[cisco-voip] Call Manager, Jabber, and Certificates

Joe Loiacono jloiacon at csc.com
Fri Mar 20 08:39:56 EDT 2015 

Rob Dawson <rdawson at force3.com> wrote on 03/19/2015 10:50:55 AM:
 
> What document are you looking at?

Cisco Jabber for Windows 9.7 Installation and Configuration Guide

> As far as I know the only certificate “push” would be done via GPO 
> or some similar mechanism. During the SSL handshake the server 
> certificate is sent to the client and the client will attempt to 
> validate either the cert itself, or the signing authority, against 
> its trust list. If the certificate is not in the trust list then the
> client will be offered the opportunity to trust/add it to its store,
> but this is the server cert, not the root cert. If however the CA 
> root cert (public or private) OR the privately signed cert is 
> already in the trust list then it should work with no further 
> intervention or prompting. Once the client trusts the certificate 
> then the key exchange happens.
> I can’t really think of anytime that it would a solid decision, 
> security wise, to allow a piece of software to install a trusted 
> root certificate.


I'm thinking the action that we take on CUCM, which we refer to as 
'pushing a cert to the Jabber client' is the following:

--------

Import Root Certificates on Client Computers

Every server certificate should have an associated root certificate 
present in the trust store on client computers. Cisco Jabber validates the 
certificates that servers present against the root certificates in the 
trust store. If you get server certificates signed by a public CA, the 
public CA should already have a root certificate present in the trust 
store on the client computer. In this case, you do not need to import root 
certificates on the client computers.

You should import root certificates into the Microsoft Windows certificate 
store if:

• The certificates are signed by a CA that does not already exist in the 
trust store, such as a private CA.

Import the private CA certificate to the Trusted Root Certification 
Authorities store.

• The certificates are self-signed.

Import self-signed certificates to the Enterprise Trust store.

--------


This is driving us nuts, so I'm wondering if we have self-signed server 
certs or we're using our own private CA, etc. I'm inquiring within, of 
course, just was curious what others had done here.

Many thanks,

Joe 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150320/5d93edda/attachment.html>

More information about the cisco-voip mailing list