This document describes how to set up a domain certificate for Cisco
Unified Communications Manager.
There are no specific requirements for this document.
The information in this document is based on Cisco Unified
Communications Manager version 7.x.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
This example uses the Microsoft certificate authority (CA) for Unified
Communications Manager certificates.
On a Windows domain controller, install the certificate services as an
enterprise root CA. Also install web enrollment, because you need it to
generate the certificates.
Download the root certificate from the CA.
Note: The certificate must be Active Directory (AD) integrated to
generate proper certificates.
Complete these steps in order to download the root certificate from
In a web browser, go to http://<certificate server
address>/certsrv, and click the Download a CA
certificate, certificate chain, or CRL
Click the Base 64 radio button, and then click the Download
CA Certificate link.
Save the root certificate to your local
Upload the certificate.
Complete these steps in order to upload the certificate:
On the Unified Operating System Administration page, choose
Security > Certificate Management, and click Upload
The Upload Certificate dialog box
Choose the type of certificate to upload. (The root CA certificate
will be uploaded as a Trust certificate).
Note: You must add the root certificate as a trust certificate to each
service for which you want to use a CA certificate. This example uses Tomcat
Add an appropriate description, choose the root certificate to
download from the CA, and click Upload
The CallManager-trust and tomcat-trust certificates are added to
the Certificate List.
Repeat these steps as needed for IPSec and
Generate a certificate signing request.
Note: This example uses Tomcat and CallManager.
Complete these steps in order to generate certificate signing
requests for the types of certificates you want:
Click the Generate CSR button.
The Generate Certificate Signing Request dialog box
Choose the service from the Certificate Name drop-down list, and
click the Generate CSR button.
Once the certificate is generated, the Status message shows
"Success: Certificate Signing Request Generated."
Repeat these steps for the CallManager CSR.
Download the CSR.
Once you generate the CSRs, the Download CSR button appears on the
Complete these steps in order to download the CSR:
Click Download CSR.
The Download Certificate Signing Request dialog box
Choose the CSR you want to download, and click Download
Save this file to your local computer.
Repeat these steps for the CallManager
Request and download the certificates.
Complete these steps in order to request and download the
Go to http://<certificate server
address>/certsrv in order to open the Certificates Server web
Click Request a certificate.
The Request a Certificate web page
Click the advanced certificate request
The Advanced Certificate Request web page
Click the Submit a certificate request by using a
base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a
base-64-encoded PKCS #7 file link.
The Submit a Certificate Request or Renewal Request web page
Use one of these methods to choose the certificate file:
Paste the CSR file into the Base-64-encoded certificate request
Click the Browse button, and choose one of the
CSR files you just
In the Certificate Template drop-down list, choose Web
Server, and click Submit.
The Certificate Issued web page
On the Certificate Issued web page, click the DER
encoded radio button, and then click Download
Save the file to your local computer.
Repeat these steps in order to request and download the other
Once you complete these steps, all certificates should be stored on
your local computer.
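Before the upload, each issued certificate can be checked against the CSR it was requested with and against the downloaded root certificate. The following is an added example, not part of the original document: it assumes a workstation with the OpenSSL command-line tool, and the function names, file names, host name and throwaway lab CA it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example: check an issued certificate before it is uploaded.
# Usage: check_issued_cert <csr> <issued DER certificate> <Base 64 root certificate>
check_issued_cert() {
    csr=$1; der=$2; root=$3
    pem=$(mktemp) || return 2
    rc=0
    # The CA page delivers the issued certificate DER encoded; work on a PEM copy.
    if ! openssl x509 -inform DER -in "$der" -out "$pem" 2>/dev/null; then
        echo "FAIL: $der cannot be read as a certificate"; rc=1
    # The certificate must carry the public key of the CSR it is paired with.
    elif [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | openssl sha256)" != \
           "$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)" ]; then
        echo "FAIL: $der does not carry the public key from $csr"; rc=1
    # The certificate must be signed by the root uploaded as a trust certificate.
    elif ! openssl verify -CAfile "$root" "$pem" >/dev/null 2>&1; then
        echo "FAIL: $der does not chain to $root"; rc=1
    else
        openssl x509 -in "$pem" -noout -subject -issuer -enddate
    fi
    rm -f "$pem"
    return $rc
}

# Build constructed lab files (a throwaway root CA, two CSRs, one issued
# certificate) so the check can be run without a real CA.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cucm-pub.example.test" \
        -keyout "$d/tomcat.key" -out "$d/tomcat.csr" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cucm-pub.example.test" \
        -keyout "$d/callmanager.key" -out "$d/callmanager.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/tomcat.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -outform DER -out "$d/tomcat.der" 2>/dev/null
}

# Demo on the constructed files: the first check passes, the second reports a
# key mismatch because the Tomcat certificate is paired with the wrong CSR.
demo=$(mktemp -d) && make_demo_files "$demo" && {
    check_issued_cert "$demo/tomcat.csr" "$demo/tomcat.der" "$demo/root.pem"
    check_issued_cert "$demo/callmanager.csr" "$demo/tomcat.der" "$demo/root.pem" || true
}
rm -rf "$demo"
```

With real files, pass the CSR downloaded from the server, the DER file saved from the Certificate Issued page, and the Base 64 root certificate.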
Upload the certificate to CallManager.
Complete these steps in order to upload the certificate to
On the Upload Certificate web page, click Upload
The Upload Certificate web page
Choose the certificate type you want to upload. (This example
uploads the Tomcat certificate.)
In the Root Certificate field, enter the name of the root
certificate associated with the Tomcat certificate. (For this example, the root
certificate name is uc-dc-1.der.)
From the Upload File field, choose the Tomcat certificate, and
click Upload File.
Repeat this process for each certificate you want to upload.
Once you complete these steps, the trust certificates are now
loaded, and the Tomcat and CallManager Certs are signed by our Microsoft Root
Restart the processes.
Once the certificates are loaded, you must restart the processes to
force them to use the new certificates. This example restarts the CallManager
Complete these steps in order to restart the processes.
Navigate to the Cisco Unified Serviceability page, and open the
Control Center for feature services.
From the Console on the CallManager server, log in and type this
command in order to restart the Tomcat service:
utils service restart Cisco
This command updates the Tomcat service with the new
Repeat this entire process on all the servers in the
There is currently no verification procedure available for this