Cisco TelePresence Video Communication Server (VCS)

Secure SIP Trunk between CUCM and VCS Configuration Example

Document ID: 116730

Updated: Nov 12, 2013

Contributed by Kristof Van Coillie, Cisco TAC Engineer.



This document describes how to set up a secure Session Initiation Protocol (SIP) connection between the Cisco Unified Communications Manager (CUCM) and the Cisco TelePresence Video Communication Server (VCS).

The CUCM and VCS are closely integrated. Because video endpoints can be registered either on the CUCM or the VCS, SIP trunks must exist between the devices.



Cisco recommends that you have knowledge of these topics:

  • Cisco Unified Communications Manager
  • Cisco TelePresence Video Communication Server
  • Certificates

Components Used

This document is not restricted to specific software and hardware versions. This example uses Cisco VCS software version X7.2.2 and CUCM version 9.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Ensure that the certificates are valid, add the certificates to the CUCM and VCS servers so that they trust each other's certificates, then establish the SIP trunk.

Network Diagram


Obtain VCS Certificate

By default, all VCS systems come with temporary certificate. On the admin page, navigate to Maintenance > Certificate management > Server certificate. Click Show server certificate, and a new window opens with the raw data of the certificate:


This is an example of the raw certificate data:


You can decode the certificate and see the certificate data through the use of OpenSSL on your local PC or the use of an online certificate decoder such as SSL Shopper :


Generate and Upload VCS Self-Signed Certificate

Because every VCS server has a certificate with the same Common Name, you need to put new certificates on the server. You can choose to use self-signed certificates or certificates signed by the Certificate Authority (CA). See the Cisco TelePresence Certificate Creation and Use With Cisco VCS Deployment Guide for details of this procedure.

This procedure describes how to use the VCS itself to generate a self-signed certificate, then upload that certificate:

  1. Log in as root to the VCS, start OpenSSL, and generate a private key:

    ~ # openssl
    OpenSSL> genrsa -out privatekey.pem 1024
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
  2. Use this private key in order to generate a certificate signing request (CSR):

    OpenSSL> req -new -key privatekey.pem -out certcsr.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:BE
    State or Province Name (full name) [Some-State]:Vlaams-Brabant
    Locality Name (eg, city) []:Diegem
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
    Organizational Unit Name (eg, section) []:TAC
    Common Name (e.g. server FQDN or YOUR name) []
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    OpenSSL> exit
  3. Generate the self-signed certificate:

    ~ # openssl x509 -req -days 360 -in certcsr.pem -signkey privatekey.pem -out vcscert.pem
    Signature ok
    Getting Private key
    ~ #
  4. Confirm that the certificates are now available:

    ~ # ls -ltr *.pem
    -rw-r--r-- 1 root root 891 Nov 1 09:23 privatekey.pem
    -rw-r--r-- 1 root root 664 Nov 1 09:26 certcsr.pem
    -rw-r--r-- 1 root root 879 Nov 1 09:40 vcscert.pem
  5. Download the certificates with WinSCP , and upload them on the webpage so the VCS can use the certificates; you need the both private key and the generated certificate:


  6. Repeat this procedure for all VCS servers.

Add Self-Signed Certificate from CUCM Server to VCS Server

Add the certificates from the CUCM servers so that the VCS will trust them. In this example, you are using the standard self-signed certificates from CUCM; CUCM generates self-signed certificates during installation so you do not need to create those as you did on the VCS.

This procedure describes how to add a self-signed certificate from the CUCM server to the VCS server:

  1. Download the CallManager.pem certificate from the CUCM. Log into the OS Administration page, navigate to Security > Certificate Management, then select and download the self-signed CallManager.pem certificate:


  2. Add this certificate as a trusted CA certificate on the VCS.On the VCS, navigate to Maintenance > Certificate management > Trusted CA certificate, and select Show CA certificate:


    A new window opens with all certificates that are currently trusted.

  3. Copy all of the currently trusted certificates to a text file. Open the CallManager.pem file in a text editor, copy its content, and add that content to the bottom of the same text file after the currently trusted certificates:

    -----END CERTIFICATE-----
    If you have multiple servers in the CUCM cluster, add all of them here.

  4. Save the file as CATrust.pem, and click Upload CA certificate in order to upload the file back to the VCS:


    The VCS will now trust the certificates offered by CUCM.

  5. Repeat this procedure for all VCS servers.

Upload Certificate from VCS Server to CUCM Server

The CUCM needs to trust the certificates offered by the VCS.

This procedure describes how to upload the VCS certificate you generated on the CUCM as a CallManager-Trust certificate:

  1. On the OS Administration page, navigate to Security > Certificate Management, enter the certificate name, browse to its location, and click Upload File:


  2. Upload the certificate from all VCS servers. Do this on every CUCM server that will communicate with the VCS; this is typically all nodes that are running the CallManager Service.

SIP Connection

Once certificates are validated and both systems trust each other, configure the Neighbor Zone on VCS and the SIP Trunk on CUCM. See the Cisco TelePresence Cisco Unified Communications Manager with Cisco VCS (SIP Trunk) Deployment Guide for details of this procedure.


Confirm that the SIP connection is active in the Neighbor Zone on VCS:



There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Nov 12, 2013
Document ID: 116730