CUP Cisco Certificate Authority Proxy Function

Unanswered Question
May 25th, 2010
I am having trouble getting the certificates to work in CUPS with Exchange. I just tried to collect some logs and found on the trace configuration that Cisco Certificate Authority Proxy Function shows as inactive and shows as n/a on the troubleshooting trace settings. How do I start this?


Thanks

Jonathan Schulenberg Tue, 05/25/2010 - 03:23

CAPF is a UCM service and is unrelated to what you are attempting to do. Do not blindly start services without understanding what they do.


The most common fault with Exchange calendar integration is that you have not imported EVERY CA in the certificate chain of your Exchange OWA server. For example, the SSL certificate for the Cisco Support Community has two CAs in the chain: VeriSign Class 3 Public Primary Certificate Authority G2 and VeriSign Class 3 Secure Server CA G2. Both of these must be in the presence-trust store of the CUPS server. Your server certificate itself should NOT be in the presence-trust store, only the issuing CAs in the chain.


If you have that correct, check that:

  • The certificate DN equals what you have configured in CUPS
  • That the CA bit is set on all of your issuing CAs in the chain. This shows up as "Is a certificate authority" under the Basic Certificate Constraints when viewed in Firefox.
  • That you do not have an Exchange 2003/2007 mixed environment (and thus have OWA redirection in use). A 4xx timeout error in the CUPS log would suggest this is happening. You may need to do HTTP auth instead of forms-based auth.
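
The checks in the answer above (CA bit set on every issuing CA, only CAs in the trust store, server certificate CN matching the configured name) can be run against exported PEM files. This is an added example, not part of the original thread; it assumes the `openssl` CLI is available, and the two-certificate lab chain, its names and the function names are constructed for illustration.

```shell
#!/bin/sh
set -eu

# Succeeds if the PEM certificate has Basic Constraints CA:TRUE (the "CA bit").
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Prints the subject CN, the value compared against the configured gateway name.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Prints "trust <file>" for issuing CAs and "skip <file>" for server certificates.
classify() {
    for pem in "$@"; do
        if is_ca "$pem"; then echo "trust $pem"; else echo "skip $pem"; fi
    done
}

# Succeeds if the server certificate validates against the given CA file alone.
chains_to() {  # usage: chains_to <ca.pem> <server.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed sample: a lab root CA that issues one server certificate ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Example Lab Root CA
[v3]
basicConstraints = critical,CA:TRUE
EOF
printf 'basicConstraints = CA:FALSE\n' > "$demo/leaf.ext"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$demo/req.cnf" \
    -keyout "$demo/ca.key" -out "$demo/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$demo/req.cnf" \
    -subj "/CN=owa.lab.example" -keyout "$demo/leaf.key" -out "$demo/leaf.csr" 2>/dev/null
openssl x509 -req -in "$demo/leaf.csr" -CA "$demo/ca.pem" -CAkey "$demo/ca.key" \
    -CAcreateserial -days 1 -extfile "$demo/leaf.ext" -out "$demo/leaf.pem" 2>/dev/null

classify "$demo/ca.pem" "$demo/leaf.pem"
echo "server CN: $(subject_cn "$demo/leaf.pem")"
```

With real exports, pass every certificate shown in the browser's certification path to `classify`; anything reported as `skip` is a server certificate rather than an issuing CA.
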
mymite060708 Tue, 05/25/2010 - 10:06

ok this is what I have done so far


1) on my exchange server, clicked on Default web site , created a new certificate with a CN=labexchange.

2) sent this certificate to my CA (AD server) labad

3) open a web browser to owa and view the certificate, view the details for the certificate from labad and exported this certificate to a file

4) uploaded this certificate to the Presence trust site in CUPs

5) set the exchange gateway to the same name as the common name (labexchange)

6) set the login account for the gateway

7) restarted presence engine


I always get this error.



Verify that a Microsoft Exchange Trusted Certificate is loaded
The Microsoft Exchange Certificate file is either not currently loaded or there is a subject CN (Common Name) mismatch. This Certificate is required so that CUP and Exchange can communicate in a secure manner
Please load a valid Certificate for Microsoft Exchange and verify that the Trust Certificate Subject CN (configured on the Presence Gateway page) matches the Trust Certificate Subject CN of the loaded Certificate file. Certificates can be loaded on the Cisco Unified OS Platform Application Security->Certificate Management page





so what silly mistake have I made


can't seem to find where I get the certmgr logs

Thanks

Jonathan Schulenberg Tue, 05/25/2010 - 10:19

3) open a web browser to owa and view the certificate, view the details for the certificate from labad and exported this certificate to a file

4) uploaded this certificate to the Presence trust site in CUPs

Which certificate did you view and upload: the labexchange certificate installed on your OWA server; or, the CA root certificate of your AD server? If you uploaded the former instead of the latter, please re-read my previous answer... you uploaded the wrong cert!

mymite060708 Tue, 05/25/2010 - 10:34

I uploaded the CA root certificate of the AD server (so when I click on certification path it shows labad---labexchange)


I click on labad (so top certificate) view and export
