This document describes a process of generating self-signed certificates using SHA-256 certificate signature algorithm for Cisco Unified Contact Center Enterprise (UCCE) web services like Web Setup or CCE Administration.
Cisco UCCE has several web services hosted by Microsoft Internet Information Services (IIS) server. Microsoft IIS in UCCE deployment by default is using self-signed certificates with SHA-1 certificate signature algorithm.
SHA-1 algorithm is considered unsecure by most of the browsers, therefore at some point critical tools like CCE Administration used by supervisors for agent reskilling may become unavailable.
The solution to that problem is to generate SHA-256 certificates for IIS server to use.
Warning: It is recommended to use Certificate Authority signed certificates. So generating self-signed certificates described here should be considered as a temporary workaround to restore the service quickly.
Where the parameter after DnsName will specify certificate common name (CN). Replace the parameter after DnsName to the correct one for the server. The certificate will be generated with a validity of one year.
Note: Common name in the certificate has to match Fully Qualified Domain Name (FQDN) of the server.
3. Open Microsoft Management Console (MMC) tool. Select File -> Add/Remove Snap-In... -> select Certificates, choose Computer account and add it to the selected snap-ins. Press ok, then navigate to Console Root -> Certificates (Local Computer) -> Personal -> Certificates.
Ensure that the newly created certificate is present here. The certificate will not have friendly name configured, so it can be recognized based on its CN and expiration date.
Friendly name can be assigned to the certificate by selecting the certificate properties and filling Friendly name textbox with the appropriate name.
4. Start Internet Information Services (IIS) Manager. Select IIS Default Web Site and on the right pane choose Bindings. Select HTTPS -> Edit and from the SSL certificate list select self-signed SHA-256 generated certificate.
5. Restart "World Wide Web Publishing Service" service.
Note: There is no need to unbind or bind the certificate in SSL Encryption Utility tool.
Solution for Diagnostic Framework Portico
1. Repeat the steps 1-3.
A new self-signed certificate will be generated. For Portico tool there is another way of binding the certificate.
2. Remove the current certificate binding for Portico tool.
3. Bind the self-signed certificate generated for Portico.
Open the self-signed certificate generated for Portico tool and select Details tab. Copy the Thumbprint value to the text editor.
Note: In some text editors the thumbprint is automatically prepended with a question mark. Remove it.
Remove all space characters from the thumbprint and use it in the following command.