Certificates Overview
A certificate is a file that contains the certificate holder name, public key and digital signature of the certificate authority that is issuing the certificate. A certificate proves the identity of the owner of the certificate.
Unified Communications Manager uses certificates that use the public-key infrastructure (PKI) in order to validate server and client identity and to enable encryption. When another system (for example, a phone or media server) tries to connect to Unified Communications Manager, it presents its certificate to Unified Communications Manager in order to verify its identity. Unified Communications Manager will not trust the other system, and will deny access, unless it has a matching certificate in the appropriate trust store.
Unified Communications Manager uses two broad classes of certificates:
- Self-signed Certificates—By default, Unified Communications Manager uses self-signed certificates. These are certificates where Unified Communications Manager itself signs the certificate in order to confirm the identity of the server or client. Unified Communications Manager can issue self-signed certificates for itself, or for LSC certificates on behalf of phones via the Certificate Authority Proxy Function.
- CA-signed certificates—You can also configure Unified Communications Manager to use certificates that are signed by a third-party certificate authority (CA). You must complete a Certificate Signing Request (CSR) to have the CA sign a certificate on behalf of Unified Communications Manager. The CA receives the request and issues CA-signed certificates. To use CA-signed certificates, you must first install the CA root certificate chain on Unified Communications Manager.
Note: Typically, self-signed certificates are accepted for internal connections that do not cross a company firewall. However, for WAN connections, or for connections that use the public internet, you should use CA-signed certificates.
Note: Generalized Time values for X.509 PKI certificates must be expressed in Greenwich Mean Time (GMT) and must include seconds (YYYYMMDDHHMMSSZ). Fractional seconds are not allowed. Certificates that violate this rule, whether offered from a peer entity or loaded in the trust store, may fail the certificate verification process.
CTL File
The Cisco Certificate Trust List is a file that is created when you enable mixed mode by the Cisco CTL Client or by running one of the utils ctl CLI commands (for example, utils ctl update CTLFile). When mixed mode is enabled, the CTL file gets installed on Cisco IP Phones via the TFTP server. The CTL file contains a list of certificates for phones to trust, including the Certificate Authority Proxy Function system certificate and other certificates.
For details on how to configure the CTL File, see the CTL Client Setup chapter.
TLS
Transport Layer Security (TLS) uses CA-signed certificates. When TLS is configured, the other system presents its certificate to Unified Communications Manager as part of the initial connection setup. If Unified Communications Manager has the other system's certificate installed, it trusts the other system, and communication occurs. If the other system's certificate is not present, the other system is untrusted, and communication fails.
Third-Party CA-Signed Certificates
A certificate authority (CA) is a trusted third party that signs and issues digital certificates; CA-signed certificates are the certificates issued by such a CA.
By default, Unified Communications Manager uses self-signed certificates for all connections. However, you can add security by configuring a third-party CA to sign certificates. To use a third-party CA, install the CA root certificate chain in Cisco Unified Communications Manager Administration.
To issue CA-signed certificates, submit a Certificate Signing Request (CSR) so that the CA can issue and sign a certificate. For details on how to Upload, Download, and View Certificates, see the Self-Signed Certificates section.
Configuration
If you want to use CA-signed certificates from another system connecting to Unified Communications Manager, do the following in Cisco Unified Communications Manager Administration:
- Upload the root certificate chain of the CA that signed the certificates.
- Upload the CA-signed certificates from the other system.
If you want to use CA-signed certificates for Unified Communications Manager:
- Complete a CSR to request CA-signed certificates in Cisco Unified Communications Manager Administration.
- Download both the CA root certificate chain and the CA-signed certificates in Cisco Unified Communications Manager Administration.
- Upload both the CA root certificate chain and the CA-signed certificates.
Certificate Signing Request Key Usage Extensions
The following tables display key usage extensions for Certificate Signing Requests (CSRs) for both Unified Communications Manager and the IM and Presence Service CA certificates.
Unified Communications Manager CSR key usage extensions

Certificate | Multi server | Server Authentication (EKU 1.3.6.1.5.5.7.3.1) | Client Authentication (EKU 1.3.6.1.5.5.7.3.2) | IP security end system (EKU 1.3.6.1.5.5.7.3.5) | Digital Signature (KU) | Key Encipherment (KU) | Data Encipherment (KU) | Key Cert Sign (KU) | Key Agreement (KU)
---|---|---|---|---|---|---|---|---|---
CallManager, CallManager-ECDSA | Y | Y | Y | | Y | Y | Y | |
CAPF (publisher only) | N | Y | Y | | | N | | Y |
ipsec | N | Y | Y | Y | Y | Y | Y | |
tomcat, tomcat-ECDSA | Y | Y | Y | | Y | Y | Y | |
TVS | N | Y | Y | | Y | Y | Y | |

IM and Presence Service CSR key usage extensions

Certificate | Multi server | Server Authentication (EKU 1.3.6.1.5.5.7.3.1) | Client Authentication (EKU 1.3.6.1.5.5.7.3.2) | IP security end system (EKU 1.3.6.1.5.5.7.3.5) | Digital Signature (KU) | Key Encipherment (KU) | Data Encipherment (KU) | Key Cert Sign (KU) | Key Agreement (KU)
---|---|---|---|---|---|---|---|---|---
cup, cup-ECDSA | N | Y | Y | Y | Y | Y | Y | |
cup-xmpp, cup-xmpp-ECDSA | Y | Y | Y | Y | Y | Y | Y | |
cup-xmpp-s2s, cup-xmpp-s2s-ECDSA | Y | Y | Y | Y | Y | Y | Y | |
ipsec | N | Y | Y | Y | Y | Y | Y | |
tomcat, tomcat-ECDSA | Y | Y | Y | | Y | Y | Y | |

Note: Ensure that the 'Data Encipherment' bit is not changed or removed as part of the CA signing process.
Server Certificate Types
Server certificates identify a server, and they carry the key material that is used to encrypt and decrypt the content of the connection.
Self-signed (own) certificate types in Unified Communications Manager servers are as follows:
Unified Communications Manager imports the following certificate types to the Unified Communications Manager trust store:
Certificate Type | Description
---|---
Cisco Unity server or Cisco Unity Connection certificate | Cisco Unity and Cisco Unity Connection use this self-signed root certificate to sign the Cisco Unity SCCP and Cisco Unity Connection SCCP device certificates. For Cisco Unity, the Cisco Unity Telephony Integration Manager (UTIM) manages this certificate. For Cisco Unity Connection, Cisco Unity Connection Administration manages this certificate.
Cisco Unity and Cisco Unity Connection SCCP device certificates | Cisco Unity and Cisco Unity Connection SCCP devices use this signed certificate to establish a TLS connection with Unified Communications Manager.
SIP Proxy server certificate | A SIP user agent that connects via a SIP trunk authenticates to Unified Communications Manager if the CallManager trust store contains the SIP user agent certificate and if the SIP user agent contains the Unified Communications Manager certificate in its trust store.

Note: The certificate name represents a hash of the certificate subject name, which is based on the voice-mail server name. Every device (or port) gets issued a certificate that is rooted at the root certificate.
The following additional trust stores exist:
- Common trust store for Tomcat and web applications
- IPSec-trust
- CAPF-trust
- Userlicensing-trust
- TVS-trust
- Phone-SAST-trust
- Phone-CTL-trust
For more information about CA trust certificates for Cisco Unity Connection, see the Administration Guide for Cisco Unified Communications Manager. These trust certificates secure connections to Exchange or MeetingPlace Express for fetching e-mails, calendar information, or contacts.