one machine to the other, as the private key that was initially used to create the CSR will therefore also change, and the private key is of course unique for a certain server only.

(I know this is an old post, but for reference purposes I think it is worth adding.)


=============================
Please remember to rate useful posts, by clicking on the stars below. 
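
The workaround steps and the "private key doesn't match the CSR" rejection discussed in this thread can be reproduced with the OpenSSL command line. This is an added example, not code from any poster or from Cisco; the subject, host name and file names are constructed placeholders, and a locally generated 1024-bit CSR stands in for the one exported from VOS.

```shell
#!/bin/sh
# Added example. Subject, host name and file names are constructed placeholders.
SUBJ="/C=US/O=Example Org/CN=presence.example.com"

# Create a new RSA key of $1 bits plus a CSR for $SUBJ: writes $2.key and $2.csr.
make_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -subj "$SUBJ" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Key size in bits of the public key embedded in CSR $1 (what the CA checks).
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True if CSRs $1 and $2 request the same subject name.
same_subject() {
    [ "$(openssl req -in "$1" -noout -subject)" = \
      "$(openssl req -in "$2" -noout -subject)" ]
}

# True if the public key in CSR $1 belongs to private key $2. A certificate
# issued from the CSR carries that same public key, so it is only usable
# together with a private key for which this check passes.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_csr 1024 "$d/appliance"   # stands in for the CSR generated on VOS
    make_csr 2048 "$d/offbox"      # step 3: same subject, new 2048-bit key
    echo "appliance CSR: $(csr_bits "$d/appliance.csr") bit"
    echo "off-box CSR:   $(csr_bits "$d/offbox.csr") bit"
    same_subject "$d/appliance.csr" "$d/offbox.csr" && echo "subjects match"
    csr_matches_key "$d/offbox.csr" "$d/offbox.key" &&
        echo "off-box CSR matches off-box key"
    csr_matches_key "$d/offbox.csr" "$d/appliance.key" ||
        echo "off-box CSR does NOT match the appliance key"
    rm -rf "$d"
}

demo
```

The two CSRs can carry an identical subject and still be unrelated cryptographically: the 2048-bit key exists only where it was generated, so a certificate issued from the off-box CSR cannot be paired with the key that produced the original 1024-bit request.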
