[cisco-voip] Self-Signed Certificates on CallManager

Carter, Bill bcarter at sentinel.com
Sat Nov 21 17:22:42 EST 2009


Great explanation. thanks!



-----Original Message-----
From: Sean Walberg
Sent: Sat 11/21/2009 4:13 PM
To: Carter, Bill
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Self-Signed Certificates on CallManager

An SSL certificate says that the signer has verified that the subject of the
certificate is who they claim to be. So when I register a certificate for
secure.example.com through Verisign, anyone with the Verisign root
certificate can both verify the validity of the certificate, and can accept
that they are connecting to secure.example.com. If I try to use the same
certificate on somewhatsecure.example.com, the certificate validation would
fail because the subject of the certificate is not the same as the one I'm
connecting to.

A web browser ships with a set of trusted root certificates, so for a
presented certificate to be verified, it has to be signed with one of those
keys (or an intermediate CA that's bundled with the presented cert, but
that's a more complex example).

With that in mind, all certificates are "valid", the only question is "does
the browser trust the person that signed the key?". In the case of a self
signed certificate, the answer is initially "no".

For UCM to ship with a certificate that doesn't cause warnings:

1. The certificate on the box would have to come from a trusted CA.
2. The certificate would have to have the name or IP of the server in it
before being signed.
3. Cisco would have to take responsibility for the issuing and revoking of
the certificates.

#1 isn't insurmountable through the use of Intermediate CAs.
#2 is a huge logistical problem. You'd have to have the certificate
generated before you installed, or get Cisco to issue a new certificate
after you named the server.
#3 is a huge liability problem for Cisco.

Put your security hat on for a moment and wonder what steps Cisco would have
to go through to prevent someone from ordering a server called
"secure.bankofamerica.com" :)

The Microsoft CA isn't that bad, you can generate your own certificates and
push out the internal root CA cert through a GPO.

Sean


On Sat, Nov 21, 2009 at 3:52 PM, Carter, Bill <bcarter at sentinel.com> wrote:

> I don't know much about certificates and CA....I understand web sites etc.
> that use SSL have registered their certificates with a CA. When we install
> CallManager it uses SSL with self-signed certificates. When web'ng into UCM
> the browsers display a certificate error. I believe this is because the
> certificate is not registered with a recognized CA.
>
> I understand, if an organization already has a business relationship with a
> CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to
> provide certificates on UCM that are registered with a CA so we don't get
> the browser errors? Or is it a requirement that the end user obtain valid
> certificates for their own servers? Like I said, I don't know the mechanics
> of how certificates work.
>
> Thanks,
> Bill
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
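The three outcomes Sean walks through above (a CA-issued certificate accepted for its own name, the same certificate rejected on a different host name, and a self-signed certificate rejected until the trust store is told about it) can be reproduced with a small in-memory PKI. The following Go program is an added example written for this page; it is not code from the thread, from Cisco, or from Sean. It uses only the Go standard library, and every name in it (the "Example Trusted CA" root, secure.example.com, somewhatsecure.example.com, cucm.example.com) is constructed for the demonstration.

```go
package main

// Added example (not from the mailing-list thread): build a tiny PKI in memory
// and run the same two checks a browser runs, chain-to-trusted-root and
// host-name match, so the thread's three cases can be seen side by side.
// All certificate names below are constructed for the demo.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple monotonic serial number for the demo certificates

// MakeCert issues a certificate for name. With parent == nil the certificate is
// self-signed (the key signs its own certificate); otherwise parent/parentKey act
// as the issuing CA. Server certificates carry name as a SAN, which is what a
// browser compares against the host in the URL.
func MakeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	issuer, issuerKey := tmpl, key // self-signed: the template is its own issuer
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Outcome runs the browser-style check: chain cert to a root in trusted and
// confirm the certificate was issued for host. It returns a short label.
func Outcome(cert *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &hostErr):
		return "name mismatch" // right signer, wrong host (the somewhatsecure case)
	case errors.As(err, &caErr):
		return "untrusted signer" // well-formed cert, but nobody in the store vouches for it
	default:
		return "error: " + err.Error()
	}
}

// Scenarios mirrors the thread: a CA-issued cert on its own host, the same cert
// on another host, a self-signed cert against a store that does not know it,
// and that self-signed cert after an admin has distributed it to the store.
func Scenarios() (map[string]string, error) {
	ca, caKey, err := MakeCert("Example Trusted CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	secure, _, err := MakeCert("secure.example.com", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	selfSigned, _, err := MakeCert("cucm.example.com", false, nil, nil)
	if err != nil {
		return nil, err
	}
	browserStore := x509.NewCertPool() // what the browser "ships with": only the CA
	browserStore.AddCert(ca)
	pushedStore := x509.NewCertPool() // the same store after the self-signed cert was pushed out
	pushedStore.AddCert(ca)
	pushedStore.AddCert(selfSigned)
	return map[string]string{
		"ca-issued, correct host":      Outcome(secure, browserStore, "secure.example.com"),
		"ca-issued, other host":        Outcome(secure, browserStore, "somewhatsecure.example.com"),
		"self-signed, default store":   Outcome(selfSigned, browserStore, "cucm.example.com"),
		"self-signed, after push-out":  Outcome(selfSigned, pushedStore, "cucm.example.com"),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range results {
		fmt.Printf("%-30s %s\n", k, v)
	}
}
```

Run it with `go run .` and the four labels appear in arbitrary map order. The last case is the in-house equivalent of Sean's GPO remark: the certificate itself never changes, only the trust store does, which is why a self-signed UCM certificate stops producing warnings once the client has been told to trust it and never before.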


