An SSL certificate says that the signer has verified that the subject of the certificate is who they claim to be. So when I register a certificate for <a href="http://secure.example.com">secure.example.com</a> through Verisign, anyone with the Verisign root certificate can both verify the validity of the certificate, and can accept that they are connecting to <a href="http://secure.example.com">secure.example.com</a>. If I try to use the same certificate on <a href="http://somewhatsecure.example.com">somewhatsecure.example.com</a>, the certificate validation would fail because the subject of the certificate is not the same as the one I'm connecting to.<br>
<br>A web browser ships with a set of trusted root certificates, so for a presented certificate to be verified, it has to be signed with one of those keys (or an intermediate CA that's bundled with the presented cert, but that's a more complex example).<br>
<br>With that in mind, all certificates are "valid", the only question is "does the browser trust the person that signed the key?". In the case of a self-signed certificate, the answer is initially "no".<br>
<br>For UCM to ship with a certificate that doesn't cause warnings:<br><br>1. The certificate on the box would have to come from a trusted CA.<br>2. The certificate would have to have the name or IP of the server in it before being signed.<br>
3. Cisco would have to take responsibility for the issuing and revoking of the certificates.<br><br>#1 isn't insurmountable through the use of Intermediate CAs.<br>#2 is a huge logistical problem. You'd have to have the certificate generated before you installed, or get Cisco to issue a new certificate after you named the server.<br>
#3 is a huge liability problem for Cisco.<br><br>
Put your security hat on for a moment and wonder what steps Cisco would
have to go through to prevent someone from ordering a server called
"<a href="http://secure.bankofamerica.com">secure.bankofamerica.com</a>" :)<br>
<br>The Microsoft CA isn't that bad; you can generate your own certificates and push out the internal root CA cert through a GPO.<br><br>Sean<br><br><br><div class="gmail_quote">On Sat, Nov 21, 2009 at 3:52 PM, Carter, Bill <span dir="ltr"><<a href="mailto:bcarter@sentinel.com">bcarter@sentinel.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I don't know much about certificates and CAs... I understand web sites etc. that use SSL have registered their certificates with a CA. When we install CallManager it uses SSL with self-signed certificates. When web'ng into UCM the browsers display a certificate error. I believe this is because the certificate is not registered with a recognized CA.<br>
<br>
I understand, if an organization already has a business relationship with a CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to provide certificates on UCM that are registered with a CA so we don't get the browser errors? Or is it a requirement that the end user obtain valid certificates for their own servers? Like I said, I don't know the mechanics of how certificates work.<br>
<br>
Thanks,<br>
Bill<br>
<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com">sean@ertw.com</a>> <a href="http://ertw.com/">http://ertw.com/</a><br>
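<br>An added example, not code from Sean, Bill or Cisco, that reproduces the three outcomes described in the reply above with the openssl command-line tool: a certificate issued by a trusted root for secure.example.com is accepted, the same certificate presented as somewhatsecure.example.com is rejected on name mismatch, and a certificate whose signer the "browser" has no root for is rejected as untrusted. The two demo CAs, the hostnames and the working directory are constructed for the example.<br>

```shell
#!/bin/sh
# Added example, not code from the thread: a private root CA signs a leaf
# certificate for secure.example.com, and openssl is then asked to validate
# it the way a browser would. All names, paths and the second CA are
# constructed for the demo. Requires the openssl command-line tool.
set -e

WORK="${TMPDIR:-/tmp}/cert-demo.$$"
mkdir -p "$WORK"

make_certs() {
    # A root CA the "browser" trusts, and a second one it does not.
    for ca in trusted other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca Root CA" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
    done
    # Leaf key plus CSR naming the server (step 2 in Sean's list).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=secure.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    # The trusted root signs it; the SAN fixes which hostname it is good for.
    printf 'subjectAltName=DNS:secure.example.com\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -extfile "$WORK/leaf.ext" \
        -CA "$WORK/trusted.pem" -CAkey "$WORK/trusted.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_as ROOT_PEM HOSTNAME: returns 0 when the leaf chains to ROOT_PEM
# and its name matches HOSTNAME, non-zero otherwise.
verify_as() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.pem" \
        >/dev/null 2>&1
}

# Three cases from the thread: right root and name; right root, wrong name
# (somewhatsecure.example.com); untrusted signer (like a self-signed cert).
check() {
    if verify_as "$WORK/$1.pem" "$2"; then echo "$1 root / $2: accepted"
    else echo "$1 root / $2: rejected"; fi
}

make_certs
check trusted secure.example.com
check trusted somewhatsecure.example.com
check other secure.example.com
```

The third case is what UCM's self-signed certificate looks like to a browser: the signature is internally consistent, but no shipped root vouches for the signer, so the chain cannot be built.<br>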