[cisco-voip] TVS & Signed Certificates

Brian Meade bmeade90 at vt.edu
Mon Aug 11 15:15:21 EDT 2014


The important part is having the root CA uploaded as a CallManager-trust on
all nodes on both clusters and having the CallManager.pem certificates
CA-signed.


On Mon, Aug 11, 2014 at 3:07 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:

> Ryan:
>
>
>
> I installed enterprise signed certificates (TVS) on both clusters.
> However, the usual issue with moving phones between clusters is still
> there. Apparently that idea does not work.
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
>
>
>
>
>
> *From:* Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
> *Sent:* Monday, August 11, 2014 9:48 AM
> *To:* Heim, Dennis
> *Cc:* cisco-voip voyp list
> *Subject:* Re: [cisco-voip] TVS & Signed Certificates
>
>
>
> Yes, but not by nature of the TVS cert itself being CA-signed. Since the
> TVS cert will get into the ITL, who signs it doesn't matter.
>
> Why it may help is because TVS will authorize any cert in the local
> server's trust store.  If the other certs (the ones the endpoint presents
> to TVS) are CA-signed and TVS has the root cert available then in theory
> any cert signed by that root cert will be authorized, regardless of whether
> the actual cert has been uploaded to UCM.
>
> This of course is an educated guess, and I'd thoroughly test it in the lab
> first.
>
>
>
> -Ryan
>
>
>
> On Aug 8, 2014, at 8:15 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
>
>
>
> If you used signed certificates by your enterprise CA for TVS, would that
> allow TVS to validate across multiple clusters if both clusters' TVS
> certificates were signed by the same CA?
>
>
>
> I am trying to determine if there would ever be an advantage to doing a
> non-self-signed certificate on the TVS.
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
>
>
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
>
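
Added example, not part of the original thread: one way to check offline, before testing phone moves, that each cluster's exported CallManager.pem chains to the enterprise root that is to be uploaded as CallManager-trust. The PKI is constructed lab data and the file and host names are assumptions; the script models ordinary X.509 chain validation with openssl, not TVS itself.

```bash
#!/usr/bin/env bash
# Added example. All keys and certificates are constructed lab data; file and
# host names are assumptions. Models plain X.509 chain validation, not TVS.
set -e

# chains_to_root ROOT_PEM CERT_PEM: succeeds only if CERT_PEM verifies with
# ROOT_PEM supplied as the trust anchor.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_lab_pki DIR: constructed enterprise root, a root-signed CallManager cert
# for cluster A, and a self-signed CallManager cert for cluster B.
make_lab_pki() {
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Enterprise Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=cucm-a.lab.example" -keyout "$d/a.key" -out "$d/a.csr" 2>/dev/null
  openssl x509 -req -in "$d/a.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -out "$d/clusterA-CallManager.pem" 2>/dev/null
  openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=cucm-b.lab.example" -keyout "$d/b.key" \
    -out "$d/clusterB-CallManager.pem" 2>/dev/null
}

# audit_certs ROOT_PEM CERT...: one line per cert, returns 1 if any fails.
audit_certs() {
  root=$1; shift; rc=0
  for c in "$@"; do
    if chains_to_root "$root" "$c"; then echo "OK   $c"
    else echo "FAIL $c (does not chain to $root)"; rc=1; fi
  done
  return $rc
}

lab=$(mktemp -d)
make_lab_pki "$lab"
audit_certs "$lab/root.pem" "$lab"/cluster?-CallManager.pem || true
```

With real exports, skip `make_lab_pki` and pass the enterprise root PEM followed by each node's CallManager.pem to `audit_certs`.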