Unified Communications Manager: Install a Trusted (SSL) Certificate

Introduction

This document describes how to create and install a trusted SSL certificate so that users who access https://<node>/ccmuser do not receive a certificate error.

Prerequisites

Requirements

Cisco recommends that you have knowledge of Cisco Unified Communications Manager 7.x.

Components Used

The information in this document is based on Cisco Unified Communications Manager 7.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

HTTPS (tomcat_cert) Certificate

Cisco uses self-signed certificates in Cisco Unified Communications Manager servers by default. Unless this self-signed certificate is loaded into the browser used to view the Cisco Unified Communications Manager web page, a certificate security message appears in the browser. In order to prevent the error caused by this default behavior, you can change from a self-signed certificate to a Certificate Authority (CA) signed certificate. As long as the CA root certificate used to sign the new Cisco Unified Communications Manager tomcat certificate is trusted by the web browser, no security message appears. In addition, users need to ensure they access the server with the same host name that is present in the CA signed certificate.

The steps in this document explain how to change from a self-signed certificate to a CA Signed Certificate.

Install Certificate Authority Signed Certificate for Tomcat

Certificates are based on names. You must make sure that the names are correct before you generate a Certificate Signing Request (CSR). From the SSH CLI, use the admin: show web-security command. This command displays the contents of the current web-security certificate. Verify the hostname and the subject alternative name (SAN) so that the correct name is given when you generate the CSR.

Refer to CUCM Uploading CCMAdmin Web GUI Certificates for more information.

Now, you must generate a Certificate Signing Request (CSR) from Cisco Unified Communications Manager. Complete these steps:

  1. Log into the Cisco Unified Communications Manager OS Administration page.

  2. Choose Security > Certificate Management.

    The Certificate List window displays.

  3. Click the Generate CSR button.

    The Generate Certificate Signing Request dialog box appears.

  4. Choose the tomcat service from the Certificate Name drop-down list, and click the Generate CSR button.

  5. Once the certificate is generated, the status message shows Success: Certificate Signing Request Generated.


Download Certificate Signing Request (CSR)

Next, from the same browser window that you generated the Certificate Signing Request (CSR), download the certificate. Complete these steps:

  1. Click Download CSR.

    The Download Certificate Signing Request dialog box appears.

  2. Choose tomcat to download, and click Download CSR.

  3. Save this file to your local computer. You must send this file to authorities who can sign your certificate.

If you want the certificate to be issued by the Microsoft CA, complete these steps. Otherwise, you can get the CSR signed by the Certificate Authority (CA) that provides you with your certificates.

Get Signed Certificate for CSR from CA

You must take the CSR, load it into the Microsoft CA, and have it signed as an Internet certificate. Once you do this, you get a new signed certificate file (*.cer) whose certification path shows the Microsoft CA as the trusted root, not the Cisco Unified Communications Manager. Complete these steps in order to submit the CSR to the CA if your CA is a Windows 2003 Server.

  1. Open the CSR file you downloaded in the previous step in Notepad and copy the entire contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

  2. Go to http://<certificate server address>/certsrv in order to open the Certificates Server web page.

  3. Click Request a certificate.

    The Request a Certificate web page appears.

  4. Click the Advanced certificate request link.

    The Advanced Certificate Request web page appears.

  5. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.

    The Submit a Certificate Request or Renewal Request web page appears.

  6. Paste the content you copied in step 1 into the Saved Request field, choose Web Server in the Certificate Template drop-down list, and click Submit.

    The Certificate Issued web page appears.

  7. On the Certificate Issued web page, click the DER encoded radio button, and then click Download certificate.

  8. Save the file to your local computer.

    Note: Repeat these steps in order to request and download the other certificates. Once you complete these steps, all certificates are stored on your local computer.

Upload the Certificate to Cisco Unified Communications Manager

In order to establish a certificate chain, obtain and install the root/intermediate certificates for the CA and the SSL certificate for tomcat. Complete these steps in order to upload the certificate to Cisco Unified Communications Manager:

  1. Log into the Cisco Unified Communications Manager OS Administration page.

  2. Choose Security > Certificate Management.

    The Certificate List window displays.

  3. Click the Upload Certificate button.

  4. Make sure the certificate type is tomcat-trust.

  5. Click the Browse button in order to locate the root certificate.

    Note: The name of the uploaded file is UC-DC_PEM.cer. This is a Base64 encoded PEM file. Once it gets uploaded to Cisco Unified Communications Manager, the filename is UC-DC.pem. Cisco Unified Communications Manager changes the name of the file to <SUBJECT CN>.pem.

  6. Click the Upload File button in order to upload the certificate.

  7. On the same upload certificate page, choose tomcat for the Certificate name.

  8. Enter UC-DC.pem in the Root Certificate field.

    Note: This is the identity certificate issued by the CA. Specify the .pem root certificate in order to complete the certificate chain. You must enter UC-DC.pem because the root certificate you uploaded as UC-DC_PEM.cer is stored on the server as UC-DC.pem.

  9. Click the Upload File button.

    Note: If you are unable to update the SSL certificate tomcat-trust, refer to Cisco bug ID CSCsv32209 (registered customers only).
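The checks below, added here as an example that is not part of the Cisco document, use the openssl command-line tool on the downloaded files before they are uploaded: they convert the DER download to the Base64 PEM form the upload expects, print the subject CN that Unified CM will use as the stored <SUBJECT CN>.pem name for the Root Certificate field, and confirm that the tomcat certificate chains to the root and carries the host name users will type in the browser. The file names tomcat.der, tomcat.cer and root.cer are assumed.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: pre-upload checks with the
# openssl command-line tool on the files produced by the procedure above.
# Assumed (hypothetical) file names:
#   tomcat.der  - the "DER encoded" certificate downloaded from the CA
#   tomcat.cer  - the same certificate as Base64 PEM, the form the upload reads
#   root.cer    - the CA root certificate in Base64 PEM (e.g. UC-DC_PEM.cer)

# Convert the DER download to Base64 PEM with a .cer extension. The
# troubleshooting entry below reports "Unable to read CA certificate" when the
# uploaded file is not in this form.
der_to_pem_cer() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Print the subject CN of a PEM certificate. Unified CM stores an uploaded
# tomcat-trust certificate as <SUBJECT CN>.pem, so this is the name that goes
# into the Root Certificate field (UC-DC.pem in the document's example).
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the tomcat certificate chains to the root AND the host name
# users will type into the browser appears in it, either as the subject CN or
# as a subjectAltName dNSName (the document's "same host name" requirement).
check_tomcat_cert() {
    host="$1"; cert="$2"; root="$3"
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || return 1
    [ "$(subject_cn "$cert")" = "$host" ] && return 0
    openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host(,|\$)"
}

# Usage: sh check_tomcat.sh <hostname users type in the browser>
if [ -n "$1" ]; then
    der_to_pem_cer tomcat.der tomcat.cer
    echo "Root Certificate field value: $(subject_cn root.cer).pem"
    if check_tomcat_cert "$1" tomcat.cer root.cer; then
        echo "OK: tomcat.cer chains to root.cer and names $1"
    else
        echo "FAIL: chain or host name mismatch for $1"; exit 1
    fi
fi
```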

Restart Tomcat

Restart Tomcat from SSH CLI with this command:

admin: utils service restart Cisco Tomcat

When Tomcat restarts, you can access the CCMAdmin or CCMUser GUI in order to verify your newly added certificate is in use.

Troubleshoot

Problem

This error message is received when uploading the new Tomcat Certificate:

Unable to read CA certificate

Solution

This problem occurs when you upload the certificate after changing the file extension from .crt to .pem. Make sure that the file you upload has the .cer extension. For example, the name of the uploaded file is UC-DC_PEM.cer. This is a Base64 encoded PEM file. Once it gets uploaded to Cisco Unified Communications Manager, the filename is UC-DC.pem.

Problem

The new ITL files fail because the regenerated files do not match the ITL file stored on the phones, and device authentication of the configuration files fails.

Solution

In order to delete the ITL files manually, refer to Delete ITL File. Another possible workaround is to enable cluster security using the CTL files and USB eTokens. With cluster security enabled, none of the workarounds below need to be applied, because trust is maintained by the eTokens, which are not changed during a hostname change.

If cluster security is not enabled, perform the next steps based on the number of servers in your cluster.

Single Server Cluster Scenario

Enable rollback before you make the IP/Hostname change. Complete these steps:

  1. Set the CM Prepare Cluster for Rollback to pre-8.0 Enterprise Parameter to True.

  2. Restart TVS and TFTP.

  3. Reset all phones.

    The phones download a special ITL file that contains empty TVS/TFTP certificate sections.

  4. Verify the empty ITL file on the phone under Settings > Security > Trust List > ITL. The TVS and TFTP sections should be empty.

  5. Perform the IP/Hostname change and allow the phones configured for rollback to register to the cluster.

  6. Once all phones have successfully registered, set Prepare Cluster for Rollback to pre-8.0 to False. Then, restart TVS and TFTP, and reset all phones.

Multi-Server Scenario

This is primarily an issue only when all servers are changed at once, without phone resets and a successful TFTP transaction in between. In a multi-server deployment, the phones must have primary and secondary TVS servers in order to validate the newly regenerated certificates / ITL. If a phone cannot contact the primary TVS server (due to a recent configuration change), it falls back to the secondary. The TVS servers are identified by the CM Group assigned to the phone. Make sure the IP/Hostname change is performed on only one server at a time.

Note: If using CTL files/tokens in either of these scenarios, you need to re-run the CTL client after making the change to the IP/Hostname/DNS Domain name.

Refer to Cisco bug ID CSCto59461 (registered customers only) for more information.

Related Information

Updated: Nov 30, 2011
Document ID: 112108