[cisco-voip] Call Manager, Jabber, and Certificates

Rob Dawson rdawson at force3.com
Fri Mar 20 09:45:48 EDT 2015


That section pretty much sums it up . . . if you have self-signed certs, a private CA, or certs signed by an untrusted CA, then you have to add either the server certs themselves, or the root cert/chain for the issuing CA, to the _client_ computers/devices. This is not done via CUCM/Jabber though, it would be via whatever mechanism is provided by your OS/device manufacturer i.e. group policy for Microsoft, mobile device management, etc.

If the certs are untrusted the clients should be getting prompted for them and may have the ability to add them themselves based on security policies.

Rob


From: Joe Loiacono [mailto:jloiacon at csc.com]
Sent: Friday, March 20, 2015 8:40 AM
To: Rob Dawson; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Call Manager, Jabber, and Certificates

Rob Dawson <rdawson at force3.com> wrote on 03/19/2015 10:50:55 AM:

> What document are you looking at?

Cisco Jabber for Windows 9.7 Installation and Configuration Guide

> As far as I know the only certificate “push” would be done via GPO
> or some similar mechanism. During the SSL handshake the server
> certificate is sent to the client and the client will attempt to
> validate either the cert itself, or the signing authority, against
> its trust list. If the certificate is not in the trust list then the
> client will be offered the opportunity to trust/add it to its store,
> but this is the server cert, not the root cert. If however the CA
> root cert (public or private) OR the privately signed cert is
> already in the trust list then it should work with no further
> intervention or prompting. Once the client trusts the certificate
> then the key exchange happens.
> I can’t really think of anytime that it would be a solid decision,
> security wise, to allow a piece of software to install a trusted
> root certificate.


I'm thinking the action that we take on CUCM, which we refer to as 'pushing a cert to the Jabber client' is the following:

--------

Import Root Certificates on Client Computers

Every server certificate should have an associated root certificate present in the trust store on client computers. Cisco Jabber validates the certificates that servers present against the root certificates in the trust store. If you get server certificates signed by a public CA, the public CA should already have a root certificate present in the trust store on the client computer. In this case, you do not need to import root certificates on the client computers.

You should import root certificates into the Microsoft Windows certificate store if:

• The certificates are signed by a CA that does not already exist in the trust store, such as a private CA.

Import the private CA certificate to the Trusted Root Certification Authorities store.

• The certificates are self-signed.

Import self-signed certificates to the Enterprise Trust store.

--------


This is driving us nuts, so I'm wondering if we have self-signed server certs or we're using our own private CA, etc. I'm inquiring within, of course, just was curious what others had done here.

Many thanks,

Joe
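As an added illustration (not part of the thread, and not Cisco's or Jabber's code), the script below uses OpenSSL to act out the client-side validation Rob describes: a server certificate signed by a made-up private CA, and a self-signed one, are each checked against a trust store that does and does not contain the relevant root. All names (Example Private Root CA, cucm.example.internal, selfsigned.example.internal) and every key and certificate are constructed on the fly for the demo; it assumes `openssl` 1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the trust-store check a TLS client
# performs, using OpenSSL. Everything below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Case 1: a private CA (hypothetical name) signs the server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Private Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=cucm.example.internal" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -sha256 -days 365 -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt >/dev/null 2>&1

# Case 2: the server certificate is self-signed (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=selfsigned.example.internal" -keyout selfsigned.key -out selfsigned.crt >/dev/null 2>&1

# client_validates CERT [TRUSTFILE]
# Stands in for what the client does during the TLS handshake: try to chain CERT
# to a root it already trusts. With no TRUSTFILE only OpenSSL's default store is
# consulted (public CAs, none of ours); with TRUSTFILE that file has been "imported".
# Returns 0 when the certificate validates, 1 otherwise.
client_validates() {
  cert=$1
  trust=${2:-}
  if [ -n "$trust" ]; then
    openssl verify -CAfile "$trust" "$cert" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify "$cert" 2>/dev/null | grep -q ': OK$'
  fi
}

# report CERT TRUSTFILE LABEL: print one line per scenario.
report() {
  if client_validates "$1" "$2"; then echo "$3: trusted"; else echo "$3: untrusted"; fi
}

report server.crt     ""             "private-CA cert, root not in client store"
report server.crt     ca.crt         "private-CA cert, root imported to client store"
report selfsigned.crt ""             "self-signed cert, not in client store"
report selfsigned.crt selfsigned.crt "self-signed cert, itself imported to client store"
report selfsigned.crt ca.crt         "self-signed cert, only the unrelated CA in store"
```

The runs map onto the two bullets in the quoted guide: the private-CA certificate passes only once ca.crt is in the store (the Trusted Root Certification Authorities store on Windows), and the self-signed certificate passes only when that certificate itself is trusted (the Enterprise Trust store in the guide); having an unrelated CA in the store does nothing for it. Nothing about the server changes between the failing and passing runs. The difference is entirely in what the client trusts, which is why the import has to happen on the client side through GPO, MDM or a comparable mechanism rather than from CUCM.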