Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

How do I utilize certificates in VCS for restricted https access

Hi All,

One of the security measures that I am thinking of to restrict access to our VCS Starter after assigning it a public ip is to allow https access only if the admin's browser certificate matches that of the VCS. 

I am uncertain if I can use the built in certificate that came with the VCS to do this however and whether it in fact the certificate is unique to that device.

Can you guide me with how this is implemented. 

Thanks!

7 REPLIES
Cisco Employee

How do I utilize certificates in VCS for restricted https access

Hi Ricardo

We have some good documentation on how to deploy this.

Please look in the VCS administration guide (From page 270)

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-0.pdf

And also some useful information about VCS certificates can be found in this document:

http://www.tandberg.com/collateral/documentation/Deployment_Guides/Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide.pdf

Hope this helps!

/Magnus

Community Member

How do I utilize certificates in VCS for restricted https access

Hi Magnus,

Thanks for the links.  Though the documents helped me to understand the process I am unsure about where to get the client certificate for my browser to use.

I realize that the VCS came with a server certificate loaded.  Does the client browser need this certtificate to match that of the VCS?

Gold

How do I utilize certificates in VCS for restricted https access

Ricardo,

in order to use client certificate-based security on the VCS, you will need to have a CA (Certificate authority) which can create certificates for the clients which will be accessing the VCS via HTTPS.

For this CA you have a lot of options, you could for example use a Windows-based CA or use OpenSSL, for which you should be able to find a lot of useful guides and help online.

Once you have created a CA certficate, you can create client certificates which are signed with your CA certificate (and I also recommend you create a server certificate for the VCS). You will then have to upload this CA certificate to the VCS (and the server certificate and key if you chose to create this) and install a client certificate on each computer which you plan on using to connect to the VCS with.

Depending on which web browser you use for accessing the VCS, the web browser might have to be actively configured to enable client-based certificate checking, while other browsers will automatically prompt you to select which certificate to present once the VCS requests this.

Hope this helps,

Andreas

Community Member

How do I utilize certificates in VCS for restricted https access

Andreas/Magnus,

Thanks for the guidance.  I managed to create a private key and a certificate request which I used a Windows CA to generate.  I however stumble on this problem though.

tvcs: Event="

Inbound TLS Negotiation Error " Service="SIP " Src-ip="199.19.190.28 " Src-port="52948 " Dst-ip="x.x.x.x" Dst-port="5061

" Detail="sslv3 alert bad certificate

This was a call from a client registered with cisco jabber.com domain not my own.

I presume that the certificate generated by me is used for TLS encryption as well but I believed that verify certificate checking was done for https and that in a call the VCS would use a combination of client and server keys to encrypt traffic.

I need to move to an online service like cacert.org because the VCS-e is in the public internet now and cannot reach our DC to renew the CRL which expire quickly.  Is it that both inbound client and server must have a root CA containing the same authority?

Community Member

How do I utilize certificates in VCS for restricted https access

Hi,

we are facing the same behavior with calls between Free Jabber servers and our VCS. Running VCS version 7.2.2.

"sslv3 alert bad certificate"

Have you resolved the issue?

Thank you.

Cisco Employee

Hi! Having exactly the same

Hi!

 

Having exactly the same error only with free jabber accounts, everything else works fine, let me know fi you are able to find the solution, I will do teh same on my end

Community Member

Hi,in order to communicate

Hi,

in order to communicate with free jabber cloud you have to upload to your VCSe server ceritficate signed by trusted CA. You can choose one of the following:

https://supportforums.cisco.com/docs/DOC-23938

This will resolve your issues with calls with free jabber video users.

1214
Views
4
Helpful
7
Replies
CreatePlease to create content