To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Perform one of the following actions:
If you want to filter the certificate list: Enter your search criteria, and use the Find controls as follows. To filter or search records, perform one of the following actions: from the first list box, select a search parameter; from the second list box, select a search pattern. Then select Find.
If you want to view details of a certificate or trust store: Select the .PEM or .DER file name of the certificate.
If you want to return to the Certificate List window: Select Back To Find/List in the Related Links list, and then select Go.
Download certificate or certificate trust list
Before You Begin
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
If required, use the Find controls to filter the certificate list as follows:
To filter or search records, perform one of the following actions:
From the first list box, select a search parameter.
From the second list box, select a search pattern.
Specify the appropriate search text, if applicable.
Select Find.
Step 4
Select the file name of the certificate or CTL.
Step 5
Select Download.
Delete certificate
A trusted certificate is the only type of certificate that you can delete. You cannot delete a self-signed certificate that is generated by the system.
Caution
Deleting a certificate can affect your system operations. If there is an existing CSR for the certificate you select from the Certificate list, it is deleted from the system and you must generate a new CSR.
Before You Begin
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
If required, use the Find controls to filter the certificate list as follows:
To filter or search records, perform one of the following actions:
From the first list box, select a search parameter.
From the second list box, select a search pattern.
Specify the appropriate search text, if applicable.
Regenerate certificate
A certificate of type "cert" is the only type of certificate that you can regenerate.
Caution
Regenerating a certificate can affect your system operations.
Before You Begin
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Select Generate New.
Step 4
Select a certificate name from the Certificate Name list.
Table 1 Certificate Names and Descriptions
Name: Description
tomcat: This self-signed root certificate is generated during the installation of the HTTPS server.
ipsec: This self-signed root certificate is generated during the installation of secure IPsec server connections.
cup: This self-signed root certificate is generated during the installation of the IM and Presence server.
cup-xmpp: This self-signed root certificate is generated during the installation of the IM and Presence server.
cup-xmpp-s2s: This self-signed root certificate is generated during the installation of the IM and Presence server.
Note
The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.
Step 5
Select Generate New.
Step 6
Restart the Tomcat web server after you upload or regenerate a Tomcat certificate in an IM and Presence cluster.
Upload certificate or certificate trust list
Caution
Uploading a new certificate or certificate trust list (CTL) file can affect your system operations.
Before You Begin
The system does not distribute trust certificates to other cluster nodes automatically. If you need to have the same certificate on more than one node, you must upload the certificate to each node individually.
To access the Security menu items, you must sign out and sign back in to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Select Upload Certificate.
Step 4
Select the name of the certificate or CTL from the Certificate Name list.
Step 5
Select the file to upload by completing one of the following actions:
Enter the path to the file in the Upload File text box.
Select Browse and navigate to the file.
Select Open.
Step 6
Select Upload File to upload the file to the server.
Step 7
Restart the services that are affected by the new certificate.
Upload directory trust certificate
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Select Upload Certificate.
Step 4
Select directory-trust from the Certificate Name list.
Step 5
Enter the file to upload in the Upload File field.
Step 6
Select Upload File.
Step 7
Sign in to Cisco Unified IM and Presence Serviceability.
Step 8
Select Tools > Control Center - Feature Services.
Step 9
Restart the Cisco DirSync service.
Step 10
Sign in to the Cisco Unified IM and Presence Operating System Administration CLI as an administrator.
Step 11
Enter the command utils service restart Cisco Tomcat to restart the Tomcat service.
Step 12
After the services have been restarted, you can add the directory agreement for SSL.
Configure certificate revocation
You can use OCSP to obtain the revocation status of a certificate. To configure OCSP, follow this procedure.
Before You Begin
You must upload the Online Certificate Status Protocol (OCSP) Responder certificate to tomcat-trust before enabling OCSP.
Procedure
Step 1
Navigate to Security > Certificate Revocation.
The Certificate Revocation window displays.
Step 2
Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.
Step 3
Choose one of the following options:
Option: Use OCSP URI from Certificate
Description: Choose this option if the certificate is configured with an OCSP URI that is to be used to contact the OCSP Responder. To verify that there is an OCSP URI in the certificate, complete the following steps:
Select Security > Certificate Management.
Search for the certificate using the Find filters.
Select the .PEM file or .DER file link for the certificate.
In the Certificate Configuration window, ensure that there is an entry for Extension:AuthorityInfoAccessSyntax and that it has an accessLocation URL.
Option: Use configured OCSP URI
Description: Choose this option if an external or configured URI is used to contact the OCSP Responder. Enter the URI of the OCSP Responder, where certificate revocation status is verified, in the OCSP Configured URI field.
Step 4
Select Save.
The certificate revocation status check is performed only during upload of a certificate or certificate chain. The appropriate alarm will be raised if a certificate is revoked.
Third Party CA certificates
Cisco Unified Operating System supports certificates that a third-party Certificate Authority (CA) issues with a PKCS #10 Certificate Signing Request (CSR).
To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA. Get information about obtaining these certificates from your CA. The process varies among CAs.
CAPF and IM and Presence Certificate Signing Requests (CSRs) include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions that are listed in the final window of the CSR generation process.
Cisco Unified Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats.
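The two checks that this page leaves to the administrator's eyes, as an added example that is not Cisco's documentation or software: a small pure-Python DER reader that (1) lists the accessLocation URIs in an AuthorityInfoAccessSyntax extension value, which is what the "Use OCSP URI from Certificate" option under Configure certificate revocation depends on, and (2) tells PEM from DER and rejects a truncated file before it is uploaded. The OID constants are the standard id-ad-ocsp and id-ad-caIssuers values; the example.test URIs, the build_aia and to_pem helpers and every byte string are constructed for this example, and the PEM armor wraps the constructed extension value rather than a real certificate.

```python
"""Added example, not Cisco code: offline checks for the OCSP URI and for upload encoding."""
import base64
import re

OID_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp (standard value)
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers (standard value)
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # 0x86 = [6] uniformResourceIdentifier


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs share one octet)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def decode_oid(body):
    """Inverse of encode_oid for OIDs whose first octet is below 80 (covers the 1.3.6.1 tree)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; raise if it overruns buf."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds data (truncated file?)")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def access_locations(aia_der, method_oid=OID_OCSP):
    """URIs in an AuthorityInfoAccessSyntax value whose accessMethod equals method_oid.

    AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    An empty list for OID_OCSP means "Use OCSP URI from Certificate" has nothing to
    contact, so the configured OCSP URI option is needed instead.
    """
    tag, descriptions, _ = read_tlv(aia_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    uris = []
    for dtag, desc in iter_tlvs(descriptions):
        fields = list(iter_tlvs(desc)) if dtag == TAG_SEQUENCE else []
        if len(fields) != 2:
            continue
        (mtag, method), (ltag, location) = fields
        if mtag == TAG_OID and ltag == TAG_URI and decode_oid(method) == method_oid:
            uris.append(location.decode("ascii"))
    return uris


_PEM = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def normalize_to_der(blob):
    """Return (label, der) for a PEM or DER file body; reject other encodings and truncated DER."""
    m = _PEM.search(blob)
    if m:
        label, der = m.group(1).decode(), base64.b64decode(m.group(2))
    elif blob[:1] == b"\x30":           # bare DER always opens with a SEQUENCE tag
        label, der = "DER", blob
    else:
        raise ValueError("neither PEM armor nor a DER SEQUENCE: not an accepted encoding")
    _, _, end = read_tlv(der)
    if end != len(der):
        raise ValueError(f"outer SEQUENCE covers {end} of {len(der)} bytes (truncated or trailing data)")
    return label, der


def to_pem(der, label="CERTIFICATE"):
    """PEM-armor DER bytes on 64-character lines (constructed sample input)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n" % label.encode() + b"\n".join(lines) + b"\n-----END %s-----\n" % label.encode()


def build_aia(ocsp_uri=None, ca_issuers_uri=None):
    """Constructed AuthorityInfoAccessSyntax value (example data only, not from a real CA)."""
    descs = []
    for oid, uri in ((OID_OCSP, ocsp_uri), (OID_CA_ISSUERS, ca_issuers_uri)):
        if uri:
            descs.append(_tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii"))))
    return _tlv(TAG_SEQUENCE, b"".join(descs))


if __name__ == "__main__":
    aia = build_aia("http://ocsp.example.test/", "http://ca.example.test/ca.cer")
    print("OCSP URIs:", access_locations(aia))
    print("without an OCSP entry:", access_locations(build_aia(ca_issuers_uri="http://ca.example.test/ca.cer")))
    label, der = normalize_to_der(to_pem(aia))
    print(label, "decodes to", len(der), "bytes; round-trips:", der == aia)
    try:
        normalize_to_der(aia[:-3])                # simulate a cut-off download
    except ValueError as exc:
        print("rejected:", exc)
```

The reader works on the extension value, not on a whole certificate, because constructing a full certificate by hand would bury the point; on a downloaded .PEM file the same question is answered by `openssl x509 -in file.pem -noout -ocsp_uri`, and an empty answer is the case where the page's "Use configured OCSP URI" option applies.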
Cisco verified third-party certificates that were obtained from Microsoft, Keon, and Verisign CAs. Certificates from other CAs might work but have not been verified.
Restart the services that are affected by the new certificate.
For all certificate types, restart the corresponding service (for example, restart the Tomcat service if you updated the Tomcat certificate).
For information about restarting services, see the Cisco Unified Serviceability Administration Guide.
Generate certificate signing request
Before You Begin
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
For the current release of the Cisco Unified IM and Presence Operating System, the Directory option is no longer available in the list of Certificate Names. However, you can still upload a Directory Trust certificate from a previous release, which is required for the DirSync service to work in Secure mode.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Select Generate CSR.
Step 4
Select the certificate name from the Certificate Name list.
Download certificate signing request
Before You Begin
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Management.
Step 3
Select Download CSR.
Step 4
Select the certificate name from the Certificate Name list.
Step 5
Select Download CSR.
Monitor certificate expiration dates
The system can automatically send you an email when a certificate is close to its expiration date.
Procedure
Step 1
Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2
Select Security > Certificate Monitor to view the current Certificate Expiration Monitor configuration.
Step 3
In the Notification Start Time field, enter the number of days before the certificate expires that you want to be notified.
Step 4
In the Notification Frequency field, enter the frequency for notification, either in hours or days.
Step 5
Check the Enable E-mail Notification check box to enable email notification.
Step 6
In the E-mail IDs field, enter the email address to which you want notifications sent.
Note
For the system to send notifications, you must configure an SMTP host.