[cisco-voip] Self-Signed Certificates on CallManager

Jason Aarons (US) jason.aarons at us.didata.com
Tue Nov 24 16:16:12 EST 2009


The question is: does your browser trust whatever certificate you put in your CallManager? If you don't use something trusted by your browser (doesn't have to be public), then you'll need to look at your Trusted Root and/or push out trust info, or have end users manually accept the certificate (which in a large network would be realistic).

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Tim Reimers
Sent: Tuesday, November 24, 2009 4:03 PM
To: ROZA, Ariel; Carter, Bill; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Self-Signed Certificates on CallManager

I've been working on just generating CSRs to use with my own Microsoft CA server.

No need IMO for a public CA issuer, since nothing on your UCM is going to be viewed by the general public anyway.

From the UCM Security Guide for version 6.11:

"Support for Certificates from External CAs

Cisco Unified Communications Manager supports integration with third-party certificate authorities (CAs) by using a PKCS#10 certificate signing request (CSR) mechanism, which is accessible at the Cisco Unified Communications Operating System Certificate Manager GUI. Customers who currently use third-party CAs should use the CSR mechanism to issue certificates for Cisco Unified Communications Manager, CAPF, IPSec, and Tomcat.

Note: This release of Cisco Unified Communications Manager does not provide SCEP interface support.

Cisco has verified the PKCS#10 CSR support mechanism with these CAs: Keon and Microsoft. Cisco has not verified certificate issuance with other external CAs that support PKCS#10 CSRs.

Be sure to run the CTL client after you upload a third-party, CA-signed certificate to the platform to update the CTL file. After running the CTL client, restart the appropriate service(s) for the update; for example, restart Cisco CallManager and Cisco Tftp services when you update the Cisco Unified Communications Manager certificate, restart CAPF when you update the CAPF certificate, and so on. See "Configuring the Cisco CTL Client" section on page 3-1 for the update procedure.

For information on generating Certificate Signing Requests (CSRs) at the platform, refer to the Cisco Unified Communications Operating System Administration Guide that supports this Cisco Unified Communications Manager release."

It looks to me like I'll have to run the CTL Client after I install my CA certificate.

One problem I'm having is that my CA is not showing the Web Server template at the http://mycaserver/cert.svc URL.

It's only showing Basic EFS, IPSec, and User

I don't know if I could use the User one.

The Web Server template appears in the .msc applet, but when I submit my CSR from within the .msc, an error tells me that my CSR from UCM/tomcat doesn't contain info about which template to use

(as I could have selected from the web interface, if Web Server template was available)

So I'm a little stumped as to how to submit the CSR without an embedded template.

Some people have said "Just upgrade to Server 2003 Enterprise" --- that's not an option really -- costwise, I'm being told it's not that big a problem, and being asked why Microsoft won't allow Standard to do this. Or I'm being told that since you can get a CSR from IIS and do this with Standard 2003, then Apache/tomcat on UCM should as well.

And TAC is no help -- they rarely understand Microsoft stuff -- and their test CAs are all Enterprise.

Tim Reimers
Systems Analyst II
Information Technology Services
City of Asheville
70 Court Plaza
Asheville, NC 28801
phone - 828-259-5512
treimers at ashevillenc.gov
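The submission problem described in the message above (a UCM-generated CSR carrying no Microsoft template information, and the Web Server template missing from the web-enrollment page) can be sidestepped by submitting the request from the command line and naming the template there. The following is an added example for this thread, not code from the original posts or from Cisco or Microsoft; the CA name, file paths and the account's template permission are assumptions.

```powershell
# Added example, not from the thread or from Cisco: submit a PKCS#10 CSR
# exported from the UCM OS Administration Certificate Manager to a Windows CA,
# naming the template on the command line rather than relying on the CSR or
# the web-enrollment page to carry it.
#
# Assumptions (all hypothetical): the CA runs as "CAHOST\Example-Issuing-CA",
# the UCM tomcat CSR was saved as C:\certs\tomcat.csr, and the account running
# this has Enroll permission on the Web Server template.

$caConfig = 'CAHOST\Example-Issuing-CA'
$csrPath  = 'C:\certs\tomcat.csr'
$cerPath  = 'C:\certs\tomcat.cer'

# 1. Inspect the request before sending it: check the Subject (CN must be the
#    fully qualified name users will type in the browser) and note that a
#    UCM-generated request carries no Microsoft template attribute at all.
certutil -dump $csrPath

# 2. Submit, naming the template explicitly. Use the template's internal name
#    (WebServer), not its display name ("Web Server").
certreq -submit -attrib 'CertificateTemplate:WebServer' -config $caConfig $csrPath $cerPath

# If the CA holds requests for manager approval, certreq reports a RequestId and
# the request stays pending. Issue it on the CA and fetch the certificate:
#   certutil -config $caConfig -resubmit <RequestId>
#   certreq -retrieve -config $caConfig <RequestId> $cerPath

# 3. Verify the result before touching UCM: the issuer should be your CA, the
#    Enhanced Key Usage should include Server Authentication, and the chain
#    should build on this machine.
certutil -dump $cerPath
certutil -verify $cerPath

# 4. Export the CA certificate that signed it. UCM needs the issuer chain in the
#    matching "-trust" store (tomcat-trust for the tomcat certificate) before it
#    will accept the signed certificate itself.
certutil -config $caConfig -ca.cert C:\certs\example-issuing-ca.cer
```

Two caveats a practitioner will want. The certsrv web page only lists templates the logged-on account has Enroll permission on, and the Web Server template by default grants Enroll only to administrator groups, so its absence from the page is a permissions question, not a sign that the CA cannot issue from it; certreq against an Enterprise CA reports "denied by policy module" if the account lacks that permission. And the CTL-client step in the quoted Security Guide text applies to certificates that live in the CTL (CallManager, CAPF, TFTP); the tomcat certificate is only used by the web interface, so after uploading it the relevant step is restarting Cisco Tomcat (from the UCM CLI: utils service restart Cisco Tomcat).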

________________________________

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of ROZA, Ariel
Sent: Tuesday, November 24, 2009 3:23 PM
To: Carter, Bill; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Self-Signed Certificates on CallManager

Bill,

Although not issued by a public CA, you can make your browser accept the certificates of your CCM as valid and not display a warning.

Most modern browsers have an option to manually import the certificate into your computer's local certificate store. You usually see this option when handling an invalid certificate.

For example, in Internet Explorer 8, you can see the button "Certificate invalid" beside the address bar after you click the option "Continue to this website". If you click this button, you will see a dialog that shows you the certificate in question and allows you to import it.

Keep in mind that for the certificate to be recognized as valid, you would have to access the CCM server via its hostname and not its IP address.

ARIEL ROZA
Service Delivery Engineer
LOGICALIS
Peru 327 1° Piso - C.A.B.A. - Argentina - C1063ACH
Tel/Fax: +54 (11) 4344-0300
ariel.roza at la.logicalis.com
www.la.logicalis.com
www.logicalisnow.com
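The two points made above (the certificate only validates when the server is reached by the name in it, and the certificate can be imported into the local store) and the "push out trust info" option in Jason's reply at the top of the thread can be checked and applied without a browser. The following is an added example written for this page, not code from any of the posters; the hostname, IP address, port and file path are assumptions.

```powershell
# Added example, not from the thread: show why the CCM certificate validates
# only when the server is reached by the name in the certificate, and how to
# trust it machine-wide instead of having every user click through.
#
# Assumptions (hypothetical): the CCM publisher answers HTTPS on TCP 8443 as
# ccm-pub.example.local / 10.0.0.10, and C:\certs\ccm-pub.cer holds its
# self-signed certificate, exported from the browser or from the UCM OS
# Administration Certificate Management page.

function Test-TlsCertForName {
    param(
        [Parameter(Mandatory)][string]$Target,   # exactly what you would type in the address bar
        [int]$Port = 8443
    )
    $script:lastErrors = $null
    # Validation callback: record the verdict but accept the connection anyway,
    # so the server certificate can still be read and reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:lastErrors = $sslPolicyErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Windows compares this name against the certificate's CN / Subject
        # Alternative Name. An IP literal never matches a certificate issued
        # to a hostname, which is why browsing by IP address produces a warning.
        $ssl.AuthenticateAsClient($Target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Target     = $Target
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Errors     = $script:lastErrors   # SslPolicyErrors flags; None means fully valid
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Connecting by IP fails the name check regardless of which CAs are trusted.
Test-TlsCertForName -Target '10.0.0.10'

# Trust the self-signed certificate for all users on this machine (run elevated).
# Compare the file's thumbprint with the one reported above before importing it.
certutil -addstore -f Root 'C:\certs\ccm-pub.cer'

# By hostname, with the certificate trusted, both the chain and the name check pass.
Test-TlsCertForName -Target 'ccm-pub.example.local'
```

By IP the Errors field reports RemoteCertificateNameMismatch (plus RemoteCertificateChainErrors until the certificate is trusted); by hostname, once the import is done, it reports None. To push the same trust to many machines, the certificate goes into Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities in a Group Policy object. Two caveats: placing a self-signed server certificate in the Root store trusts that key as a CA, and every time UCM regenerates the certificate (hostname change, renewal) every client has to receive the new one, which is why signing the UCM certificates with an internal CA the clients already trust scales better than distributing the self-signed certificate itself.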


________________________________

From: Carter, Bill
Sent: Sat 21/11/2009 19:52
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Self-Signed Certificates on CallManager

I don't know much about certificates and CAs....I understand web sites etc. that use SSL have registered their certificates with a CA. When we install CallManager it uses SSL with self-signed certificates. When web'ng into UCM the browsers display a certificate error. I believe this is because the certificate is not registered with a recognized CA.
 
I understand, if an organization already has a business relationship with a CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to provide certificates on UCM that are registered with a CA so we don't get the browser errors? Or is it a requirement that the end user obtain valid certificates for their own servers? Like I said, I don't know the mechanics of how certificates work.
 
Thanks,
Bill
 
 
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip