Cisco Support Community

New Member

Enabling encryption in a CUCM 10.5

Looking for someone who has already done this for some guidance.  I know that you have to generate a CSR for


2) CallManager or call-manager-trust

Am I missing something else?

Submit the request to a CA like Verisign and then upload it to the Pub, restart Tomcat and CAPF.


It's a bit confusing, especially sending the request to a CA, because if I look at Verisign (Symantec), I'm not sure what platform to select.



Cisco Employee

OK, so, do you want to use encryption for calls??? If so, yes, you're missing a lot of what you need.

If all you want is to avoid getting an error when logging into CUCM webpages, then yes, you need to change the certs.



if this helps, please rate
New Member

Jaime,

Thanks for the reply.  No, I need the calls and signalling to be encrypted.


What I'm confused about to begin with is downloading the CSR and submitting the request.  In the OS admin of my 10.5 CUCM, I downloaded callmanager and tomcat and submitted them to Verisign.  My questions for that are:

1) Is that the correct CSR?

2) What else do I need to download for submission?


Then in Verisign, there is a question about platform and I am not sure what to choose, so I chose Intel.


Now, what I know is that whatever file(s) I get back from Verisign, I need to upload to the CUCM, reboot it and enable mixed mode, correct?


Then, from that point, configure the phone for LSC?  By the way, after encryption is completed, CUCM will now use TLS for signaling and SRTP for media, correct?


thanks in advance

1- Yes, you are completely true. But why are you going to purchase a certificate from Verisign? This will take around 500 to 1000 $. The web GUI for CUCM is only opened by the administrator, or a few people who have control of CUCM. You can go two ways: self-signed, and this can be done by downloading the CSR and saving it to your PC, then uploading it to your web browser; or the 2nd way is to use Microsoft CA. Kindly find the below link:



please rate all useful information

New Member

Islam,

Thanks for the reply.  Don't worry about the buying of certs, as the company is paying for it. :)

Second, we want calls to be encrypted and not just the web GUI.

New Member

Thanks for all your replies, Kamal, but I am not just trying to get rid of that http error in the web GUI.  I am trying to enable full-on encryption in the CUCM, meaning phones will have encryption, signaling is encrypted, and media is encrypted as well.

New Member

You need two of the security tokens (KEY-CCM-ADMIN-K9).

Follow this blog




New Member

Tokens?  You don't need them anymore at 10.5.

Cisco Employee

When you are encrypting your phones, signalling, etc., you need to have CUCM be in a secure or mixed mode state. In version 10, those USB keys are not required since Cisco allows you to have tokenless CTL.

Once in secure mode, you have to apply a secure phone profile to the phones.

Here's 10.0 doc on phone security:
