[cisco-voip] Call Manager, Jabber, and Certificates

Rob Dawson rdawson at force3.com
Thu Mar 19 10:50:55 EDT 2015


What document are you looking at?
As far as I know the only certificate “push” would be done via GPO or some similar mechanism. During the SSL handshake the server certificate is sent to the client and the client will attempt to validate either the cert itself, or the signing authority, against its trust list. If the certificate is not in the trust list then the client will be offered the opportunity to trust/add it to its store, but this is the server cert, not the root cert. If however the CA root cert (public or private) OR the privately signed cert is already in the trust list then it should work with no further intervention or prompting. Once the client trusts the certificate then the key exchange happens.
I can’t really think of any time that it would be a solid decision, security-wise, to allow a piece of software to install a trusted root certificate.
Rob
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Joe Loiacono
Sent: Thursday, March 19, 2015 8:29 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Call Manager, Jabber, and Certificates


Jabber documentation indicates that the Certificate that the client may require and is 'pushed' from Call Manager is a 'root certificate' that directs the Client to a trusted source that will validate the server's (Call Manager hosts) offered certificate.

If the Call Manager certificate is from a public trusted Certificate Authority (CA), and that CA is in the Windows certificate store, can the Certificate 'push' be avoided altogether?

Thanks,

Joe Loiacono
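
Added example, not part of the original thread: the three trust-list outcomes described in the reply above, reproduced with the `openssl` CLI on a throwaway PKI. The CA names, the host name `cucm.example.test` and the helper functions are constructed for the demonstration; this models trust-list validation in general, not Jabber's own certificate handling.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name below is made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root <name> <CN>: self-signed root CA certificate and key.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_server <name> <CN> <issuing-root>: server certificate signed by that root.
new_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -out "$WORK/$1.pem" 2>/dev/null
}

# client_decision <trust-list.pem> <server.pem>
# "trusted": the chain ends at an entry in the trust list, or the server
#            certificate itself is listed (-partial_chain permits that).
# "prompt" : nothing matches, the case where a client would ask the user.
client_decision() {
  if openssl verify -partial_chain -trusted "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo prompt
  fi
}

new_root   root   "Demo Private Root CA"
new_root   other  "Unrelated Root CA"
new_server server "cucm.example.test" root

echo "signing root in trust list: $(client_decision "$WORK/root.pem"   "$WORK/server.pem")"
echo "server cert in trust list:  $(client_decision "$WORK/server.pem" "$WORK/server.pem")"
echo "neither in trust list:      $(client_decision "$WORK/other.pem"  "$WORK/server.pem")"
```

Only the third case leaves the client with a decision to make; distributing the signing root ahead of time (for example by GPO, as the reply suggests) turns it into the first case.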