<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It looks like from my testing that the only way is to use the bulk certificate tool as Ryan mentioned. I installed signed certificates for TVS and Callmanager, and was unable to move a phone between both clusters.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:black'>Dennis Heim | Collaboration Solutions Architect</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:black'>World Wide Technology, Inc. | +1 314-212-1814<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><a href="https://twitter.com/CollabSensei"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";text-decoration:none'><img border=0 width=124 height=25 id="Picture_x0020_1" src="cid:image001.png@01CFB582.2FCE2A10" alt=twitter></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><a href="xmpp:dennis.heim@wwt.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=95 height=28 id="Picture_x0020_2" src="cid:image002.png@01CFB582.2FCE2A10" alt=chat></span></a><a href="tel:+13142121814"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=95 height=28 id="Picture_x0020_3" src="cid:image003.png@01CFB582.2FCE2A10" alt=Phone></span></a><a href="sip:dennis.heim@wwt.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=95 height=28 id="Picture_x0020_4" src="cid:image004.png@01CFB582.2FCE2A10" alt=video></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> bmeade90@gmail.com [mailto:bmeade90@gmail.com] <b>On Behalf Of </b>Brian Meade<br><b>Sent:</b> Monday, August 11, 2014 3:15 PM<br><b>To:</b> Heim, Dennis<br><b>Cc:</b> Ryan Ratliff (rratliff); cisco-voip voyp list<br><b>Subject:</b> Re: [cisco-voip] TVS & Signed Certificates<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>The important part is having the root CA uploaded as a CallManager-trust on all nodes on both clusters and having the CallManager.pem certificates CA-signed.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Aug 11, 2014 at 3:07 PM, Heim, Dennis <<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'>Ryan:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'>I installed enterprise signed certificates (TVS) on both clusters. However, the usual issue between moving phones between clusters is still there. Apparently that idea does not work.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><b><span style='font-size:10.0pt;color:black'>Dennis Heim | Collaboration Solutions Architect</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;color:black'>World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><a href="https://twitter.com/CollabSensei" target="_blank"><span style='text-decoration:none'><img border=0 width=124 height=25 id="_x0000_i1025" src="cid:image001.png@01CFB582.2FCE2A10" alt=twitter></span></a><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='color:#1F497D'><img border=0 width=95 height=28 id="_x0000_i1026" src="cid:image002.png@01CFB582.2FCE2A10" alt=chat></span><a href="tel:+13142121814" target="_blank"><span style='color:#1F497D;text-decoration:none'><img border=0 width=95 height=28 id="_x0000_i1027" src="cid:image003.png@01CFB582.2FCE2A10" alt=Phone></span></a><span style='color:#1F497D'><img border=0 width=95 height=28 id="_x0000_i1028" src="cid:image004.png@01CFB582.2FCE2A10" alt=video></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='color:black'> </span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Ryan Ratliff (rratliff) [mailto:<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>] <br><b>Sent:</b> Monday, August 11, 2014 9:48 AM<br><b>To:</b> Heim, Dennis<br><b>Cc:</b> cisco-voip voyp list<br><b>Subject:</b> Re: [cisco-voip] TVS & Signed Certificates<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Yes, but not by nature of the TVS cert itself being CA-signed. Since the TVS cert will get into the ITL who signs it doesn't matter. <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Why it may help is because TVS will authorize any cert in the local server's trust store. If the other certs (the ones the endpoint presents to TVS) are CA-signed and TVS has the root cert available then in theory any cert signed by that root cert will be authorized, regardless of whether the actual cert has been uploaded to UCM. <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This of course is an educated guess, and I'd thoroughly test it in the lab first.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Ryan <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Aug 8, 2014, at 8:15 PM, Heim, Dennis <<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If you used signed certificates by your enterprise CA for TVS, would that allow TVS to validate across multiple clusters if both clusters TVS certificates were signed by the same CA?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am trying to determine if there would ever be an advantage to doing a non-self signed certificate on the TVS.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><b><span style='font-size:10.0pt'>Dennis Heim | Collaboration Solutions Architect</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt'>World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><a href="https://twitter.com/CollabSensei" target="_blank"><span style='text-decoration:none'><image001.png></span></a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><image002.png><a href="tel:+13142121814" target="_blank"><span style='color:windowtext;text-decoration:none'><image003.png></span></a><image004.png><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>