CUP Cisco Certificate Authority Proxy Function

mymite060708 · ‎05-25-2010

I am having trouble getting the certificates to work in CUPS with exchange. I just tried to collect some logs and found on the trace configuration that

Cisco Certificate Authority Proxy Function shows as inactive and shows and n/a on the troubleshooting trace settings. How do I start this?

Thanks

Jonathan Schulenberg · ‎05-25-2010

CAPF is a UCM service and is unrelated to what you are attempting to do. Do not blindly start services without understanding what they do.

The most common fault with Exchange calendar integration is that you have not imported EVERY CA in the certificate chain of your Exchange OWA server. For example, the SSL certificate for the Cisco Support Community has two CAs in the chain: VeriSign Class 3 Public Primary Certificate Authority G2 and VeriSign Class 3 Secure Server CA G2. Both of these must be in the presence-trust store of the CUPS server. Your server certificate itself, should NOT be in the presence-trust store, only the issuing CAs in the chain.

If you have that correct, check that:

The certificate DN equals what you have configured in CUPS
That the CA bit is set on all of your issuing CAs in the chain. This shows up as "Is a certificate authority" under the Basic Certificate Constraints when viewed in Firefox.
That you do not have an Exhcnage 2003/2007 mixed environment (and thus have OWA redirection in use). A 4xx timout error in the CUPS log would suggest this is happening. You may need to do HTTP auth instead of forms-based auth.

mymite060708 · ‎05-25-2010

ok this is what I have done so far

1) on my exchange server, clicked on Default web site , created a new certificate with a CN=labexchange.

2) sent this certificate to my CA (AD server) labad

3) open a web browser to owa and view the certificate, view the details for the certificate from labad and exported this certificate to a file

4) uploaded this certificate to the Presence trust site in CUPs

5) set the exchange gateway to the same name as the common name (labexchange)

6) set the login account for the gateway

7) restarted presence engine

I always get this error.

Verify that a Microsoft Exchange Trusted Certificate is loaded
The Microsoft Exchange Certificate file is either not currently loaded or there is a subject CN (Common Name) mismatch. This Certificate is required so that CUP and Exchange can communicate in a secure mannerPlease load a valid Certificate for Microsoft Exchange and verify that the Trust Certificate Subject CN (configured on the Presence Gateway page) matches the Trust Certificate Subject CN of the loaded Certificate file. Certificates can be loaded on the Cisco Unified OS Platform Application Security->Certificate Management page

so what silly mistake have I made

can't seem to find where I get the certmgr logs

Thanks

Jonathan Schulenberg · ‎05-25-2010

3) open a web browser to owa and view the certificate, view the details for the certificate from labad and exported this certificate to a file

4) uploaded this certificate to the Presence trust site in CUPs

Which certificate did you view and upload: the labexchange certificate installed on your OWA server; or, the CA root certificate of your AD server? If you uploaded the former insted of the later, please re-read my previous answer.. you uploaded the wrong cert!

mymite060708 · ‎05-25-2010

I uploaded the CA root certificate of the AD server ( so when I click on certification path it shows labad---labexchange

I click on labad (so top certificate) view and export