This document describes how to set up a Cisco Voice Operating System (CVOS) system cluster with the use of a Certificate Authority (CA)-Signed Multi-Server Subject Alternate Name (SAN).
The CVOS system covers the CUIC, Finesse, Livedata, IdS and VVB systems in a UCCE environment.
With Multi-Server SAN certificates, only one CSR needs to be signed by the CA for a cluster of nodes. Without them, you must obtain a CSR from each server node of the cluster, obtain a CA-signed certificate for each CSR, and manage the certificates individually.
Edited by Randy Wu, Cisco TAC Engineers, and contributed by Venu Gopal Sane, Cisco Engineer.
Before you attempt this configuration, ensure these services are up and functional:
Cisco Tomcat service
Cisco Certificate Change Notification
Cisco Certificate Expiry Monitor
Cisco recommends that you have knowledge of these topics:
Cisco Unified Contact Center Enterprise (UCCE) Release 12.5
Cisco Package Contact Center Enterprise (PCCE) Release 12.5
Cisco Virtualized Voice Browser (CVVB) 12.5
Cisco Finesse 12.5
Cisco Unified Intelligence Center 12.5
CVOS Operating System administration - Certificate Management
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 1. Log in to Operating System (OS) Administration and navigate to Security > Certificate Management > Generate CSR.
Step 2. Select Multi-Server SAN in Distribution.
It auto-populates the SAN domains and the parent domain.
Step 3. When the CSR is generated successfully, a success message is shown.
Step 4. After the CSR is generated successfully, the generated CSR is listed and can be downloaded and sent to the CA for signing.
Step 5. Upload the CA-signed certificate as type tomcat to the Publisher node of the cluster on the Certificate Management page, and follow the instructions displayed after a successful upload.
Step 6. After the file is uploaded successfully, verify that the certificate list shows the new CA-signed certificate as type multi-SAN.
Click the new multi-SAN certificate and verify that SubjectAltNames shows the Domain Name and the FQDNs of all cluster node(s).
Log in to the cmplatform page of the Subscriber nodes and verify that the same multi-SAN certificate is populated, using http://<any-node-fqdn>:8443/cmplatform
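The Step 6 verification can also be scripted. The Python below is an added example, not part of the original Cisco document: it reads the certificate each node presents on port 8443 and reports any node whose SubjectAltNames lack the domain name or a cluster FQDN, or that presents a different certificate from the others. The host names, the `cafile` parameter (the signing CA chain in PEM form) and the sample data are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl

# Constructed sample data: host names and fingerprints are placeholders.
NODES = ["finesse-pub.example.com", "finesse-sub.example.com"]
FULL_SAN = {"example.com", "finesse-pub.example.com", "finesse-sub.example.com"}
SAMPLE = {
    "finesse-pub.example.com": (FULL_SAN, "aa11"),
    # Subscriber still presents an older single-node certificate.
    "finesse-sub.example.com": ({"finesse-sub.example.com"}, "bb22"),
}

def fetch_cert(host, port=8443, cafile=None):
    """Return (SAN DNS names, SHA-256 fingerprint) of the certificate a node presents."""
    ctx = ssl.create_default_context(cafile=cafile)  # validates against the CA chain
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    sans = {v.lower() for k, v in info.get("subjectAltName", ()) if k == "DNS"}
    return sans, hashlib.sha256(der).hexdigest()

def audit_cluster(observed, nodes, parent_domain):
    """observed maps node FQDN -> (SAN set, fingerprint); returns a list of findings."""
    findings = []
    expected = {n.lower() for n in nodes} | {parent_domain.lower()}
    # A multi-server SAN certificate is one certificate shared by every node.
    if len({fp for _, fp in observed.values()}) > 1:
        findings.append("nodes present different certificates")
    for node in nodes:
        if node not in observed:
            findings.append(f"{node}: no certificate collected")
            continue
        missing = expected - observed[node][0]
        if missing:
            findings.append(f"{node}: SAN missing {sorted(missing)}")
    return findings

if __name__ == "__main__":
    # For a live check, build the mapping with:
    #   {n: fetch_cert(n, cafile="ca-chain.pem") for n in NODES}
    for finding in audit_cluster(SAMPLE, NODES, "example.com"):
        print(finding)
```

An empty result means every node presents the same certificate and its SubjectAltNames cover the domain name and all cluster FQDNs.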
Collect the following certificate management logs from the CLI and open a case with Cisco TAC: