Cisco Unified Operating System Maintenance Guide for Cisco Unified Presence Release 8.0, 8.5, and 8.6
Managing Security Certificates in Cisco Unified Operating System


Table Of Contents

Managing Security Certificates in Cisco Unified Operating System

How to Manage Certificates and Certificate Trust Lists

Viewing Certificates

Downloading a Certificate or a Certificate Trust List

Deleting a Certificate

Regenerating a Certificate

Uploading a Certificate or a Certificate Trust List

Upload a Directory Trust Certificate

Uploading Signed Certificates to Multiple Clusters

Configuring Certificate Revocation

How to Use Third Party CA Certificates

Managing the Third-Party Certificate Process

Generating a Certificate Signing Request

Downloading a Certificate Signing Request

Monitoring Certificate Expiration Dates


Managing Security Certificates in Cisco Unified Operating System


The operating system security options enable you to manage security certificates in these two ways:

Certificate Management—Manages certificates, Certificate Trust Lists (CTL), and Certificate Signing Requests (CSR). You can display, upload, download, delete, and regenerate certificates.

Certificate Monitor—Allows you to monitor the expiration dates of the certificates on the server.

How to Manage Certificates and Certificate Trust Lists

How to Use Third Party CA Certificates

How to Manage Certificates and Certificate Trust Lists

Viewing Certificates

Downloading a Certificate or a Certificate Trust List

Deleting a Certificate

Regenerating a Certificate

Uploading a Certificate or a Certificate Trust List

Upload a Directory Trust Certificate

Uploading Signed Certificates to Multiple Clusters

Configuring Certificate Revocation

Viewing Certificates

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Perform one of the following actions:

If you want to:
Action

Filter the certificate list

Enter your search criteria, and use the Find controls as follows:

a. To filter or search records, perform one of the following actions:

From the first list box, select a search parameter.

From the second list box, select a search pattern.

Specify the appropriate search text, if applicable.

b. Select Find.

View details of a certificate or trust store

Select the .PEM or .DER file name of the certificate.

Return to the Certificate List window

a. Select Back To Find/List in the Related Links list.

b. Select Go.



Downloading a Certificate or a Certificate Trust List

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 If required, use the Find controls to filter the certificate list as follows:

a. To filter or search records, perform one of the following actions:

From the first list box, select a search parameter.

From the second list box, select a search pattern.

Specify the appropriate search text, if applicable.

b. Select Find.

Step 4 Select the file name of the certificate or CTL.

Step 5 Select Download.


Deleting a Certificate

A trusted certificate is the only type of certificate that you can delete. You cannot delete a self-signed certificate that the system generates.


Caution Deleting a certificate can affect your system operations. If there is an existing CSR for the certificate you select from the Certificate list, it is deleted from the system and you must generate a new CSR. For more information, see Generating a Certificate Signing Request.

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 If required, use the Find controls to filter the certificate list as follows:

a. To filter or search records, perform one of the following actions:

From the first list box, select a search parameter.

From the second list box, select a search pattern.

Specify the appropriate search text, if applicable.

b. Select Find.

Step 4 Select the file name of the certificate or CTL.

Step 5 Select Delete.


Regenerating a Certificate

A certificate of type "cert" is the only type of certificate that you can regenerate.


Caution Regenerating a certificate can affect your system operations.

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Select Generate New.

Step 4 Select a certificate name from the Certificate Name list.

Table 5-1 Certificate Names and Descriptions

Name
Description

tomcat

This self-signed root certificate is generated during the installation of the HTTPS server.

ipsec

This self-signed root certificate is generated during the installation of secure IPSec server connections.

cup

This self-signed root certificate is generated during the installation of the Cisco Unified Presence server.

cup-xmpp

This self-signed root certificate is generated during the installation of the Cisco Unified Presence server.

cup-xmpp-s2s

This self-signed root certificate is generated during the installation of the Cisco Unified Presence server.


Note The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.



Step 5 Select Generate New.


Troubleshooting Tips

Restart the Tomcat web server after you upload or regenerate a Tomcat certificate in a Cisco Unified Presence cluster.

Uploading a Certificate or a Certificate Trust List


Caution Uploading a new certificate or certificate trust list (CTL) file can affect your system operations.

Before You Begin

The system does not distribute trust certificates to other cluster nodes automatically. If you need to have the same certificate on more than one node, you must upload the certificate to each node individually.

To access the Security menu items, you must sign out and sign back in to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Select Upload Certificate.

Step 4 Select the name of the certificate or CTL from the Certificate Name list.

Step 5 Select the file to upload by completing one of the following actions:

Enter the path to the file in the Upload File text box.

Select Browse and navigate to the file.

Select Open.

Step 6 Select Upload File to upload the file to the server.

Step 7 Restart the services affected by the new certificate.


Upload a Directory Trust Certificate

This procedure is applicable to Cisco Unified Presence Release 8.0 only.

Before You Begin

If you are uploading a root or intermediate certificate authority (CA) certificate, wait 15 minutes for the audit job to run before adding these certificates to the trust store. Alternatively, you can restart the Intercluster Sync Agent to force the audit job to run immediately.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Select Upload Certificate.

Step 4 Select directory-trust from the Certificate Name list.

Step 5 Enter the file to upload in the Upload File field.

Step 6 Select Upload File.

Step 7 Sign into Cisco Unified Serviceability.

Step 8 Select Tools > Control Center - Feature Services.

Step 9 Restart the service Cisco Dirsync.

Step 10 Sign in to the Cisco Unified Communications Operating System CLI as an administrator.

Step 11 Enter the command utils service restart Cisco Tomcat to restart the Tomcat service.

Step 12 After the services have restarted, you can add the directory agreement for SSL.


Troubleshooting Tips

Upload only root Certificate Authority (CA) certificates or intermediate CA certificates to the trust stores (for example, tomcat-trust, ipsec-trust, cup-trust, cup-xmpp-trust). Any other certificate that you upload to a trust store may be deleted during the audit process.

Uploading Signed Certificates to Multiple Clusters

Use this procedure when a cluster has intercluster peers and you want to upload signed certificates to those peers.

Procedure


Step 1 Log in to each intercluster peer.

Step 2 Select Presence > Inter-Clustering to ensure the server is not reporting any errors.

Step 3 If errors exist, run a force sync to synchronize the certificates from the peer side.

Step 4 Upload the root and intermediate (if any) CA certificates to the server.

Step 5 Restart the interclustering service on the server to add the CA certificates to the trust store.

Step 6 Upload the signed certificate to the server.

Step 7 Ensure the server and its certificates are synchronized with their peers.

Step 8 Upload only the signed certificates to the peers; the root and intermediate CA certificates have already been synchronized from the first server.


Configuring Certificate Revocation

You must upload the OCSP responder certificate to tomcat-trust before you enable OCSP.

You can use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of a certificate. To configure OCSP, follow this procedure.


Note This feature is only applicable to Cisco Unified Presence Release 8.6(4) and later.


Procedure


Step 1 Navigate to Security > Certificate Revocation.
The Certificate Revocation window displays.

Step 2 Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.

Step 3 Choose one of the following options:

Option
Action

Use OCSP URI from Certificate

Choose this option to contact the OCSP Responder at the OCSP URI that is embedded in the certificate.

To verify that there is an OCSP URI in the certificate, complete the following steps:

a. Select Security > Certificate Management.

b. Search for the certificate using the Find filters.

c. Select the .PEM file or .DER file link for the certificate.

d. In the Certificate Configuration window, ensure that there is an entry for Extension: AuthorityInfoAccessSyntax (the Authority Information Access extension) and that it has an accessLocation URL. That URL is the OCSP responder the server will contact.

Use configured OCSP URI

Choose this option to contact the OCSP Responder at an external or configured URI. Enter the URI of the OCSP Responder that verifies certificate revocation status in the OCSP Configured URI field.


Step 4 Select Save.
The certificate revocation status check is performed only when you upload a certificate or certificate chain. If a certificate is revoked, the appropriate alarm is raised.



Note In Cisco Unified Presence Release 8.6(5) and later, you cannot upload CA-signed leaf certificates as trust certificates to the trust stores.


How to Use Third Party CA Certificates

Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues from a PKCS #10 Certificate Signing Request (CSR).

To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA. Get information about obtaining these certificates from your CA. The process varies among CAs.

CAPF and Cisco Unified Presence Certificate Signing Requests (CSRs) include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism (the PKCS #10 extensionRequest attribute carried in the CSR), you must enable on the CA side the X.509 extensions that are listed in the final window of the CSR generation process.

Cisco Unified Communications Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats.

Cisco has verified third-party certificates obtained from Microsoft, Keon, and Verisign CAs. Certificates from other CAs might work but have not been verified.

Managing the Third-Party Certificate Process

Generating a Certificate Signing Request

Downloading a Certificate Signing Request

Monitoring Certificate Expiration Dates

Managing the Third-Party Certificate Process

This procedure provides an overview of the third-party certificate process, with references to each step in sequence:

Step 1 Generate a CSR on the server. See Generating a Certificate Signing Request.

Step 2 Download the CSR to your PC. See Downloading a Certificate Signing Request.

Step 3 Use the CSR to obtain an application certificate from a CA. Get information about obtaining application certificates from your CA.

Step 4 Obtain the CA root certificate. Get information about obtaining a root certificate from your CA.

Step 5 Upload the CA root certificate to the corresponding trust store on the server (for example, tomcat-trust for a tomcat certificate). See Uploading a Certificate or a Certificate Trust List.

Step 6 Upload the application certificate to the server. See Uploading a Certificate or a Certificate Trust List.

Step 7 If you updated the certificate for CAPF or Cisco Unified Presence, generate a new CTL file. See Uploading a Certificate or a Certificate Trust List.

Step 8 Restart the services that are affected by the new certificate. For all certificate types, restart the corresponding service (for example, restart the Tomcat service if you updated the Tomcat certificate). For information about restarting services, see the Cisco Unified Serviceability Administration Guide for Cisco Unified Presence.

Generating a Certificate Signing Request

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

For the current release of the Cisco Unified Operating System, the Directory option is no longer available in the list of Certificate Names. However, you can still upload a Directory Trust certificate from a previous release, which is required for the DirSync service to work in Secure mode.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Select Generate CSR.

Step 4 Select the certificate name from the Certificate Name list.

Step 5 Select Generate CSR.


Related Topics

Upload a Directory Trust Certificate.
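The third-party certificate process and CSR generation above, together with the OCSP URI check in Configuring Certificate Revocation and the trust-store rule in Upload a Directory Trust Certificate, as an added example that is not part of this guide and is not Cisco's code: a throwaway CA built with openssl issues a cup certificate from a CSR, and shell functions then run the checks an administrator wants before the upload steps (the leaf chains to the root that will go into cup-trust, the candidate for the trust store is really a CA certificate, and the issued certificate carries an OCSP URI). The host name cup1.example.test, the OCSP URL http://ocsp.example.test and the extension list are assumptions for illustration; the extensions the appliance actually requires are the ones listed in its CSR generation window.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Stands up a throwaway CA with openssl
# and walks the third-party certificate process locally: CSR with X.509 extensions,
# CA signature, then the checks worth running before uploading anything to the
# appliance. cup1.example.test, the OCSP URL and the extension list are assumptions.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

cat > lab.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req_ext ]
# carried in the CSR as a PKCS #10 extensionRequest attribute
subjectAltName = DNS:cup1.example.test
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ cup_ext ]
# what the CA stamps into the issued certificate; a CA that ignores the CSR's
# extensionRequest has to be configured with these itself, which is the case here
basicConstraints = CA:FALSE
subjectAltName = DNS:cup1.example.test
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Throwaway root CA (plays the third-party CA); root.pem is what goes into cup-trust.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -config lab.cnf -extensions v3_ca -days 3650 \
  -subj "/CN=Example Lab Root CA" -out root.pem

# Steps 1 and 2 of the process: a CSR for the cup certificate, extensions requested.
openssl genrsa -out cup.key 2048 2>/dev/null
openssl req -new -key cup.key -config lab.cnf -reqexts req_ext \
  -subj "/CN=cup1.example.test" -out cup.csr

# Step 3: the CA issues the application certificate (x509 -req does not copy the
# CSR's extensions, so they are supplied from cup_ext).
openssl x509 -req -in cup.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile lab.cnf -extensions cup_ext -out cup.pem 2>/dev/null

# --- checks before upload --------------------------------------------------
# The CSR carries an extensionRequest attribute; confirm the issued certificate
# actually ended up with the requested SAN.
csr_has_ext_request() { openssl req -in "$1" -noout -text | grep -q 'Requested Extensions'; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Does the leaf chain to the root that will be uploaded to the trust store?
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Only CA certificates belong in *-trust stores (8.6(5)+ refuses leaves there):
# inspect basicConstraints rather than trusting the file name.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# "Use OCSP URI from Certificate" needs an accessLocation in the AIA extension.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

if csr_has_ext_request cup.csr; then echo "cup.csr: extensionRequest present"; fi
if cert_has_san cup.pem cup1.example.test; then echo "cup.pem: SAN present"; fi
if chains_to cup.pem root.pem; then echo "cup.pem: chains to root.pem"; fi
if is_ca_cert root.pem; then echo "root.pem: CA certificate, upload to cup-trust"; fi
if is_ca_cert cup.pem; then echo "cup.pem: CA?!"; else echo "cup.pem: leaf, upload as cup"; fi
echo "OCSP responder from AIA: $(ocsp_uri cup.pem)"
echo "artifacts left in $WORK"
```

The cup_ext section exists because `openssl x509 -req` ignores the CSR's extensionRequest; a CA that honours it would produce the same extensions from req_ext alone, which is exactly the distinction the ExtensionRequest note above makes. The is_ca_cert check is the one to run on any file before choosing a *-trust store in the Certificate Name list.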

Downloading a Certificate Signing Request

Before You Begin

To access the Security menu items, you must sign in again to Cisco Unified Communications Operating System Administration using your Administrator password.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Management.

Step 3 Select Download CSR.

Step 4 Select the certificate name from the Certificate Name list.

Step 5 Select Download CSR.


Monitoring Certificate Expiration Dates

The system can automatically send you an email when a certificate is close to its expiration date.

Procedure


Step 1 Sign in to Cisco Unified Communications Operating System Administration.

Step 2 Select Security > Certificate Monitor to view the current Certificate Expiration Monitor configuration.

Step 3 Enter the required configuration information.

Table 5-2 Certificate Monitor Field Descriptions 

Field
Description

Notification Start Time

Enter the number of days before the certificate expires that you want to be notified.

Notification Frequency

Enter the frequency for notification, either in hours or days.

Enable E-mail Notification

Check the check box to enable email notification.

E-mail IDs

Enter the email address to which you want notifications sent.

Note For the system to send notifications, you must configure an SMTP host.
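The Certificate Monitor's decision, reproduced locally as an added example that is not part of this guide and is not Cisco's code: a certificate is reported when it expires within the Notification Start Time window. The two self-signed certificates (a 10-day one standing in for tomcat, a 365-day one for cup) and the 30-day window are constructed here; only openssl is used.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the Certificate Monitor's expiry check
# done with openssl. The certificates and the 30-day window are constructed here.
set -eu
WORK=$(mktemp -d)

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = x\n' > "$WORK/min.cnf"

# mk_cert <name> <days-valid>: self-signed certificate standing in for a server certificate.
mk_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/min.cnf" -days "$2" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# notify_due <cert.pem> <start-days>: succeeds when the certificate expires within
# <start-days> days. "openssl x509 -checkend N" exits 0 only if the certificate is
# still valid N seconds from now, so an already-expired certificate is reported too.
notify_due() {
  ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# expiring_within <dir> <start-days>: names of the certificates that need a notification.
expiring_within() {
  for f in "$1"/*.pem; do
    if notify_due "$f" "$2"; then basename "$f"; fi
  done
}

mk_cert tomcat-short 10     # expires in 10 days: inside a 30-day window
mk_cert cup-long 365        # expires in a year: outside it

START_DAYS=30               # Notification Start Time from Table 5-2
for name in $(expiring_within "$WORK" "$START_DAYS"); do
  # the line the notification e-mail would carry
  printf 'NOTIFY %s: %s\n' "$name" "$(openssl x509 -noout -enddate -in "$WORK/$name")"
done
```

Notification Frequency maps to how often this runs (a cron entry, for instance); the check itself is the one openssl -checkend does, which is why an expired certificate keeps being reported until it is replaced.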