Sep 20

Cisco Meeting Server – Part 3: Certificates

Certificates are the next step in the CMS deployment. From version 2.7 onwards it is mandatory that all certificates are signed by a CA. I've listed the functions below that we will generate CSRs for, with a brief description of how to generate each CSR. I find it easier to generate all CSRs from a single host and have the IT Administrator sign all the certificates, then distribute the keys and signed certificates to the appropriate CMS hosts.

I like to group certificates by function. Yes, you can just issue a single certificate, but I prefer to logically separate certificates by function.

The general command to run is “pki csr function_name CN:cms-host1.example.com subjectAltName:cms-host2.example.com,cms-host3.example.com”. This writes function_name.key (the private key) and function_name.csr on the server. Separate the subjectAltName entries with commas and no spaces, and if in doubt list the CN host name in subjectAltName as well, since browsers match on the SAN list rather than the CN.

Reboot each CMS Server after licenses have been applied.

Functions

WebAdmin – Standard certificate. I include ALL CMS servers, including the Edge (interface a) servers. Use the subjectAltName: attribute for the additional CMS servers.
Call Bridge – Standard certificate. I include only the CMS servers that will host conferences.
Database Server – Standard certificate. I include only the CMS servers that will share the database.
Database Client – Specific CN for the certificate: CN:postgres. Enter only this CN in the CSR, with no subjectAltName attribute.
XMPP Server – This certificate includes all CMS servers that will be members of the XMPP cluster. It also lists the domains for the organisation, including all domains in a multi-tenancy deployment.
Trunk – Standard certificate. Includes only the CMS servers that are members of the XMPP cluster.
Load Balancing – Standard certificate. I include only the Edge servers.

The Chain or Root Certificate

The Cert Bundle is the trusted CA chain. It is required when you attach a signed certificate to a component such as Web Admin. If there is only a single root CA, copy the root CA certificate to each CMS server via an SFTP client and simply reference it when activating a component. If there is also an intermediate CA, you will need to build a certificate bundle manually. Open the intermediate CA and root CA certificates (in their Base64 text form) in Notepad and paste them into a new text file in chain order: the intermediate certificate first, then the root certificate, so that the -----END CERTIFICATE----- line of one is immediately followed by the -----BEGIN CERTIFICATE----- line of the next with no blank line between them, and finish the file with a single newline. Save it as a “.cer” file, plain text without a byte-order mark, and do not include the server certificate itself in the bundle. Copy the bundle to the CMS server and reference it in place of the root certificate when activating components.
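Assembling the bundle in Notepad is where the mistakes creep in (Windows line endings, a UTF-8 BOM in front of the first block, a blank line between the blocks, no final newline, or the two files the wrong way round). The script below is an added example, not code from the original post or from Cisco: it reads the two CA certificates, checks with .NET that the root really is self-signed and really issued the intermediate, and writes the bundle in chain order (intermediate first, root last) as plain ASCII. The file names are assumptions; any PEM-encoded CA certificates will do.

```powershell
# Added example (not from the post): build a CMS certificate bundle from an intermediate
# and a root CA certificate in PEM form, and catch the usual Notepad formatting mistakes.
# File names below are assumptions for this example.
param(
    [string]$Intermediate = '.\intermediate.cer',
    [string]$Root         = '.\root.cer',
    [string]$Out          = '.\ca-bundle.cer'
)

function Get-PemBlocks {
    # Return every BEGIN/END CERTIFICATE block in a file, with CRLF normalised to LF,
    # a leading byte-order mark removed and surrounding whitespace trimmed.
    param([string]$Path)
    $text = (Get-Content -Path $Path -Raw) -replace "`r`n", "`n"
    $text = $text.TrimStart([char]0xFEFF)
    $pattern = '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Value.Trim() }
}

function ConvertFrom-PemBlock {
    # Decode one PEM block to DER and load it so the subject and issuer can be inspected.
    param([string]$Pem)
    $b64 = ($Pem -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
}

$interBlocks = @(Get-PemBlocks -Path $Intermediate)
$rootBlocks  = @(Get-PemBlocks -Path $Root)
if ($interBlocks.Count -ne 1 -or $rootBlocks.Count -ne 1) {
    throw "Expected exactly one certificate per input file (found $($interBlocks.Count) and $($rootBlocks.Count))"
}

$inter = ConvertFrom-PemBlock $interBlocks[0]
$root  = ConvertFrom-PemBlock $rootBlocks[0]

# Refuse to write a bundle that cannot be right: the root must be self-signed, the
# intermediate must not be, and the root must be the issuer of the intermediate.
if ($root.Subject -ne $root.Issuer)   { throw "$Root is not self-signed ($($root.Subject)); is it really the root?" }
if ($inter.Subject -eq $inter.Issuer) { throw "$Intermediate is self-signed; it is not an intermediate" }
if ($inter.Issuer -ne $root.Subject)  { throw "$Intermediate was issued by '$($inter.Issuer)', not by '$($root.Subject)'" }

# Chain order: intermediate first, root last, END line directly followed by the next
# BEGIN line, exactly one newline at the end of the file.
$bundle = (($interBlocks[0], $rootBlocks[0]) -join "`n") + "`n"

# ASCII encoding so no byte-order mark ends up in front of the first block.
$outPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Out)
[System.IO.File]::WriteAllText($outPath, $bundle, [System.Text.Encoding]::ASCII)
Write-Host "Wrote $outPath : $($inter.Subject) signed by $($root.Subject)"
```

Run it on the admin workstation before uploading; a bundle that passes these checks will still fail on the CMS if the server certificate was signed by a different intermediate, so compare the issuer shown by pki inspect on the signed certificate with the intermediate's subject.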

I use the FileZilla SFTP client to upload certificates and download CSRs and keys. All certificates, keys etc. are loaded into the root directory on each CMS server.

Run the command pki list to show the CSRs, keys and certificates on the server.

**NOTE: For a certificate to be shared among CMS servers, copy both the .key file and the signed certificate to every server that needs it. The .key file is the private key: transfer it only over SFTP, only to the servers that use that certificate, and remove the working copies from the admin workstation once they have been uploaded.

May 25

Calabrio QM / AQM Certificates

Certificates are a part of every UC install these days, even more so with the introduction of Finesse and third-party gadgets. I recently had to install a certificate for the Calabrio AQM server; rather than having you dig through their guides, I've listed the commands you'll need below. Have fun.

1. Create the certificate signing request.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -certreq -alias jetty -file jetty.csr -ext san=dns:tg2aqm10.topgun2.uplinx

2. Install the CA Root or Chain Certificates.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -trustcacerts -alias TG2PDC -file root-cer.cer

3. Install the signed certificate for the AQM Server.

"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -alias jetty -file jetty.cer

UPDATE: The -keysize option belongs to -genkeypair, not -certreq. The key length is fixed when the key pair is generated, so a CSR always carries the size of the key already under the alias. To use a longer key, generate a new key pair first (for example -genkeypair -keyalg RSA -keysize 2048) and then create the CSR from it.
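The three keytool steps above, as an added example that is not from the original post or from Calabrio: it runs them from PowerShell with the checks worth doing around each one, namely that the alias really holds a private key of adequate size before the CSR is made, that the CA certificate is imported without the interactive trust prompt, that the signed certificate is imported under the same alias as the key, and that the resulting entry carries a chain and the expected SAN. The keystore path and the jetty alias are the ones the post uses; the host name, CA alias and file names are assumptions.

```powershell
# Added example (not from the post, not Calabrio tooling): the keytool steps with checks.
$Keytool  = 'C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe'
$Keystore = 'C:\Program Files\Common Files\QM\config\.keystore'
$Alias    = 'jetty'                        # the key entry Jetty serves from
$Fqdn     = 'tg2aqm10.topgun2.uplinx'      # assumption: the AQM server's FQDN
$CaAlias  = 'TG2PDC'                       # assumption: alias for the CA certificate
$StorePass = Read-Host -Prompt 'Keystore password'   # keep it out of scripts and shell history

function Invoke-Keytool {
    # Run keytool with the common keystore arguments, return its output, stop on failure.
    param([string[]]$KeytoolArgs)
    $output = & $Keytool -keystore $Keystore -storepass $StorePass @KeytoolArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed:`n$output" }
    return $output
}

# 0. The CSR is signed with the key already stored under the alias, so confirm it exists.
#    -keysize only applies to -genkeypair: a longer key means a new key pair and a new
#    CSR, not an extra flag on -certreq.
$entry = Invoke-Keytool @('-list', '-v', '-alias', $Alias)
if ($entry -notmatch 'PrivateKeyEntry') { throw "Alias '$Alias' is not a private key entry; generate a key pair first" }
if ($entry -match '(\d+)-bit RSA key' -and [int]$Matches[1] -lt 2048) {
    Write-Warning "Key under '$Alias' is $($Matches[1]) bits; regenerate with -genkeypair -keysize 2048 before requesting a certificate"
}

# 1. CSR with the host name as a SAN (browsers match the SAN list, not the CN).
Invoke-Keytool @('-certreq', '-alias', $Alias, '-file', 'jetty.csr', '-ext', "san=dns:$Fqdn") | Out-Null
Write-Host 'jetty.csr written; send it to the CA and run the remaining steps once jetty.cer is back.'

# 2. The CA certificate. Every issuer in the chain (intermediates included) must be in the
#    keystore before the reply is imported, or keytool answers "Failed to establish chain".
#    -noprompt suppresses the interactive "Trust this certificate?" question.
Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt', '-alias', $CaAlias, '-file', 'root-cer.cer') | Out-Null

# 3. The signed certificate goes in under the SAME alias as the key: keytool treats it as
#    the reply to that key's request and replaces the certificate attached to the key.
Invoke-Keytool @('-importcert', '-alias', $Alias, '-file', 'jetty.cer') | Out-Null

# 4. Check the result: the entry should now carry a chain (server cert plus CA) and the SAN.
$after = Invoke-Keytool @('-list', '-v', '-alias', $Alias)
if ($after -match 'Certificate chain length: (\d+)' -and [int]$Matches[1] -lt 2) {
    throw "Chain length is $($Matches[1]); the reply was not linked to the CA certificate"
}
if ($after -notmatch [regex]::Escape($Fqdn)) { Write-Warning "SAN $Fqdn not found in the installed certificate" }
Write-Host "Certificate installed under '$Alias'; Jetty picks it up after the service is restarted."
```

Steps 2 to 4 only make sense once the signed certificate has come back from the CA, so in practice the script is run twice, or split at the comment after step 1.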

Jun 15

Adding Certificates to your UC Environment

Certificates are essential for a smoothly operating UC environment. Most organisations have an internal Certificate Authority, and most of these are Microsoft CA servers, so it comes in handy to know a little about the MS certificate architecture and enrolment processes.

I’ll run through how to apply a certificate to a Cisco UC Application Server.

1. Browse to the Cisco Unified OS Administration page, then navigate to Security -> Certificate Management.
2. Select Generate CSR. A signing request window appears; check the information (the certificate purpose is “tomcat” and the Common Name should be the server's FQDN) and then select Generate. After the CSR has been generated, close the window.
3. Select Download CSR, choose the “tomcat” purpose and save the CSR to your PC.

Sometimes I come across CAs that do not allow URL (web enrolment) signing, or whose enrolment URLs do not work properly. So I always try to gain console/RDP access to the CA server and sign the CSR from the command line.

4. Transfer the CSR file to the CA server.
5. Log onto the CA server. Again, you may need to request login rights from the Network Administrator.
6. Open a command prompt and type the following:
certreq -submit -attrib "CertificateTemplate:WebServer" cucm01.csr
We are signing the CSR using the Web Server template.
7. Select the CA server to use when prompted.
8. Save the newly created certificate as a .cer file.
9. While still on the CA server, open the Certificates MMC and export the CA's own certificate. We will need it as a trust certificate.
10. Save the CA certificate in the same location as the server certificate.
11. Transfer the two certificates to your PC.
12. We will now upload the two certificates to the CUCM server. The CA's certificate goes first: it is the trust certificate, and CUCM will not accept a server certificate whose issuer it does not already trust. If an intermediate CA signed the certificate, upload the intermediate certificate as tomcat-trust as well.
13. Select Upload Certificate, choose “tomcat-trust”, browse to the CA's certificate and select Upload.
14. Now upload the actual server certificate: change the type to “tomcat”, browse to the server certificate and select Upload.
15. You should see the two certificates under Certificate Management.
16. Restart the Tomcat service from the CLI (utils service restart Cisco Tomcat) so that the new certificate is served.
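The CA-side part of that procedure (steps 6 to 10) can be done without clicking through the CA picker or the MMC. The script below is an added example, not from the original post or from Cisco or Microsoft: it submits the CSR against an explicit CA, handles a request the template leaves pending for manager approval, exports the CA certificate with certutil instead of the MMC, and inspects what was issued (issuer, expiry, SAN) before anything is uploaded to CUCM. The CA config string, file names and the WebServer template name are assumptions for the example.

```powershell
# Added example (not from the post): steps 6-10 from PowerShell on the Windows CA host.
$CaConfig = 'ca01.example.com\Example-Issuing-CA'   # assumption: "<host>\<CA name>"; certutil -dump shows it
$Csr      = '.\cucm01.csr'
$Cert     = '.\cucm01.cer'                           # the "tomcat" upload
$CaCert   = '.\example-ca.cer'                       # the "tomcat-trust" upload
$Template = 'WebServer'

# 1. Submit the CSR against an explicit CA so certreq does not open the CA picker dialog.
#    The second file argument makes certreq write the issued certificate straight to disk.
$submit = & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Csr $Cert 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed:`n$submit" }

# 2. A template that requires CA manager approval leaves the request pending ("Taken Under
#    Submission"). Approve it and retrieve by request ID rather than submitting again.
if ($submit -match 'pending' -and $submit -match 'RequestId:\s*(\d+)') {
    $id = $Matches[1]
    Write-Host "Request $id is pending; approving and retrieving it"
    & certutil.exe -config $CaConfig -resubmit $id | Out-Null        # needs CA manager rights
    & certreq.exe -retrieve -config $CaConfig $id $Cert | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed for request $id" }
}

# 3. The CA's own certificate, pulled directly from the CA instead of the Certificates MMC.
& certutil.exe -config $CaConfig -ca.cert $CaCert | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed' }

# 4. Look at what was issued before it goes anywhere near CUCM: the issuer must match the
#    CA certificate that will be uploaded as tomcat-trust, and there should be a SAN.
$issued = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Cert).Path)
$issuer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CaCert).Path)
if ($issued.Issuer -ne $issuer.Subject) {
    throw "$Cert was issued by '$($issued.Issuer)', not by the exported CA certificate '$($issuer.Subject)'; an intermediate CA may be involved, upload its certificate as tomcat-trust too"
}
$san = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
"Subject : $($issued.Subject)"
"Issuer  : $($issued.Issuer)"
"Expires : $($issued.NotAfter)"
"SAN     : $(if ($san) { $san.Format($false) } else { '(none: browsers match the SAN list, not the CN)' })"
```

The issuer check is the one that saves a support call: when it fails, the tomcat upload on CUCM fails too, because CUCM needs every certificate in the chain present as tomcat-trust before it will accept the server certificate.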