Configuring the Trusted CA Certificate List on the VCS Expressway
The version of VCS Expressway you are using will determine how you configure the trusted CA certificate list.
VCS Expressway X7.2.2
The default trusted CA certificate list for VCS Expressway X7.2.2 contains 140 certificates. It is very likely the public root CA that issued your server certificate is already part of the default trusted CA certificate list.
For details on how to configure the trusted CA certificate list on VCS Expressway X7.2.2, go to Configuring the Trusted CA Certificate List on VCS Expressway X7.2.2.
VCS Expressway Upgraded from X7.2.2 to X8.1
If you upgraded your VCS Expressway from X7.2.2 to X8.1, the trusted CA certificate list from X7.2.2 will be retained.
For details on how to configure the trusted CA certificate list on VCS Expressway upgraded from X7.2.2 to X8.1, go to Configuring the Trusted CA Certificate List on VCS Expressway Upgraded from X7.2.2 to X8.1.
VCS Expressway X8.1
If you are using a freshly installed VCS Expressway X8.1, you will need to load your own list of trusted CA certificates, because its default trusted CA certificate list is empty.
In addition, you will need to add the root certificate used by the WebEx cloud, DST Root CA X3, to the trusted CA certificate list on your VCS Expressway.
For details on how to configure the trusted CA certificate list on a freshly installed VCS Expressway X8.1, go to Configuring the Trusted CA Certificate List on VCS Expressway X8.1.
Configuring the Trusted CA Certificate List on VCS Expressway X7.2.2
If the default trusted CA certificate list is not currently in use, it is recommended that you reset it to the default list. This simplifies the task of ensuring the required certificates are in place. Note that resetting replaces any CA certificates that were added manually; if you need to keep them, copy the current list first (Show CA certificate) and add them again afterwards.
Resetting the Trusted CA Certificate List on VCS Expressway X7.2.2
To reset the trusted CA certificate list on VCS Expressway X7.2.2, do the following:
Step 1 Go to Maintenance > Certificate management > Trusted CA certificate and click Reset to default CA certificate.
Note Your VCS Expressway must trust the issuer of the server certificate that the server presents during the TLS handshake; in this case the server is the SIP proxy in the WebEx cloud.
The default trusted CA certificate list on the VCS Expressway already contains the public root CA certificate for the server certificate that the cloud will present. The root CA for the WebEx cloud is DST Root CA X3, with an intermediate CA of Cisco SSCA2.
If your server certificate was issued directly by a root CA (rather than by an intermediate CA), it is likely that the root certificate is already part of the default trusted CA list.
Step 2 It is best practice to verify that the proper root certificate is present. You may do this by clicking Show CA certificate.
This will open in a new window displaying the default Trusted CA list that is currently loaded on the VCS Expressway.
Step 3 Search for the root CA that issued the server certificate.
If the server certificate is issued directly by the top-level root CA (not by an intermediate CA) and that root CA certificate is present in the default trusted CA certificate list, certificate configuration on your VCS Expressway is complete.
If the server certificate is issued by an intermediate CA, go to the next section.
Note If the certificate for the top-level root CA that issued your server certificate is not part of the default trusted CA certificate list, you must add it using the same procedure that is described for stacking the intermediate CA certificate, detailed in the next section.
Stacking the Intermediate CA Certificate in the Trusted CA Certificate List on VCS Expressway X7.2.2
In some cases, root CAs will use an intermediate CA to issue certificates.
If the server certificate is issued by an intermediate CA, then you’ll need to add the intermediate CA certificate to the default Trusted CA list.
Figure 5-1 Server Certificate in .CER File Format
Unless the public CA provided you with the exact intermediate and root certificates that must be loaded, you can retrieve them from the server certificate's certification path. This is often the safer approach, because it guarantees that you stack the intermediate CA certificate that actually issued your server certificate rather than a similarly named one.
Step 1 Open the server certificate as a .CER file (see Figure 5-1).
Step 2 Click the Certification Path tab, double-click the Intermediate Certificate.
This will open the intermediate CA certificate in a separate certificate viewer.
Step 3 Make sure the ‘Issued to’ field displays the name of the Intermediate CA.
Step 4 Click the Details tab followed by Copy to File…
The ‘Welcome to the Certificate Export Wizard’ appears.
Step 5 Click Next.
Step 6 Choose Base-64 encoded X.509 (.CER) as the Export File Format and click Next.
Step 7 Name the file, click Next, and Finish.
Step 8 Copy the default Trusted CA list from the VCS Expressway by going to Maintenance > Certificate management > Trusted CA certificate and clicking Show CA Certificate. In the window that opens, select all contents.
Step 9 Paste the contents into a text editing application such as Notepad.
Step 10 Open the intermediate .cer file you exported in a new window of your text editing application and copy its contents to your clipboard.
Step 11 Do a search for the existing root CA certificate within the text file that contains the contents of the default Trusted CA list.
Step 12 Paste the intermediate CA certificate above the root certificate.
Step 13 Save the text file as a .PEM file (for example, NewDefaultCA.pem).
Note If the root CA certificate is not already part of the default trusted CA list, add it to the text file using the same procedure as for the intermediate CA certificate. Before uploading, confirm that each certificate you added is the one you intended by comparing its thumbprint (Details tab of the certificate viewer) with the value published by the CA; every CA in this list becomes a trust anchor for the VCS Expressway.
Step 14 Click Browse, find your newly created (stacked) trusted CA list and click Open.
Step 15 Click Upload CA certificate.
Certificate configuration on your VCS Expressway X7.2.2 is complete.
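The following Python script, added here as an example and not part of the original guide, does in code what Steps 8 to 13 do in Notepad: it splits the list copied from Show CA certificate into certificate blocks, identifies the root by its SHA-256 fingerprint (read from the certificate viewer or from the CA's published value) instead of by searching for text, inserts the intermediate immediately above that root, normalises stray CRLF line endings, and refuses to insert a duplicate. The certificate bodies in it are constructed placeholders (each decodes to a tiny DER SEQUENCE), not real CA certificates, so it runs offline.

```python
"""Stack an intermediate CA certificate above its root in a trusted CA PEM bundle.

Added example for the X7.2.2 stacking procedure (Steps 8 to 13). The sample
certificates below are constructed placeholders, not real CA certificates.
"""
import base64
import hashlib
import re

# One PEM certificate block; the base64 body may be wrapped over many lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_bundle(text):
    """Return the PEM blocks in a bundle, each re-wrapped to 64-column lines.

    Re-wrapping removes stray whitespace and CRLF line endings that a text
    editor may have introduced; base64 validation rejects a block whose body
    was truncated when it was pasted.
    """
    blocks = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises binascii.Error if corrupt
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def fingerprint(pem):
    """SHA-256 fingerprint (colon-separated hex) of the DER certificate in a PEM block."""
    body = PEM_RE.search(pem).group(1)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def stack_intermediate(bundle_text, intermediate_pem, root_fingerprint):
    """Insert the intermediate CA immediately above the root it chains to.

    The root is located by fingerprint, so a similarly named CA cannot be
    picked by accident. If the intermediate is already present the bundle is
    returned unchanged; if the root is missing, LookupError says to add it.
    """
    blocks = split_bundle(bundle_text)
    candidates = split_bundle(intermediate_pem)
    if len(candidates) != 1:
        raise ValueError("intermediate file must contain exactly one certificate")
    intermediate = candidates[0]
    fps = [fingerprint(b) for b in blocks]
    if fingerprint(intermediate) in fps:
        return "".join(blocks)
    if root_fingerprint.upper() not in fps:
        raise LookupError("root CA not in bundle; add it with the same procedure")
    blocks.insert(fps.index(root_fingerprint.upper()), intermediate)
    return "".join(blocks)


# Constructed sample input (placeholders standing in for real certificates).
OTHER_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
# Exported from the Windows certificate viewer, hence CRLF line endings.
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\r\nMAMCAQM=\r\n-----END CERTIFICATE-----\r\n"
DEFAULT_BUNDLE = OTHER_ROOT_PEM + ROOT_PEM  # what "Show CA certificate" displays

if __name__ == "__main__":
    new_bundle = stack_intermediate(DEFAULT_BUNDLE, INTERMEDIATE_PEM, fingerprint(ROOT_PEM))
    with open("NewDefaultCA.pem", "w", newline="\n") as f:
        f.write(new_bundle)
    for block in split_bundle(new_bundle):  # order as it will be uploaded
        print(fingerprint(block))
```

Run it with the real list pasted into DEFAULT_BUNDLE, the exported intermediate in INTERMEDIATE_PEM and the root's fingerprint as the third argument; the NewDefaultCA.pem it writes is the file selected in Step 14.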
For additional details on how to configure client/server certificates, including information about security terminology and definitions, refer to the “Cisco VCS Certificate Creation and Use Deployment Guide (X7.2)” at the following location:
https://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide_X7-2.pdf
Configuring the Trusted CA Certificate List on VCS Expressway Upgraded from X7.2.2 to X8.1
If the default trusted CA certificate list is not currently in use, it is recommended that you reset it to the default list. This simplifies the task of ensuring the required certificates are in place. Note that resetting replaces any CA certificates that were added manually; if you need to keep them, copy the current list first (Show all (PEM file)) and add them again afterwards.
Resetting the Trusted CA Certificate List on VCS Expressway Upgraded from X7.2.2 to X8.1
To reset the trusted CA certificate list on a VCS Expressway upgraded from X7.2.2 to X8.1, do the following:
Step 1 Go to Maintenance > Security certificates > Trusted CA certificate and click Reset to default CA certificate.
Note Your VCS Expressway must trust the issuer of the server certificate that the server presents during the TLS handshake; in this case the server is the SIP proxy in the WebEx cloud.
The default trusted CA certificate list on the VCS Expressway already contains the public root CA certificate for the server certificate that the cloud will present. The root CA for the WebEx cloud is DST Root CA X3, with an intermediate CA of Cisco SSCA2.
If your server certificate was issued directly by a root CA (rather than by an intermediate CA), it is likely that the root certificate is already part of the default trusted CA list.
Step 2 It is best practice to verify that the proper root certificate is present. You may do this by clicking Show all (PEM file).
This will open in a new window displaying the default Trusted CA list that is currently loaded on the VCS Expressway.
Step 3 Search for the root CA that issued the server certificate.
If the server certificate is issued directly by the top-level root CA (not by an intermediate CA) and that root CA certificate is present in the default trusted CA certificate list, certificate configuration on your VCS Expressway is complete.
If the server certificate is issued by an intermediate CA or if the certificate for the top-level root CA that issued your server certificate is not part of the trusted CA certificate list, you must add it to the trusted CA certificate list, as detailed in the next section.
Adding the Intermediate CA Certificate to VCS Expressway X8.1
In some cases, root CAs will use an intermediate CA to issue certificates.
If the server certificate is issued by an intermediate CA, then you’ll need to add the intermediate CA certificate to the default trusted CA certificate list.
Figure 5-2 Server Certificate in .CER File Format
Unless the public CA provided you with the exact intermediate and root certificates that must be loaded, you can retrieve them from the server certificate's certification path. This is often the safer approach, because it guarantees that you add the intermediate CA certificate that actually issued your server certificate rather than a similarly named one.
Step 1 Open the server certificate as a .CER file (see Figure 5-2).
Step 2 Click the Certification Path tab.
Step 3 Double-click the Intermediate Certificate.
This will open the intermediate CA certificate in a separate certificate viewer.
Step 4 Make sure the ‘Issued to’ field displays the name of the Intermediate CA.
Step 5 Click the Details tab followed by Copy to File…
The ‘Welcome to the Certificate Export Wizard’ appears.
Step 6 Click Next.
Step 7 Choose Base-64 encoded X.509 (.CER) as the Export File Format and click Next.
Step 8 Name the file, click Next, and Finish.
Step 9 Change the extension of your intermediate CA certificate file from .cer to .pem.
For example: intermediate.pem
Step 10 In VCS Expressway X8.1, go to Maintenance > Security certificates > Trusted CA certificate.
Step 11 Click Browse, find your intermediate CA certificate and click Open.
Step 12 Click Append CA certificate.
Certificate configuration on your VCS Expressway X8.1 is complete.
For additional details on how to configure client/server certificates, including information about security terminology and definitions, refer to the “Cisco VCS Certificate Creation and Use Deployment Guide (X8.1)” at the following location:
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
Configuring the Trusted CA Certificate List on VCS Expressway X8.1
Because a freshly installed VCS Expressway X8.1 does not have any certificates in its trusted CA certificate list, you must add the following two certificates:
- The DST Root CA certificate (the root CA for the WebEx cloud)
- The CA certificate of the CA that issued your server certificate
Adding the DST Root Certificate to VCS Expressway X8.1
Your VCS Expressway must trust the issuer of the server certificate that the server presents during the TLS handshake. In this case the server is the SIP proxy in the WebEx cloud, and its certificate chains to DST Root CA X3.
To add the DST Root certificate to the trusted CA certificate list on VCS Expressway X8.1, do the following:
Step 1 Go to: http://www.identrust.com/doc/SSLTrustIDCAA5_DSTCAX3.p7b
A page with the DST Root certificate contents appears with “-----Begin Certificate-----” at the top.
Step 2 Select and copy the entire contents of the page.
Step 3 Open a text editor, such as Notepad, on your computer and paste the contents of the DST Root certificate.
Step 4 Save the text file with an extension of .PEM (for example, dst_root_ca.pem).
Note The file must hold the certificate in PEM form, that is, the base64 body between the labels -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; RFC 7468 specifies these labels in upper case, so correct them if the copied text shows them differently. Because the download is over plain HTTP and you are about to make this certificate a trust anchor, compare its SHA-256 fingerprint with the value published by IdenTrust before you upload it.
Step 5 In VCS Expressway X8.1, go to Maintenance > Security certificates > Trusted CA certificate.
Step 6 Click Browse, select the DST Root certificate you saved in step 4 and click Open.
Step 7 Click Append CA certificate.
Adding the Root or Intermediate CA Certificate to VCS Expressway X8.1
For the WebEx cloud to trust your VCS Expressway’s server certificate, you must add the root or intermediate CA certificate for the CA that issued your server certificate.
Unless the public CA provided you with the exact intermediate or root certificates that must be loaded, you can retrieve them from the server certificate's certification path. This is often the safer approach, because it guarantees that you add the CA certificate that actually issued your server certificate rather than a similarly named one.
To add the root or intermediate CA to VCS Expressway X8.1, do the following:
Step 1 Open the server certificate as a .CER file.
Step 2 Click the Certification Path tab. (see Figure 5-3)
Figure 5-3 Server Certificate from Intermediate CA in .CER File Format
Note The server certificate example shown here is one issued by an intermediate CA. If your certificate was issued by a root CA, you would only see 2 certificates (the root and server certificates).
Step 3 Open the CA certificate:
- If your certificate was issued by a root CA, double-click the Root CA Certificate.
- If your certificate was issued by an intermediate CA, double-click the Intermediate Certificate.
This will open the CA certificate in a separate certificate viewer.
Step 4 Make sure the ‘Issued to’ field displays the name of the root or intermediate CA.
Step 5 Click the Details tab followed by Copy to File…
The ‘Welcome to the Certificate Export Wizard’ appears.
Step 6 Click Next.
Step 7 Choose Base-64 encoded X.509 (.CER) as the Export File Format and click Next.
Step 8 Name the file, click Next, and Finish.
Step 9 Change the extension of your root or intermediate CA certificate file from .cer to .pem.
For example: root.pem or intermediate.pem
Step 10 In VCS Expressway X8.1, go to Maintenance > Security certificates > Trusted CA certificate.
Step 11 Click Browse, find your root or intermediate CA certificate and click Open.
Step 12 Click Append CA certificate.
Certificate configuration on your VCS Expressway X8.1 is complete.
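As an added example (not part of the original guide), the Python script below is a pre-flight check for a single CA certificate file before you click Append CA certificate. It serves both the DST Root CA procedure (text copied from the IdenTrust page and saved as dst_root_ca.pem) and the root or intermediate file exported from the Windows certificate viewer in the section just above. It rejects the file unless it holds exactly one certificate, rewrites a UTF-8 byte-order mark, CRLF line endings and mixed-case labels into the RFC 7468 form, checks that the base64 body decodes to one complete DER SEQUENCE (the outer X.509 Certificate structure, so a truncated paste is caught), and compares the SHA-256 fingerprint with a value you supply out of band. The sample input and EXPECTED_FP are constructed placeholders so the script runs offline; in real use EXPECTED_FP is the fingerprint published by the CA, never one computed from the file you are checking.

```python
"""Pre-flight a single CA certificate before "Append CA certificate" on X8.1.

Added example; the sample input below is a constructed placeholder standing in
for text copied from a browser page, not the real DST Root CA X3.
"""
import base64
import binascii
import hashlib
import re

# Case-insensitive so that "-----Begin Certificate-----" copied from a web page
# is recognised; the output always uses the RFC 7468 upper-case labels.
LABEL_RE = re.compile(
    r"-----\s*BEGIN CERTIFICATE\s*-----(.*?)-----\s*END CERTIFICATE\s*-----",
    re.IGNORECASE | re.DOTALL,
)


def der_is_single_sequence(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: 0x8N followed by N length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as CAs usually publish it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def normalise_certificate(text):
    """Return (clean PEM text, DER bytes) for the single certificate in text."""
    text = text.lstrip("\ufeff").replace("\r\n", "\n")   # drop BOM, CRLF
    bodies = LABEL_RE.findall(text)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")
    b64 = "".join(bodies[0].split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der_is_single_sequence(der):
        raise ValueError("decoded body is not one complete DER SEQUENCE")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n", der


def preflight(text, expected_fingerprint):
    """Normalise and verify; return the PEM text to save, or raise ValueError."""
    pem, der = normalise_certificate(text)
    actual = sha256_fingerprint(der)
    if actual != expected_fingerprint.upper():
        raise ValueError(f"fingerprint mismatch: got {actual}, expected {expected_fingerprint}")
    return pem


# Constructed sample: a BOM, mixed-case labels and CRLF, as a browser copy might give.
BROWSER_COPY = "\ufeff-----Begin Certificate-----\r\nMAMCAQE=\r\n-----End Certificate-----\r\n"
# Placeholder only: in real use this is the CA's published fingerprint.
EXPECTED_FP = sha256_fingerprint(bytes.fromhex("3003020101"))

if __name__ == "__main__":
    with open("dst_root_ca.pem", "w", newline="\n") as f:
        f.write(preflight(BROWSER_COPY, EXPECTED_FP))
    print("saved dst_root_ca.pem, fingerprint", EXPECTED_FP)
```

Paste the copied text into BROWSER_COPY (or read the exported .cer file) and set EXPECTED_FP to the fingerprint obtained from the CA; the file written is the one selected in Step 6 (DST root) or Step 11 (root or intermediate).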
For additional details on how to configure client/server certificates, including information about security terminology and definitions, refer to the “Cisco VCS Certificate Creation and Use Deployment Guide (X8.1)” at the following location:
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf