
Mailing List Archive: Cisco: VOIP

Self-Signed Certificates on CallManager

 

 



bcarter at sentinel

Nov 21, 2009, 1:52 PM

Post #1 of 7 (1811 views)
Permalink
Self-Signed Certificates on CallManager

I don't know much about certificates and CA....I understand web sites etc. that use SSL have registered their certificates with a CA. When we install CallManager it uses SSL with self-signed certificates. When web'ng into UCM the browsers display a certificate error. I believe this is because the certificate is not registered with a recognized CA.

I understand, if an organization already has a business relationship with a CA, a "valid" certificate can be loaded on UCM. Is it possible for Cisco to provide certificates on UCM that are registered with a CA so we don't get the browser errors? Or is it a requirement that the end user obtain valid certificates for their own servers? Like I said, I don't know the mechanics of how certificates work.

Thanks,
Bill


_______________________________________________
cisco-voip mailing list
cisco-voip [at] puck
https://puck.nether.net/mailman/listinfo/cisco-voip


swalberg at gmail

Nov 21, 2009, 2:13 PM

Post #2 of 7 (1773 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

An SSL certificate says that the signer has verified that the subject of the
certificate is who they claim to be. So when I register a certificate for
secure.example.com through Verisign, anyone with the Verisign root
certificate can both verify the validity of the certificate, and can accept
that they are connecting to secure.example.com. If I try to use the same
certificate on somewhatsecure.example.com, the certificate validation would
fail because the subject of the certificate is not the same as the one I'm
connecting to.

A web browser ships with a set of trusted root certificates, so for a
presented certificate to be verified, it has to be signed with one of those
keys (or an intermediate CA that's bundled with the presented cert, but
that's a more complex example).

With that in mind, all certificates are "valid", the only question is "does
the browser trust the person that signed the key?". In the case of a self
signed certificate, the answer is initially "no".

For UCM to ship with a certificate that doesn't cause warnings:

1. The certificate on the box would have to come from a trusted CA.
2. The certificate would have to have the name or IP of the server in it
before being signed.
3. Cisco would have to take responsibility for the issuing and revoking of
the certificates.

#1 isn't insurmountable through the use of Intermediate CAs.
#2 is a huge logistical problem. You'd have to have the certificate
generated before you installed, or get Cisco to issue a new certificate
after you named the server.
#3 is a huge liability problem for Cisco.

Put your security hat on for a moment and wonder what steps Cisco would have
to go through to prevent someone from ordering a server called
"secure.bankofamerica.com" :)

The Microsoft CA isn't that bad, you can generate your own certificates and
push out the internal root CA cert through a GPO.

Sean





--
Sean Walberg <sean [at] ertw> http://ertw.com/


bcarter at sentinel

Nov 21, 2009, 2:22 PM

Post #3 of 7 (1777 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

Great explanation. Thanks!





Ariel.ROZA at la

Nov 24, 2009, 12:20 PM

Post #4 of 7 (1724 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

Bill,

Although not issued by a public CA, you can make your browser accept the certificates of your CCM as valid, and not display a warning.
Most modern browsers have an option to manually import the certificate into your computer's local certificate store. You usually see this option when handling an invalid certificate.

For example, in Internet Explorer 8, you can see the button "Certificate invalid" beside the address bar after you click the option "Continue to this website". If you click this button, you will see a dialog that shows you the certificate in question and allows you to import it.

Keep in mind that for the certificate to be recognized as valid, you would have to access the CCM server via its hostname and not its IP address.

ARIEL ROZA
Service Delivery Engineer
LOGICALIS
Peru 327 1° Piso - C.A.B.A. - Argentina - C1063ACH
Tel/Fax: +54 (11) 4344-0300
ariel.roza [at] la
www.la.logicalis.com
www.logicalisnow.com


treimers at ashevillenc

Nov 24, 2009, 1:02 PM

Post #5 of 7 (1723 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

I've been working on just generating CSRs to use with my own Microsoft CA server.

No need IMO for a public CA issuer, since nothing on your UCM is going to be viewed by the general public anyway.

From the UCM Security Guide for version 6.11:
"Support for Certificates from External CAs

Cisco Unified Communications Manager supports integration with third-party certificate authorities (CAs) by using a PKCS#10 certificate signing request (CSR) mechanism, which is accessible at the Cisco Unified Communications Operating System Certificate Manager GUI. Customers who currently use third-party CAs should use the CSR mechanism to issue certificates for Cisco Unified Communications Manager, CAPF, IPSec, and Tomcat.

Note: This release of Cisco Unified Communications Manager does not provide SCEP interface support.

Cisco has verified the PKCS#10 CSR support mechanism with these CAs: Keon and Microsoft. Cisco has not verified certificate issuance with other external CAs that support PKCS#10 CSRs.

Be sure to run the CTL client after you upload a third-party, CA-signed certificate to the platform to update the CTL file. After running the CTL client, restart the appropriate service(s) for the update; for example, restart Cisco CallManager and Cisco Tftp services when you update the Cisco Unified Communications Manager certificate, restart CAPF when you update the CAPF certificate, and so on. See "Configuring the Cisco CTL Client" section on page 3-1 for the update procedure.

For information on generating Certificate Signing Requests (CSRs) at the platform, refer to the Cisco Unified Communications Operating System Administration Guide that supports this Cisco Unified Communications Manager release."


It looks to me like I'll have to run the CTL Client after I install my CA certificate.

One problem I'm having is that my CA is not showing the Web Server template at the "http://mycaserver/cert.svc" URL
It's only showing Basic EFS, IPSec, and User
I don't know if I could use the User one.

The Web Server template appears in the .msc applet, but when I submit my CSR from within the .msc, an error tells me that my CSR from UCM/tomcat doesn't contain info about which template to use
(as I could have selected from the web interface, if Web Server template was available)

So I'm a little stumped as to how to submit the CSR without an embedded template.

Some people have said "Just upgrade to Server 2003 Enterprise" --- that's not an option really -- costwise, I'm being told it's not that big a problem, and being asked why Microsoft won't allow Standard to do this. Or I'm being told that since you can get a CSR from IIS and do this with Standard 2003, then Apache/tomcat on UCM should as well.

And TAC is no help -- they rarely understand Microsoft stuff -- and their test CAs are all Enterprise.



Tim Reimers
Systems Analyst II
Information Technology Services
City of Asheville
70 Court Plaza
Asheville, NC 28801
phone - 828-259-5512
treimers [at] ashevillenc <mailto:timreimers [at] ashevillenc>
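
The trust decisions discussed in this thread (a self-signed certificate rejected until it is imported, a PKCS#10 CSR signed by an internal CA, and access by a different name or by IP address) can be reproduced offline with the openssl command line. This is an added example, not part of any poster's message or of Cisco's documentation; the host name, IP address and CA name are constructed, and it assumes OpenSSL 1.1.0 or later.

```sh
#!/bin/sh
# Added lab example: every name, address and file below is constructed.
HOST=ucm-pub.corp.example            # hypothetical UCM server hostname
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_pki() {
  # Internal root CA, standing in for the organisation's own CA server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Self-signed server certificate: the state right after installation.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
  # PKCS#10 CSR: the server keeps srv.key and hands only srv.csr to the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  # The CA signs the CSR. The name goes into subjectAltName as well,
  # because current clients match on SAN rather than on the CN.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -days 30 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

# verdict CERT STORE [extra "openssl verify" options]
# Prints "trusted" if CERT chains to a certificate in STORE and passes
# any extra name check, otherwise "rejected".
verdict() {
  cert=$1; store=$2; shift 2
  if openssl verify -CAfile "$store" "$@" "$cert" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

build_pki
echo "self-signed, store holds only the internal root : $(verdict "$WORK/self.pem" "$WORK/ca.pem")"
echo "self-signed, certificate imported into the store: $(verdict "$WORK/self.pem" "$WORK/self.pem")"
echo "CA-signed, store lacks the internal root        : $(verdict "$WORK/srv.pem" "$WORK/self.pem")"
echo "CA-signed, internal root pushed to the store    : $(verdict "$WORK/srv.pem" "$WORK/ca.pem")"
echo "CA-signed, reached as $HOST     : $(verdict "$WORK/srv.pem" "$WORK/ca.pem" -verify_hostname "$HOST")"
echo "CA-signed, reached as ucm-sub.corp.example      : $(verdict "$WORK/srv.pem" "$WORK/ca.pem" -verify_hostname ucm-sub.corp.example)"
echo "CA-signed, reached as 10.0.0.5                  : $(verdict "$WORK/srv.pem" "$WORK/ca.pem" -verify_ip 10.0.0.5)"
```

The same certificate is accepted or rejected depending only on what the client's trust store contains and on the name used to reach the server, which is why pushing the internal root to clients removes the warning without involving a public CA.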




jason.aarons at us

Nov 24, 2009, 1:16 PM

Post #6 of 7 (1767 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

The question is does your browser trust whatever certificate you put in your CallManager. If you don't use something trusted by your browser (doesn't have to be public) then you'll need to look at your Trusted Root and/or push out trust info, or have end users manually accept the certificate (which in a large network would be realistic).





treimers at ashevillenc

Nov 24, 2009, 1:18 PM

Post #7 of 7 (1722 views)
Permalink
Re: Self-Signed Certificates on CallManager [In reply to]

Given that they're all domain-joined machines, and the CA server is a DC, then yes, all domain workstations should trust a certificate offered by the tomcat server and signed by their own DC.
Same as with using Outlook Web Access on IIS.

I'm just having trouble getting the CSR to be enrolled to get a certificate back to import into the tomcat server on UCM.


Tim Reimers
Systems Analyst II
Information Technology Services
City of Asheville
70 Court Plaza
Asheville, NC 28801
phone - 828-259-5512
treimers [at] ashevillenc <mailto:timreimers [at] ashevillenc>

