New Member

CUCM 10.5 and CSR (security cert)

When I click on CallManager and select Generate CSR, there is a field in the popup called Domain name which shows the companyname.com.

In 10.5, I was told that this is required. Anyone care to explain in more detail?

Also, I noticed that there is callmanager and there is also tomcat from Certificate Management. I select callmanager and use that to generate a CSR and I submit it to a 3rd party CA. If I repeat the same process but this time selecting tomcat, the 3rd party CA will complain of a duplicate. Ideas? Or is callmanager alone good?

My goal is to encrypt calls.

Tomcat is for Webservice communication. That includes AXL calls and admin webpages.

CallManager is for phone registration, however there is a bug in CallManager Multiserver certificate which causes phones to reset randomly. Is there a reason why you need to have the CallManager server signed by a 3rd party CA? You could use an internal CA or USB tokens to sign it.

Please rate useful posts.
New Member

It's a requirement by the company.

So, if I download the CSR for callmanager and submit it to Verisign, I will need to upload it, and when I upload it, do I select callmanager again or callmanager-trust?

Can I use that same cert to upload it for tomcat-trust or do I use tomcat?

Thanks

If you select a CSR for tomcat or CallManager, then the signed certificate will be uploaded to the same location. The signed certificate will have a root and potentially intermediate certs. These certs will be uploaded to the appropriate xxx-trust locations. 

Please rate useful posts.
New Member

So, just to confirm, when I downloaded the CSR, I chose callmanager, sent it to Verisign, then upload the file I received also by selecting callmanager and that's it? Thanks

By the way, when I downloaded the CSR, it's a multi-server CSR.

Correct, you will have to upload the root and intermediate certificate that you receive from Verisign to callmanager-trust first, else it will give you an error.

Also, there is a bug in 10.5 that causes phones to reboot if you sign the CallManager cert: CSCup28852

Please rate useful posts.
New Member

Thanks George. I will take a look at this bug.

I only received one file from Verisign though, so what do I do with the intermediate file you mentioned? Thanks

New Member

When I uploaded the cert I got from Verisign, I selected "callmanager" and when I clicked OK, it gave me an error about something not found in store. When I changed the selection to "callmanager-trust", the cert uploaded OK.

Did I do something wrong?

That's what I mentioned earlier, you will have to upload the root and intermediate certificate first to callmanager-trust before you upload the signed certificate.

To get the root/intermediate cert, open the certificate, navigate to the certification path and you will see a hierarchy similar to the attachment. Click on the topmost certificate and click View Certificate. In the new pop-up, navigate to Details and click on Copy to File. Click Next on the wizard that opens; on the 2nd page select the base-64 encoded option and go through the wizard. In the 3rd window, you will be able to select an option to save the certificate and this will be your root certificate. Repeat this process for the intermediate certificate, i.e. the 2nd cert in the hierarchy. Once you have both the files, upload the root certificate to callmanager-trust first and then upload the intermediate certificate. Once that's done, upload the signed certificate to the callmanager location.

At this point, your phones should start rebooting due to the bug I mentioned above. LOL.

Please rate useful posts.
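
The upload order described in the reply above, as an added example that is not part of the original thread or of any Cisco tooling. It assumes `openssl` is installed and the certificates were saved as base-64 (PEM) files; the function names are hypothetical and the store names are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify certificate files and print
# the order in which to upload them. Function names are hypothetical.

# Print root, intermediate, leaf or self-signed for one certificate file.
# Compares subject/issuer names only; it does not verify signatures.
cert_role() (
    f=$1
    subj=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || exit 1
    iss=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || exit 1
    if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
        ca=yes
    else
        ca=no
    fi
    if [ "$subj" = "$iss" ]; then self=yes; else self=no; fi
    case "$ca/$self" in
        yes/yes) echo root ;;          # self-issued CA: top of the chain
        yes/no)  echo intermediate ;;  # CA issued by another CA
        no/no)   echo leaf ;;          # the CA-signed identity certificate
        no/yes)  echo self-signed ;;   # no CA flag, e.g. a server's own cert
    esac
)

# upload_plan STORE FILE... prints "<store> <file>" lines in upload order:
# root to STORE-trust, then intermediates to STORE-trust, then the signed
# certificate to STORE. Exits non-zero if no root or no signed cert is given.
upload_plan() (
    store=$1; shift
    roots='' ints='' leaf=''
    nl='
'
    for f in "$@"; do
        role=$(cert_role "$f") || { echo "cannot read certificate: $f" >&2; exit 1; }
        case $role in
            root)         roots="$roots${store}-trust $f$nl" ;;
            intermediate) ints="$ints${store}-trust $f$nl" ;;
            leaf)         leaf="$leaf$store $f$nl" ;;
            self-signed)  echo "skipping self-signed, non-CA cert: $f" >&2 ;;
        esac
    done
    if [ -z "$roots" ] || [ -z "$leaf" ]; then
        echo "need the root CA certificate and the CA-signed certificate" >&2
        exit 1
    fi
    printf '%s%s%s' "$roots" "$ints" "$leaf"
)
```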
New Member

lol....so this is where my head spins.

1) What exactly do you mean by "upload the root and intermediate cert to call-manager-trust" before I upload my signed cert? I only have one file that came from Verisign. The only other file I have is the call-manager CSR I downloaded.

2) You said navigate to the certification path... where? In the PC I am using to browse to the CUCM?

I want my phones to start randomly rebooting... so please help me :)

1) The process that I mentioned above is for extracting the root/intermediate certs that you need.

2) What format is the certificate in? i.e. what extension does the file have?

Please rate useful posts.
New Member

The signed cert from Verisign is .CER

The callmanager file I downloaded that I sent to Verisign is CSR

New Member

This is what I got...how do I fix this?

This is the callmanager self-signed certificate; I was referring to the cert that Verisign sent you.

Please rate useful posts.
New Member

The file Verisign sent me is a .CER file.

I uploaded it earlier to the CUCM and selected callmanager-trust, then rebooted the server, then enabled mixed mode.

What am I missing? Thanks

Did you follow the guide below?

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0100.html

Please rate useful posts.
New Member

George,

Which parts, as I am not using client token as this is 10.5?

In your case, the CLI part. However, I would read this guide fully to understand mixed mode cluster security.

Please rate useful posts.
New Member

Here's the high-level overview of what I did:

1) CUCM is in non-secure mode

2) Downloaded callmanager CSR and sent to Verisign

3) Received callmanager.CER from Verisign

4) Uploaded it by selecting callmanager-trust. If I select callmanager, I get an error about store

5) Rebooted the server

6) Enabled mixed mode via CLI

7) Rebooted the server

This is the time I tried to go to the IE certification path and didn't get that same tree you have.

New Member

Do I need to download this root and intermediate cert from the OS admin of CUCM or that is from the pic you sent wherein I do it in the IE browser connected to my CUCM?

Can you send me the cert somehow? Fileshare or PM me via the community?

Please rate useful posts.
New Member

How do I PM you? Been trying to do that.

Hello

You have to generate the intermediate certificate from the root certificate. After this you have to upload the CA to tomcat-trust, then upload the certificate .cer to trust tomcat; after you upload it, CUCM changes the name of the file to <SUBJECT CN>.pem. Kindly check the links below:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-60/112108-sslcert-cucm-00.html

https://supportforums.cisco.com/document/30501/cucm-uploading-ccmadmin-web-gui-certificates

https://supportforums.cisco.com/document/91906/high-level-view-certificates-cucm

 

Thanks

please rate all useful information
