[cisco-voip] TVS & Signed Certificates

Heim, Dennis Dennis.Heim at wwt.com
Mon Aug 11 16:34:57 EDT 2014


It looks like from my testing that the only way is to use the bulk certificate tool as Ryan mentioned. I installed signed certificates for TVS and CallManager, and was unable to move a phone between both clusters.

Dennis Heim | Collaboration Solutions Architect
World Wide Technology, Inc. | +1 314-212-1814


From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: Monday, August 11, 2014 3:15 PM
To: Heim, Dennis
Cc: Ryan Ratliff (rratliff); cisco-voip voyp list
Subject: Re: [cisco-voip] TVS & Signed Certificates

The important part is having the root CA uploaded as a CallManager-trust on all nodes on both clusters and having the CallManager.pem certificates CA-signed.

On Mon, Aug 11, 2014 at 3:07 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
Ryan:

I installed enterprise signed certificates (TVS) on both clusters. However, the usual issue with moving phones between clusters is still there. Apparently that idea does not work.

Dennis Heim | Collaboration Solutions Architect
World Wide Technology, Inc. | +1 314-212-1814


From: Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
Sent: Monday, August 11, 2014 9:48 AM
To: Heim, Dennis
Cc: cisco-voip voyp list
Subject: Re: [cisco-voip] TVS & Signed Certificates

Yes, but not by nature of the TVS cert itself being CA-signed. Since the TVS cert will get into the ITL, who signs it doesn't matter.
Why it may help is because TVS will authorize any cert in the local server's trust store. If the other certs (the ones the endpoint presents to TVS) are CA-signed and TVS has the root cert available, then in theory any cert signed by that root cert will be authorized, regardless of whether the actual cert has been uploaded to UCM.
This of course is an educated guess, and I'd thoroughly test it in the lab first.

-Ryan

On Aug 8, 2014, at 8:15 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:

If you used signed certificates by your enterprise CA for TVS, would that allow TVS to validate across multiple clusters if both clusters' TVS certificates were signed by the same CA?

I am trying to determine if there would ever be an advantage to doing a non-self signed certificate on the TVS.

Dennis Heim | Collaboration Solutions Architect
World Wide Technology, Inc. | +1 314-212-1814


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


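The trust-store logic Ryan describes, and the bulk-tool workaround Brian and Dennis land on, can be modelled with ordinary X.509 chain validation. The program below is an added example written for this archive page; it is not code from the thread, from Cisco, or from CUCM. Go's crypto/x509 verifier stands in for TVS: a presented certificate is authorized if it is itself in the local trust store (a self-signed CallManager.pem imported with the bulk certificate tool) or chains to a CA certificate that is (the enterprise root uploaded as CallManager-trust). Cluster names, the "Enterprise Root CA" subject, and the throwaway P-256 keys are assumptions for illustration. The last two scenarios go beyond the thread to show the caveat and the failure mode: once the root is trusted, every certificate that root ever issues is authorized, and a root that was never uploaded buys nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a throwaway P-256 key (assumption: real CUCM nodes use RSA keys).
func NewKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// Issue creates a certificate for cn. With parent == nil it is self-signed
// (the CUCM default); otherwise parent/parentKey play the enterprise CA.
func Issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Trusted models the TVS decision: the presented cert is authorized if it is
// in the node's trust store or chains to a CA cert that is.
func Trusted(store []*x509.Certificate, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// RunScenarios evaluates each trust-store configuration from cluster A's point
// of view, with cluster B's CallManager cert as the one being presented.
func RunScenarios() map[string]bool {
	// Default: self-signed CallManager.pem on each cluster (constructed sample data).
	selfA := Issue("CUCM-A-pub", false, NewKey(), nil, nil)
	selfB := Issue("CUCM-B-pub", false, NewKey(), nil, nil)

	// Enterprise CA and a CA-signed CallManager.pem for cluster B.
	caKey := NewKey()
	ca := Issue("Enterprise Root CA", true, caKey, nil, nil)
	signedB := Issue("CUCM-B-pub", false, NewKey(), ca, caKey)
	// Some unrelated certificate the same root also issued.
	otherFromCA := Issue("intranet.example.test", false, NewKey(), ca, caKey)
	// A CA that cluster A never uploaded as CallManager-trust.
	otherCAKey := NewKey()
	otherCA := Issue("Some Other CA", true, otherCAKey, nil, nil)
	signedByOther := Issue("CUCM-B-pub", false, NewKey(), otherCA, otherCAKey)

	return map[string]bool{
		// A's store holds only its own cert: B's self-signed cert is rejected.
		"self-signed, peer not imported": Trusted([]*x509.Certificate{selfA}, selfB),
		// Bulk certificate tool: B's cert imported into A's trust store.
		"self-signed, peer imported via bulk tool": Trusted([]*x509.Certificate{selfA, selfB}, selfB),
		// Only the root uploaded on A; B's own cert never uploaded.
		"CA-signed, only root in trust": Trusted([]*x509.Certificate{ca}, signedB),
		// Caveat: the trusted root vouches for everything else it signs too.
		"CA-signed, unrelated cert from same root": Trusted([]*x509.Certificate{ca}, otherFromCA),
		// A root that was never uploaded does not help.
		"CA-signed by an untrusted CA": Trusted([]*x509.Certificate{ca}, signedByOther),
	}
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-42s trusted=%v\n", name, ok)
	}
}
```

The fourth scenario is the practical price of the CA approach: uploading the root as CallManager-trust widens the trust boundary from "these named cluster certificates" to "anything this CA issues", so the CA's issuance policy becomes part of the phone security model.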
