<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16915" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
color=#0000ff size=2>I've been working on just generating CSRs to use with my
own Microsoft CA server.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
color=#0000ff size=2>No need IMO for a public CA issuer, since nothing on your
UCM is going to be viewed by the general public anyway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
color=#0000ff size=2>From the UCM Security Guide for version
6.11:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=362235420-24112009><FONT face=Arial
size=2><FONT color=#0000ff></FONT>
<P align=left><B><FONT color=#0000ff><FONT size=5><SPAN
class=362235420-24112009>"</SPAN>Support for Certificates from External
CAs</FONT></FONT></P></B><FONT face="MNNKF M+ Times,Times" size=2><FONT
face="MNNKF M+ Times,Times" size=2>
<P align=left><FONT color=#0000ff>Cisco Unified Communications Manager supports
integration with third-party certificate authorities (CAs) by using a PKCS#10
certificate signing request (CSR) mechanism, which is accessible at the Cisco
Unified Communications Operating System Certificate Manager GUI. Customers who
currently use third-party CAs should use the CSR mechanism to issue certificates
for Cisco Unified Communications Manager, CAPF, IPSec, and Tomcat.</FONT></P>
<DIR>
<DIR>
<DIR>
<DIR>
<DIR></FONT></FONT><B><FONT size=1>
<P align=left><FONT color=#0000ff>Note</FONT></B></FONT><FONT face=Times
color=#0000ff>This release of Cisco Unified Communications Manager does not
provide SCEP interface support.</FONT></P></DIR></DIR></DIR></DIR></DIR>
<P align=left><FONT face=Times color=#0000ff>Cisco has verified the PKCS#10 CSR
support mechanism with these CAs: Keon and Microsoft. Cisco has not verified
certificate issuance with other external CAs that support PKCS#10
CSRs.</FONT></P>
<P align=left><FONT face=Times color=#0000ff>Be sure to run the CTL client after
you upload a third-party, CA-signed certificate to the platform to update the
CTL file. After running the CTL client, restart the appropriate service(s) for
the update; for example, restart Cisco CallManager and Cisco Tftp services when
you update the Cisco Unified Communications Manager certificate, restart CAPF
when you update the CAPF certificate, and so on. See "Configuring the Cisco CTL
Client" section on page 3-1 for the update procedure.</FONT></P>
<P><FONT face=Times color=#0000ff>For information on generating Certificate
Signing Requests (CSRs) at the platform, refer to the </FONT><I><FONT face=Times
color=#0000ff>Cisco Unified Communications Operating System Administration Guide
</FONT></I><FONT face=Times><FONT color=#0000ff>that supports this Cisco Unified
Communications Manager release.<SPAN
class=362235420-24112009>"</SPAN></FONT></FONT></P></FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>It looks
to me like I'll have to run the CTL Client after I install my CA
certificate.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>One
problem I'm having is that my CA is not showing the Web Server template at the
"http://mycaserver/cert.svc" URL.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>It's only
showing Basic EFS, IPSec, and User</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>I don't
know if I could use the User one.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>The Web
Server template appears in the .msc applet, but when I submit my CSR from within
the .msc, an error tells me that my CSR from UCM/tomcat
doesn't contain info about which template to use</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>(as I
could have selected from the web interface, if Web Server template was
available)</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>So I'm a
little stumped as to how to submit the CSR without an embedded
template.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>Some
people have said "Just upgrade to Server 2003 Enterprise" -- that's not an
option really -- costwise, I'm being told it's not that big a problem, and being
asked why Microsoft won't allow Standard to do this. Or I'm being told that
since you can get a CSR from IIS and do this with Standard 2003,
then Apache/tomcat on UCM should as well.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><SPAN class=362235420-24112009>And TAC
is no help -- they rarely understand Microsoft stuff -- and their test CAs are
all Enterprise.</SPAN></FONT></DIV>
<DIV align=left><FONT face=Arial size=2><SPAN
class=362235420-24112009></SPAN></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Tim Reimers</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>Systems Analyst II</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>Information Technology
Services</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>City of Asheville</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>70 Court Plaza</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>Asheville, NC 28801</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>phone - 828-259-5512</FONT></DIV>
<DIV align=left><FONT face=Arial size=2><A
href="mailto:timreimers@ashevillenc.gov">treimers@ashevillenc.gov</A></FONT></DIV>
<DIV> </DIV><BR>
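<DIV align=left><FONT face=Arial size=2>Added example, not part of this thread and not taken from Cisco or Microsoft documentation: the Windows-side steps for submitting an offline PKCS#10 CSR (such as the one exported from the UCM OS Administration certificate page) to a Microsoft CA when the request carries no template information, which is the error the certsrv MMC reports above. The CA configuration string, the file paths and the assumption that the WebServer template is published on the CA are placeholders. Two facts worth knowing when reading the output: the web enrollment page of an Enterprise CA lists only the templates for which the requesting account holds Enroll permission, and the default Web Server template grants Enroll to Domain Admins and Enterprise Admins only, so a template that is visible in the Certificate Templates console can still be absent from the web page for an ordinary user. Windows Server 2003 Standard Edition can host an Enterprise CA that issues version 1 templates, and Web Server is a version 1 template, so the edition by itself is not the blocker.</FONT></DIV>

```powershell
# Added example (not from the thread): submit an offline PKCS#10 CSR to a Microsoft
# Enterprise CA, naming the template explicitly because the CSR itself has no
# CertificateTemplate attribute. All names and paths below are placeholders.

$CaConfig = "CAHOST.example.local\Example-CA"   # placeholder: "<CA host FQDN>\<CA common name>"
$Csr      = "C:\certs\tomcat.csr"              # placeholder: CSR downloaded from the UCM OS Admin page
$Cert     = "C:\certs\tomcat.cer"              # placeholder: where the issued certificate is written

# 1. Inspect the request before sending it anywhere: confirm the subject is the
#    node's FQDN and note that no CertificateTemplate attribute is present
#    (this absence is what the MMC complains about for offline requests).
certutil -dump $Csr

# 2. List the templates this CA actually publishes. If WebServer is not in the
#    list, the CA is not configured to issue it; the web enrollment page filters
#    further by the caller's Enroll permission, so it can show fewer than this.
certutil -CATemplates -config $CaConfig

# 3. Submit the CSR, passing the template name as a request attribute.
#    -attrib is how a template is attached to a request that did not embed one.
#    The template's internal name is "WebServer" (display name "Web Server").
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $Csr $Cert

# 4. If the CA is set to hold requests for manager approval, certreq prints a
#    request ID instead of writing the file. After approval, retrieve it with:
#    certreq -retrieve -config $CaConfig <RequestId> $Cert

# 5. Check what came back before uploading it to UCM: the subject CN should match
#    the FQDN the browser will use (browsers validate the host name, not the IP
#    address), and the chain should build to your own CA root without errors.
certutil -dump $Cert
certutil -verify $Cert
```

<DIV align=left><FONT face=Arial size=2>The certreq -attrib switch is the standard way to issue against an Enterprise CA from a request that did not originate on a domain member; the MMC offers no equivalent field, which is why the submission there fails. Verifying the issued certificate's subject before uploading it matters because a certificate issued for a short host name or an IP address will still produce browser warnings when the server is reached by its FQDN.</FONT></DIV>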
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <B>On Behalf Of </B>ROZA,
Ariel<BR><B>Sent:</B> Tuesday, November 24, 2009 3:23 PM<BR><B>To:</B> Carter,
Bill; cisco-voip@puck.nether.net<BR><B>Subject:</B> Re: [cisco-voip] Self-Signed
Certificates on CallManager<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV id=idOWAReplyText8821 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Bill,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2> Although not issued by a Public CA,
you can make your browser accept the certificates of your CCM as valid, and not
display a warning.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2> Most modern browsers have an option
to manually import the certificate into your computer's local certificate store.
You usually see this option when handling an invalid certificate.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2> For example, in Internet Explorer 8,
you can see the button "Certificate invalid" beside the address bar after you
click the option "Continue to this website". If you click this button, you
will see a dialog that shows you the certificate in question and allows you to
import it.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Keep in mind that for the certificate to be
recognized as valid, you would have to access the CCM server via its hostname
and not its IP address.</FONT></DIV></DIV>
<DIV id=idSignature77901>
<DIV><FONT face=Arial color=#000000 size=2>
<TABLE cellSpacing=0 cellPadding=0 width=899 border=0>
<TBODY>
<TR>
<TD vAlign=top align=left height=46></TD>
<TD vAlign=top align=left height=46></TD></TR>
<TR>
<TD vAlign=top align=left width=17 height=24> </TD>
<TD vAlign=top align=left width=882 height=24>
<DIV><FONT face="Verdana, Arial, Helvetica, sans-serif"
size=2><STRONG><FONT color=#666666><FONT color=#ff3300 size=1>ARIEL
ROZA</FONT></FONT></STRONG><FONT color=#666666 size=1><BR><FONT
color=#333333><STRONG>Service Delivery
Engineer</STRONG></FONT></FONT></FONT></DIV></TD></TR>
<TR>
<TD width=17 height=95> </TD>
<TD vAlign=center width=882 height=95>
<DIV><FONT face="Verdana, Arial, Helvetica, sans-serif" color=#666666
size=1><FONT color=#ff3300 size=2><STRONG><FONT
size=1>LOGICALIS</FONT></STRONG></FONT><FONT size=1><BR><FONT
color=#000000><SPAN
style="FONT-SIZE: 7.5pt; COLOR: black; FONT-FAMILY: Verdana">Peru 327 1°
Piso - C.A.B.A. - Argentina -
C1063ACH<BR></SPAN></FONT></FONT></FONT><FONT
face="Verdana, Arial, Helvetica, sans-serif" color=#666666 size=1><FONT
size=1><FONT color=#000000>Tel/Fax: +54 (11)
4344-0300<BR><U>ariel.roza@la.logicalis.com</U></FONT></FONT></FONT><FONT
face="Verdana, Arial, Helvetica, sans-serif" size=1><BR><FONT
color=#ff3300><FONT
color=#800080><U>www.la.logicalis.com</U></FONT><U><BR><FONT
color=#800080>www.logicalisnow.com</FONT></U></FONT></FONT></DIV></TD></TR>
<TR>
<TD height=62> </TD>
<TD vAlign=top height=62><FONT
face="Verdana, Arial, Helvetica, sans-serif" color=#666666 size=1><FONT
color=#008000>Please consider the environment before printing this
email.</FONT> <BR><FONT color=#333333>This information is sent solely to
the addressee and contains CONFIDENTIAL or PRIVILEGED
information.<BR>Modification, retransmission, dissemination, copying or other
use of this information by any means, by persons other than the addressee, is
strictly prohibited.<BR></FONT></FONT></TD></TR></TBODY></TABLE></FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Carter, Bill<BR><B>Sent:</B> Sat
21/11/2009 19:52<BR><B>To:</B> cisco-voip@puck.nether.net<BR><B>Subject:</B>
[cisco-voip] Self-Signed Certificates on CallManager<BR></FONT><BR></DIV>
<DIV><PRE style="WORD-WRAP: break-word">I don't know much about certificates and CAs... I understand web sites etc. that use SSL have registered their certificates with a CA. When we install CallManager it uses SSL with self-signed certificates. When web'ng into UCM the browsers display a certificate error. I believe this is because the certificate is not registered with a recognized CA.
I understand, if an organization already has a business relationship with a CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to provide certificates on UCM that are registered with a CA so we don't get the browser errors? Or is it a requirement that the end user obtain valid certificates for their own servers? Like I said, I don't know the mechanics of how certificates work.
Thanks,
Bill
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
</PRE></DIV></BODY></HTML>