[cisco-voip] TVS & Signed Certificates

Brian Meade bmeade90 at vt.edu
Mon Aug 11 17:34:46 EDT 2014


From the servers on both clusters and the console logs from one of the
phones.


On Mon, Aug 11, 2014 at 4:47 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:

> This is a lab environment, so sharing is not a problem. Are the TVS traces
> you want from the servers or the phones?
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
> *From:* bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] *On Behalf Of *Brian
> Meade
> *Sent:* Monday, August 11, 2014 4:45 PM
>
> *To:* Heim, Dennis
> *Cc:* Ryan Ratliff (rratliff); cisco-voip voyp list
> *Subject:* Re: [cisco-voip] TVS & Signed Certificates
>
>
>
> Did you upload the CA root certificate as a CallManager-trust on all
> nodes?  Do you mind sharing your TVS traces from your testing?
>
>
>
> On Mon, Aug 11, 2014 at 4:34 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
>
> It looks like from my testing that the only way is to use the bulk
> certificate tool as Ryan mentioned. I installed signed certificates for TVS
> and CallManager, and was unable to move a phone between both clusters.
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
> *From:* bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] *On Behalf Of *Brian
> Meade
> *Sent:* Monday, August 11, 2014 3:15 PM
> *To:* Heim, Dennis
> *Cc:* Ryan Ratliff (rratliff); cisco-voip voyp list
>
>
> *Subject:* Re: [cisco-voip] TVS & Signed Certificates
>
>
>
> The important part is having the root CA uploaded as a CallManager-trust
> on all nodes on both clusters and having the CallManager.pem certificates
> CA-signed.
>
>
>
> On Mon, Aug 11, 2014 at 3:07 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
>
> Ryan:
>
>
>
> I installed enterprise signed certificates (TVS) on both clusters.
> However, the usual issue with moving phones between clusters is still
> there. Apparently that idea does not work.
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
> *From:* Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
> *Sent:* Monday, August 11, 2014 9:48 AM
> *To:* Heim, Dennis
> *Cc:* cisco-voip voyp list
> *Subject:* Re: [cisco-voip] TVS & Signed Certificates
>
>
>
> Yes, but not by nature of the TVS cert itself being CA-signed. Since the
> TVS cert will get into the ITL who signs it doesn't matter.
>
> Why it may help is because TVS will authorize any cert in the local
> server's trust store.  If the other certs (the ones the endpoint presents
> to TVS) are CA-signed and TVS has the root cert available then in theory
> any cert signed by that root cert will be authorized, regardless of whether
> the actual cert has been uploaded to UCM.
>
> This of course is an educated guess, and I'd thoroughly test it in the lab
> first.
>
>
>
> -Ryan
>
>
>
> On Aug 8, 2014, at 8:15 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
>
>
>
> If you used signed certificates by your enterprise CA for TVS, would that
> allow TVS to validate across multiple clusters if both clusters' TVS
> certificates were signed by the same CA?
>
>
>
> I am trying to determine if there would ever be an advantage to doing a
> non-self-signed certificate on the TVS.
>
>
>
> *Dennis Heim | Collaboration Solutions Architect*
>
> World Wide Technology, Inc. | +1 314-212-1814
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
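Added example, not part of the thread and not Cisco code: the trust-store reasoning in Ryan's message, shown as generic X.509 path validation with the openssl CLI. It does not model TVS or the ITL; the host names, the CA name and the file layout are constructed placeholders.

```shell
# Constructed lab PKI; every name below is a placeholder, not from the thread.
# Generic X.509 path validation only: it does not model TVS, the ITL or UCM.

mk_selfsigned() {  # $1 = file prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

mk_ca_signed() {   # $1 = file prefix, $2 = CN, $3 = CA file prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 2 -out "$1.pem" >/dev/null 2>&1
}

trusted() {        # $1 = trust-store PEM bundle, $2 = certificate to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

trust_demo() {
    d=$(mktemp -d) || return 1
    # Model 1: each cluster uses its own self-signed certificate.
    mk_selfsigned "$d/a_self" "cucm-a.lab.example" || return 1
    mk_selfsigned "$d/b_self" "cucm-b.lab.example" || return 1
    # Model 2: one enterprise root signs cluster B's certificate.
    mk_selfsigned "$d/root" "Lab Enterprise Root CA" || return 1
    mk_ca_signed "$d/b_signed" "cucm-b.lab.example" "$d/root" || return 1

    # Store holds only cluster A's self-signed cert.
    r1=$(trusted "$d/a_self.pem" "$d/b_self.pem")
    # Store after the certs were exchanged (B's cert imported next to A's).
    cat "$d/a_self.pem" "$d/b_self.pem" > "$d/exchanged.pem"
    r2=$(trusted "$d/exchanged.pem" "$d/b_self.pem")
    # Store holds only the root; B's own cert was never imported.
    r3=$(trusted "$d/root.pem" "$d/b_signed.pem")
    # Root missing from the store: the CA-signed cert chains to nothing known.
    r4=$(trusted "$d/a_self.pem" "$d/b_signed.pem")

    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

trust_demo
```

The third and fourth results are the point of the root-CA question: a CA-signed certificate validates only on a node whose store actually contains that root, which is why the thread asks whether the root was uploaded on all nodes.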

