If you have a third-party CA-signed Exchange server certificate, note that you must upload all CA certificates in the certificate chain to IM and Presence as an IM and Presence Trust certificate (cup-trust).
Installation of the Certificate Authority (CA) service
Although the CA can run on the Exchange server, we recommend that you use a different Windows server as a Certificate Authority (also known as CA) to provide extended security for third-party certificate exchanges.
In order to install the CA you must first install Internet Information Services (IIS) on a Windows Server 2003 computer. IIS is not installed with the default Windows 2003 installation. Ensure that you have Windows Server disc 1 and SP1 discs.
Procedure
Step 1
Select Start > Control Panel > Add or Remove Programs.
Step 2
Select Add/Remove Windows Components in the Add or Remove Programs window.
Step 3
On page 1 of the Windows Components wizard, check Certificate Services under Components and select Yes when the warning displays about domain membership and computer renaming constraints.
Step 4
On page 2 of the Windows Components wizard, select Stand-alone Root CA and select Next.
Step 5
On page 3 of the Windows Components wizard, enter the name of the server in the Common Name field for the CA Server. If there is no DNS, type the IP address. Select Next.
Step 6
On page 4 of the Windows Components wizard, accept the default settings and select Next.
Step 7
Select Yes when you are prompted to stop Internet Information Services.
Step 8
Select Yes when you are prompted to enable Active Server Pages (ASP).
Step 9
Select Finish after the installation process completes.
Troubleshooting Tips
Remember that the CA is a third-party authority. The common name of the CA should not be the same as the common name used to generate a CSR.
You must generate a Certificate Signing Request (CSR) on the IIS server for Exchange, which is subsequently signed by the CA server.
If the certificate has the Subject Alternative Name (SAN) field populated, it must match the Common Name (CN) of the certificate.
Before You Begin
[Self-signed Certificates] Install the certificate CA service if required.
Procedure
Step 1
From Administrative Tools, open Internet Information Services.
Step 2
Right-click Default Web Site and select Properties.
Step 3
Select the Directory Security tab.
Step 4
Select Server Certificate and select Next.
Step 5
Select Create a new certificate in the Server Certificate window and select Next.
Step 6
Select Prepare the request now, but send it later in the Delayed or Immediate Request window and select Next.
Step 7
Accept the Default Web Site certificate name, choose 2048 for the bit length in the Name and Security Settings window, and select Next.
Step 8
Enter your company name in the Organization field and your company's organizational unit in the Organizational Unit field in the Organization Information window and select Next.
Step 9
Enter the Exchange Server hostname or IP address in the Common Name field in the Your Site's Common Name window and select Next.
Note
The IIS certificate Common Name that you enter is used to configure the Presence Gateway on IM and Presence, and must be identical to the Host (URI or IP address) you are trying to reach.
Step 10
Enter your geographical information in the Geographical Information window and select Next.
Step 11
Enter an appropriate filename for the certificate request and specify the path and file name where you want to save your CSR in the Certificate Request File Name window and select Next.
Note
Make sure that you save the CSR without any extension (.txt) and remember where you save it because you will need to be able to find this CSR file later. Only use Notepad to open the file.
Step 12
Confirm that the information is correct in the Request File Summary window and select Next.
You must generate a Certificate Signing Request (CSR) on the IIS server for Exchange, which is subsequently signed by the CA server.
Procedure
Step 1
From Administrative Tools, open Internet Information Services (IIS) Manager.
Step 2
Select the Exchange Server under Connections in the left frame of the IIS Manager.
Step 3
Double-click Server Certificates.
Step 4
Select Create Certificate Request under Actions in the right frame of the IIS Manager.
Step 5
Enter the relevant information in the Distinguished Name Properties window, and select Next.
Enter the Exchange Server hostname or IP address in the Common Name field.
Note
The IIS certificate Common Name that you enter is used to configure the Presence Gateway on IM and Presence, and must be identical to the Host (URI or IP address) you are trying to reach.
Enter your company name in the Organization field.
Enter the organizational unit that your company belongs to in the Organizational Unit field.
Enter your geographic information.
Step 6
Accept the default Cryptographic service provider, choose 2048 for the bit length in the Cryptographic Service Provider Properties window and select Next.
Step 7
Enter an appropriate filename for the certificate request in the Certificate Request File Name window and select Next.
Note
Make sure that you save the CSR without any extension (.txt) and remember where you save it because you will need to be able to find this CSR file later. Only use Notepad to open the file.
Step 8
Confirm that the information is correct in the Request File Summary window and select Next.
We recommend that the default SSL certificate, generated for Exchange on IIS, should use the Fully Qualified Domain Name (FQDN) of the Exchange server and be signed by a Certificate Authority that IM and Presence trusts. This procedure allows the CA to sign the CSR from Exchange IIS. Perform the following procedure on your CA server, and configure the FQDN of the Exchange server in the:
Exchange certificate.
Presence Gateway field of the Exchange Presence Gateway in Cisco Unified Communications Manager IM and Presence Administration.
Before You Begin
Generate a CSR on IIS of the Exchange server.
Procedure
Step 1
Copy the certificate request file to your CA server.
Step 2
Open one of the following URLs:
Windows 2003 or Windows 2008: http://local-server/certserv
or
Windows 2003: http://127.0.0.1/certserv
Windows 2008: http://127.0.0.1/certsrv
Step 3
Select Request a certificate.
Step 4
Select advanced certificate request.
Step 5
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Step 6
Using a text editor like Notepad, open the CSR that you generated.
Step 7
Copy all information from and including
-----BEGIN CERTIFICATE REQUEST
to and including
END CERTIFICATE REQUEST-----
Step 8
Paste the content of the CSR into the Certificate Request text box.
Step 9
(Optional) By default the Certificate Template drop-down list defaults to the Administrator template, which may or may not produce a valid signed certificate appropriate for server authentication. If you have an enterprise root CA, select the "Web Server" certificate template from the Certificate Template drop-down list. The "Web Server" certificate template may not display, and therefore this step may not apply, if you have already modified your CA configuration.
Step 10
Select Submit.
Step 11
In Administrative Tools, select Start > Administrative Tools > Certification Authority > CA name > Pending Request to open the Certification Authority. The Certificate Authority window displays the request you just submitted under Pending Requests.
Step 12
Right-click your request, and complete these actions:
Navigate to All Tasks.
Select Issue.
Step 13
Select Issued certificates and verify that your certificate has been issued.
This procedure takes the signed CSR and uploads it onto IIS. To upload the signed certificate, perform the following step on the computer that you use to administer IM and Presence.
Before You Begin
[Self-signed Certificates] Download the signed certificate.
[Third-party Certificates] Your Certificate Authority will provide you with the signed certificate.
Procedure
Step 1
From Administrative Tools, open Internet Information Services.
Step 2
Complete the following steps in the Internet Information Services window:
Right-click Default Web Site.
Select Properties.
Step 3
Complete the following steps in the Default Web Site Properties window:
Select the Directory Security tab.
Select Server Certificate.
Step 4
Select Next when the Web Server Certificate Wizard window displays.
Step 5
Complete the Web Server Certificate Wizard:
Window                                                  Configuration Steps
Pending Certificate Request window (page 1 of 4)        Select Process the pending request and install the certificate and select Next.
Process a Pending Request window (page 2 of 4)          Select Browse to locate your certificate, navigate to the correct path and filename and select Next.
SSL Port window (page 3 of 4)                           Enter 443 for the SSL port and select Next.
Web Server Certificate Completion window (page 4 of 4)  Select Finish.
Troubleshooting Tips
If your certificate is not in the trusted certificates store, the signed CSR will not be trusted. To establish trust, complete these actions:
Select View Certificate in the Directory Security tab.
Select Details, highlight the root certificate, and select View.
Select the Details tab for the root certificate and install the certificate.
This procedure takes the signed CSR and uploads it onto IIS. To upload the signed certificate, perform the following step on the computer that you use to administer IM and Presence.
Before You Begin
[Self-signed Certificates] Download the signed certificate.
[Third-party Certificates] Your Certificate Authority will provide you with the signed certificate.
Procedure
Step 1
From Administrative Tools, open Internet Information Services (IIS) Manager.
Step 2
Select the Exchange Server under Connections in the left frame of the IIS Manager.
Step 3
Double-click Server Certificates.
Step 4
Select Complete Certificate Request under Actions in the right frame of the IIS Manager.
Step 5
Complete these actions in the Specify Certificate Authority Response window:
Select the ellipsis [...] to locate your certificate.
Navigate to the correct path and filename.
Enter a user-friendly name for your certificate.
Select Ok. The certificate that you completed will display in the certificate list.
Step 6
Complete the following steps in the Internet Information Services window to bind the certificate:
Select Default Web Site.
Select Bindings under Actions in the right frame of the IIS Manager.
Step 7
Complete the following steps in the Site Bindings window:
Select https.
Select Edit.
Step 8
Complete the following steps in the Edit Site Binding window:
Select the certificate that you just created from the SSL certificate list box. The "friendly name" that you applied to the certificate will display.
Open the URL specific to your Windows platform type:
Windows Server 2003 - http://127.0.0.1/certserv
Windows Server 2008 - https://127.0.0.1/certsrv
Step 3
Select Download a CA certificate, certificate chain, or CRL.
Step 4
For the Encoding Method, select Base 64.
Step 5
Select Download CA Certificate.
Step 6
Save the certificate, certnew.cer, to the local disk.
Troubleshooting Tips
If you do not know the Subject Common Name (CN) of the root certificate, you can use an external certificate management tool to find this information. On a Windows operating system, right-click the certificate file with a .CER extension and open the certificate properties.
[Self-signed Certificates] Download the root certificate.
[Third-party Certificates] Request the root certificate from your Certificate Authority. If you have a third-party CA-signed Exchange server certificate, note that you must upload all CA certificates in the certificate chain to IM and Presence as a Cisco Unified Presence Trust certificate (cup-trust).
Procedure
Step 1
Use the Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration to upload the certificate:
Upload the certificate via: Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration.
The Certificate Import Tool simplifies the process of installing trust certificates on IM and Presence and is the primary method for certificate exchange. The tool allows you to specify the host and port of the Exchange server and attempts to download the certificate chain from the server. Once approved, the tool will automatically install missing certificates.
Note
This procedure describes one way to access and configure the Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration. You can also view a customized version of the Certificate Import Tool when you configure the Exchange Presence Gateway for a specific type of calendaring integration (select Presence > Gateways).
Select System > Security > Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration.
Select CUP Trust as the Certificate Trust Store where you want to install the certificates. This store holds the Presence Engine trust certificates required for Exchange integration.
Enter one of these values to connect with the Exchange server:
IP address
Host name
FQDN
The value that you enter in this Peer Server field must exactly match the IP address, host name or FQDN of the Exchange server.
Enter the port that is used to communicate with the Exchange server. This value must match the available port on the Exchange server.
Select Submit. After the tool finishes, it reports these states for each test:
SSL Connection/Certificate Verification Status: indicates whether or not the Certificate Import Tool succeeded in downloading certificates from the specified peer server and whether or not a secure connection has been established between IM and Presence and the remote server. See Troubleshooting SSL connection/certificate status.
Step 2
If the Certificate Import Tool indicates that certificates are missing (typically the CA certificate is missing on Microsoft servers), manually upload the CA certificate(s) using the Cisco Unified OS Administration Certificate Management window.
Upload the certificate via: Cisco Unified Operating System Administration.
If the Exchange server does not provide the CA certificates during the SSL/TLS handshake, you cannot use the Certificate Import Tool to import those certificates. In this case, you must manually import the missing certificates using the Certificate Management tool in Cisco Unified OS Administration (select Security > Certificate Management).
Copy or FTP the certnew.cer certificate file to the computer that you use to administer your IM and Presence server.
From the Navigation menu on the Cisco Unified Communications Manager IM and Presence Administration login window, select Cisco Unified IM and Presence OS Administration and select Go.
Enter your username and password for Cisco Unified IM and Presence Operating System Administration and select Login.
Select Security > Certificate Management.
Select Upload Certificate in the Certificate List window.
Complete these actions when the Upload Certificate pop-up window displays:
Select cup-trust from the Certificate Name list box.
Enter the root certificate name without any extension.
Select Browse and select certnew.cer.
Select Upload File.
Step 3
Return to the Certificate Import Tool (Step 1) and verify that all status tests succeed.
Step 4
Restart the Cisco Presence Engine and SIP Proxy service after you upload all Exchange trust certificates. Select Cisco Unified IM and Presence Serviceability > Tools > Service Activation.
Troubleshooting Tips
IM and Presence allows you to upload Exchange server trust certificates with or without a Subject Common Name (CN).
If you use the Meeting Notification feature, you must restart the Presence Engine and SIP Proxy for all types of certificates. After you upload your certificates, go to Cisco Unified IM and Presence Serviceability and restart the Presence Engine first, followed by the Proxy restart. Note that this can affect calendaring connectivity.
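As an added example that is not part of this guide or of any Cisco tool, the following Python script (standard library only) reproduces the checks the integration depends on: the Peer Server value must exactly match the CN or a SAN of the Exchange certificate, a populated SAN must cover the CN, the CA common name must differ from the server CN, and the chain must verify against the downloaded CA file, which is what the Certificate Import Tool's SSL Connection/Certificate Verification Status test reports. The host names, CA name and certificate dictionaries used here are constructed placeholders.

```python
import socket
import ssl

def _subject_names(cert):
    """Return (common_name, [SAN values]) from an ssl.getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for _kind, value in cert.get("subjectAltName", ())]
    return cn, sans

def check_presence_gateway_cert(cert, peer_server, ca_cn=None):
    """Apply the guide's naming rules; returns a list of problems (empty = OK).

    peer_server: the value typed into the Peer Server / Presence Gateway field.
    ca_cn: Common Name of the signing CA, if known (e.g. read from certnew.cer).
    """
    problems = []
    cn, sans = _subject_names(cert)
    if peer_server != cn and peer_server not in sans:
        problems.append(f"Peer Server {peer_server!r} matches neither CN {cn!r} nor SAN {sans}")
    if sans and cn is not None and cn not in sans:
        problems.append(f"SAN {sans} is populated but does not include CN {cn!r}")
    if ca_cn is not None and cn is not None and ca_cn == cn:
        problems.append(f"CA Common Name {ca_cn!r} must differ from the server CN")
    return problems

def probe_exchange(peer_server, port, cafile, timeout=5.0):
    """Connect the way the Certificate Import Tool does and verify the chain.

    cafile: the Base 64 (PEM) CA certificate saved as certnew.cer (placeholder path).
    Returns (True, peer cert dict) on success, (False, reason) otherwise.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is done by check_presence_gateway_cert
    try:
        with socket.create_connection((peer_server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=peer_server) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Typical when Exchange omits intermediate CA certs from the handshake;
        # the missing CA certificate then has to be uploaded to cup-trust by hand.
        return False, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)
```

probe_exchange needs network access to the Exchange server; feed its returned dict to check_presence_gateway_cert together with the exact Peer Server value you configure.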