<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Times;
        panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The question is whether your browser trusts whatever certificate you
put in your CallManager. If you don’t use something trusted by your
browser (it doesn’t have to be public) then you’ll need to look at
your Trusted Root and/or push out trust info, or have end users manually accept
the certificate (which in a large network would be realistic).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On
Behalf Of </b>Tim Reimers<br>
<b>Sent:</b> Tuesday, November 24, 2009 4:03 PM<br>
<b>To:</b> ROZA, Ariel; Carter, Bill; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] Self-Signed Certificates on CallManager<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>I've been working on just generating CSRs to use with my own
Microsoft CA server.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>No need IMO for a public CA issuer, since nothing on your UCM is
going to be viewed by the general public anyway.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>From the UCM Security Guide for version 6.11:</span><o:p></o:p></p>
<p><b><span style='font-size:18.0pt;font-family:"Arial","sans-serif";
color:blue'>"Support for Certificates from External CAs</span></b><b><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></b></p>
<p><span style='font-size:10.0pt;font-family:"Times","serif";color:blue'>Cisco
Unified Communications Manager supports integration with third-party
certificate authorities (CAs) by using a PKCS#10 certificate signing request
(CSR) mechanism, which is accessible at the Cisco Unified Communications
Operating System Certificate Manager GUI. Customers who currently use
third-party CAs should use the CSR mechanism to issue certificates for Cisco
Unified Communications Manager, CAPF, IPSec, and Tomcat.</span><span
style='font-size:10.0pt;font-family:"Times","serif"'><o:p></o:p></span></p>
<p style='margin-left:2.5in'><b><span style='font-size:7.5pt;font-family:"Arial","sans-serif";
color:blue'>Note: </span></b><span style='font-size:10.0pt;font-family:"Times","serif";
color:blue'>This release of Cisco Unified Communications Manager does not
provide SCEP interface support.</span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-size:10.0pt;font-family:"Times","serif";color:blue'>Cisco
has verified the PKCS#10 CSR support mechanism with these CAs: Keon and
Microsoft. Cisco has not verified certificate issuance with other external CAs
that support PKCS#10 CSRs.</span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-size:10.0pt;font-family:"Times","serif";color:blue'>Be
sure to run the CTL client after you upload a third-party, CA-signed
certificate to the platform to update the CTL file. After running the CTL
client, restart the appropriate service(s) for the update; for example, restart
Cisco CallManager and Cisco Tftp services when you update the Cisco Unified
Communications Manager certificate, restart CAPF when you update the CAPF
certificate, and so on. See "Configuring the Cisco CTL Client"
section on page 3-1 for the update procedure.</span><span style='font-size:
10.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-size:10.0pt;font-family:"Times","serif";color:blue'>For
information on generating Certificate Signing Requests (CSRs) at the platform,
refer to the <i>Cisco Unified Communications Operating System Administration
Guide </i>that supports this Cisco Unified Communications Manager
release."</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>It
looks to me like I'll have to run the CTL Client after I install my CA
certificate.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>One
problem I'm having is that my CA is not showing the Web Server template at the
http://mycaserver/cert.svc URL</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>It's
only showing Basic EFS, IPSec, and User</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I
don't know if I could use the User one.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
Web Server template appears in the .msc applet, but when I submit my CSR from
within the .msc, an error tells me that my CSR from
UCM/tomcat doesn't contain info about which template to use</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>(as
I could have selected from the web interface, if Web Server template was
available)</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>So
I'm a little stumped as to how to submit the CSR without an embedded template.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Some
people have said "Just upgrade to Server 2003 Enterprise" --- that's
not an option really -- costwise, I'm being told it's not that big a problem,
and being asked why Microsoft won't allow Standard to do this. Or I'm being
told that since you can get a CSR from IIS and do this with Standard
2003, then Apache/tomcat on UCM should as well.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>And
TAC is no help -- they rarely understand Microsoft stuff -- and their test CAs
are all Enterprise.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Tim
Reimers</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Systems
Analyst II</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Information
Technology Services</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>City
of Asheville</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>70
Court Plaza</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Asheville,
NC 28801</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>phone
- 828-259-5512</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><a
href="mailto:timreimers@ashevillenc.gov">treimers@ashevillenc.gov</a></span><o:p></o:p></p>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
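<p class=MsoNormal>Added example, not part of Tim's message and not taken from Cisco or Microsoft documentation: a PowerShell session on a domain-joined Windows machine that can reach the CA, showing how to name the certificate template as a request attribute when the PKCS#10 CSR exported from UCM carries no template information. The CA configuration string, file paths and host names are placeholders, and the example assumes the CA is set up to issue the WebServer template and that the submitting account has Enroll permission on it.</p>

```powershell
# Added example (not from the list thread): submit a PKCS#10 CSR downloaded from
# the UCM OS Administration Certificate Management page to a Microsoft CA,
# naming the template as a request attribute because the CSR itself does not
# name one. Every path and CA name below is a placeholder.
$CaConfig = 'ca01.example.local\Example-Issuing-CA'   # placeholder: "<CA host>\<CA common name>"
$Csr      = 'C:\certs\tomcat.csr'                      # placeholder: CSR generated on UCM (tomcat)
$Cert     = 'C:\certs\tomcat.cer'                      # placeholder: signed cert to upload back to UCM

# 1. Confirm which templates the CA is actually configured to issue.
#    If WebServer is not in this list, no enrollment method will offer it.
certutil -config $CaConfig -CATemplates

# 2. Inspect the request. A CSR produced by UCM/tomcat contains the subject and
#    public key but no Certificate Template extension, which is why the MMC
#    and web enrollment cannot pick a template from it automatically.
certutil -dump $Csr

# 3. Submit, supplying the template out-of-band as a request attribute.
#    'WebServer' is the template's internal name (display name "Web Server").
certreq -submit -attrib 'CertificateTemplate:WebServer' -config $CaConfig $Csr $Cert

# 4. If the CA is set to hold requests for manual approval, step 3 prints a
#    RequestId and leaves the request pending. Approve it on the CA and then
#    fetch the issued certificate by that id:
#    certutil -config $CaConfig -resubmit <RequestId>
#    certreq  -retrieve -config $CaConfig <RequestId> $Cert

# 5. Before uploading the result through the UCM Certificate Management page,
#    check that it chains to a root the clients trust and is not yet expired.
certutil -verify $Cert
```

<p class=MsoNormal>The web enrollment page only lists templates for which the requesting account has Enroll permission, so a template can be present in the CA's list from step 1 and still be hidden on the web page; that is worth checking before concluding the edition of Windows Server is the limiting factor. After the signed certificate is uploaded to UCM, the CTL client and service restarts quoted from the Security Guide above still apply.</p>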
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>ROZA, Ariel<br>
<b>Sent:</b> Tuesday, November 24, 2009 3:23 PM<br>
<b>To:</b> Carter, Bill; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] Self-Signed Certificates on CallManager</span><o:p></o:p></p>
<div id=idOWAReplyText8821>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Bill,</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>
Although not issued by a public CA, you can make your browser accept the
certificates of your CCM as valid and not display a warning.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>
Most modern browsers have an option to manually import the certificate into your
computer's local certificate store. You usually see this option when handling
an invalid certificate.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>
For example, in Internet Explorer 8, you can see the button "Certificate
invalid" beside the address bar after you click the option "Continue
to this website". If you click this button, you will see a dialog that
shows you the certificate in question and allows you to import it.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Keep
in mind that for the certificate to be recognized as valid, you would have to
access the CCM server via its hostname and not its IP address.</span><o:p></o:p></p>
</div>
</div>
<div id=idSignature77901>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=899
style='width:674.25pt'>
<tr style='height:34.5pt'>
<td valign=top style='padding:0in 0in 0in 0in;height:34.5pt'></td>
<td valign=top style='padding:0in 0in 0in 0in;height:34.5pt'></td>
</tr>
<tr style='height:.25in'>
<td width=17 valign=top style='width:12.75pt;padding:0in 0in 0in 0in;
height:.25in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
<td width=882 valign=top style='width:661.5pt;padding:0in 0in 0in 0in;
height:.25in'>
<div>
<p class=MsoNormal><strong><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#FF3300'>ARIEL ROZA</span></strong><span style='font-size:7.5pt;
font-family:"Verdana","sans-serif";color:#666666'><br>
</span><strong><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#333333'>Service Delivery Engineer</span></strong><o:p></o:p></p>
</div>
</td>
</tr>
<tr style='height:71.25pt'>
<td width=17 style='width:12.75pt;padding:0in 0in 0in 0in;height:71.25pt'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
<td width=882 style='width:661.5pt;padding:0in 0in 0in 0in;height:71.25pt'>
<div>
<p class=MsoNormal><strong><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#FF3300'>LOGICALIS</span></strong><span style='font-size:7.5pt;
font-family:"Verdana","sans-serif";color:#666666'><br>
</span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:black'>Peru 327 1° Piso - C.A.B.A. - Argentina - C1063ACH<br>
Tel/Fax: +54 (11) 4344-0300<br>
<u>ariel.roza@la.logicalis.com</u></span><span style='font-size:7.5pt;
font-family:"Verdana","sans-serif"'><br>
<u><span style='color:purple'>www.la.logicalis.com</span><span
style='color:#FF3300'><br>
</span><span style='color:purple'>www.logicalisnow.com</span></u></span><o:p></o:p></p>
</div>
</td>
</tr>
<tr style='height:46.5pt'>
<td style='padding:0in 0in 0in 0in;height:46.5pt'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
<td valign=top style='padding:0in 0in 0in 0in;height:46.5pt'>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:green'>Please consider the environment before printing this
email.</span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#666666'> <br>
</span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#333333'>This information is sent solely to the addressee and contains
CONFIDENTIAL or PRIVILEGED information.<br>
Modification, retransmission, distribution, copying or any other use of this
information by any means, by anyone other than the addressee, is strictly
prohibited.</span><o:p></o:p></p>
</td>
</tr>
</table>
</div>
</div>
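<p class=MsoNormal>The reply at the top of this thread (look at your Trusted Root, push out trust info) and Ariel's message above (import the certificate, use the hostname rather than the IP) turn on the same two checks: does the client trust the CA that signed the CCM certificate, and does the name typed in the address bar match what the certificate says? As an added example that is not part of either message, this PowerShell script installs the internal CA certificate machine-wide and then evaluates the CCM's certificate exactly as the client's trust store will, once by hostname and once by IP address. The host name, IP address and file path are placeholders; the script assumes a Windows client with .NET available to PowerShell.</p>

```powershell
# Added example (not from the list thread): trust the internal CA machine-wide,
# then report what a browser on this client will conclude about the CCM's
# certificate. Host name, IP address and file path are placeholders.

# 1. Trust the CA that signed the CCM certificate for every user on this machine,
#    instead of having each user click through the warning per browser profile.
#    For a fleet, publish the same file via Group Policy (Computer Configuration >
#    Windows Settings > Security Settings > Public Key Policies >
#    Trusted Root Certification Authorities).
certutil -addstore -f Root 'C:\certs\internal-root-ca.cer'   # placeholder path

# 2. Fetch the certificate the server presents and evaluate it the way the
#    client will: does the chain build to a trusted root, and does the target
#    we connected to appear among the names the certificate is valid for?
function Test-ServerCertificate {
    param([Parameter(Mandatory)][string]$Target, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    # Accept any certificate during the handshake: this is an inspection tool,
    # and the trust decision is made explicitly below with X509Chain.
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($Target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    # Chain validation against this machine's stores (the Root store we just populated).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal CA with no published CRL assumed
    $chainOk = $chain.Build($cert)

    # Names the certificate is valid for: Subject Alternative Name entries if the
    # extension is present, otherwise the subject CN. (Wildcards are not expanded.)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) {
        ($san.Format($true) -split "`r?`n") |
            ForEach-Object { ($_ -split '=')[-1].Trim() } |
            Where-Object { $_ }
    } else {
        @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }
    $nameOk = $names -contains $Target

    [pscustomobject]@{
        Target       = $Target
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        ValidNames   = $names -join ', '
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = $nameOk
    }
}

# Same server twice: by host name (what users should type) and by IP address.
# ChainTrusted should be $true for both once the root is installed; NameMatches
# will be $true only for the host name unless the certificate also lists the IP
# as a SAN entry, which is the point Ariel makes above.
Test-ServerCertificate -Target 'ccm-pub.example.local'   # placeholder host name
Test-ServerCertificate -Target '10.0.0.10'               # placeholder IP address
```

<p class=MsoNormal>Importing the CA's root certificate rather than the CCM's own leaf certificate means a later certificate renewal on the CCM does not send every user back through the warning dialog; the per-leaf "import this certificate" route Ariel describes works, but has to be repeated each time the server certificate changes.</p>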
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> Carter, Bill<br>
<b>Sent:</b> Sat 21/11/2009 19:52<br>
<b>To:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> [cisco-voip] Self-Signed Certificates on CallManager</span><o:p></o:p></p>
</div>
<div><pre style='WORD-WRAP: break-word'>I don't know much about certificates and CA....I understand web sites etc. that use SSL have registered their certificates with a CA. When we install CallManager it uses SSL with self-signed certificates. When web'ng into UCM the browsers display a certificate error. I believe this is because the certificate is not registered with a recognized CA.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>I understand, if an organization already has a business relationship with a CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to provide certificates on UCM that are registered with a CA so we don't get the browser errors? Or is it a requirement that the end user obtain valid certificates for their own servers? Like I said, I don't know the mechanics of how certificates work.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Thanks,<o:p></o:p></pre>
<pre>Bill<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>cisco-voip mailing list<o:p></o:p></pre>
<pre>cisco-voip@puck.nether.net<o:p></o:p></pre>
<pre>https://puck.nether.net/mailman/listinfo/cisco-voip<o:p></o:p></pre></div>
</div>
</body>
</html>