Introduction
This document describes how to generate a CA-signed certificate for the Customer Voice Portal (CVP) call server and how to verify the CVP call server certificate. From CVP version 11.6, Session Initiation Protocol (SIP) TLS communication is supported.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on CVP 11.6.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Step 1. Find the password for the keystore.
Navigate to c:\Cisco\CVP\conf\security.properties on the CVP call server in order to find this password.
This file contains the keystore password, which is required for every keystore operation.
Step 2. Create a temporary variable to avoid entering the keystore password value every time.
Navigate to c:\Cisco\CVP\conf\security and run this command:
set kt=c:\Cisco\CVP\jre\bin\keytool.exe -storepass 592(!aT@Hbt{[c)b7n6{Mj6J[0P4C~X2?4!zv~5(@2*12Dm97 -storetype JCEKS -keystore .keystore
Note: Storepass must be replaced with your own keystore password.
Step 3. Remove the existing call server certificate.
Navigate to c:\Cisco\CVP\conf\security to find the existing certificate. Run this command to delete the certificate:
%kt% -delete -alias callserver_certificate
After deletion of the certificate, this command can be used in order to verify all certificates in the CVP server:
%kt% -list
In order to confirm that the call server certificate was deleted, run this command:
%kt% -list | findstr callserver
Step 4. Generate the key pair. You must use a 2048-bit key pair.
Navigate to c:\Cisco\CVP\conf\security and run this command:
%kt% -genkeypair -alias callserver_certificate -v -keysize 2048 -keyalg RSA
When you run this command, it asks for this information:
Note: You must use the server's hostname as the first name and last name.
What is your first and last name?
[Unknown]: col115cvpcall02
What is the name of your organizational unit?
[Unknown]: TAC
What is the name of your organization?
[Unknown]: Cisco
What is the name of your City or Locality?
[Unknown]: Sydney
What is the name of your State or Province?
[Unknown]: NSW
What is the two-letter country code for this unit?
[Unknown]: AU
Is CN=col115cvpcall02, OU=TAC, O=Cisco, L=Sydney, ST=NSW, C=AU correct?
[no]: yes
Step 5. Generate the new Certificate Signing Request (CSR).
Navigate to c:\Cisco\CVP\conf\security and run this command:
%kt% -certreq -alias callserver_certificate -file callserver.csr
Step 6. Sign the CSR with an internal CA or a third-party CA.
Navigate to c:\Cisco\CVP\conf\security in order to find this CSR file:

Step 7. Install the Root CA.
Two certificates are copied to c:\Cisco\CVP\conf\security.
- Root CA certificate
- Signed Call Server Certificate

Run this command:
%kt% -import -v -trustcacerts -alias root -file DC-Root.cer
In this lab, the Root CA cert is DC-Root.cer.
Step 8. Install the call server certificate that was signed by the CA.
Navigate to c:\Cisco\CVP\conf\security
Run this command:
%kt% -import -v -trustcacerts -alias callserver_certificate -file cvpcallserver.cer
In this lab, the call server certificate is cvpcallserver.cer.
Step 9. Verify the newly installed certificate.
In order to verify the newly installed certificate, navigate to C:\Cisco\CVP\conf\security and run this command:
%kt% -list -v -alias callserver_certificate
Note: Alias name is a fixed system value. You must use callserver_certificate.
Example:
Alias name: callserver_certificate
Creation date: Aug 25, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=col115cvpcall02, OU=TAC, O=Cisco, L=Sydney, ST=NSW, C=AU
Issuer: CN=col115-COL115-CA, DC=col115, DC=org, DC=au
Serial number: 610000000e78c717ba3dd3dc2400000000000e
Valid from: Fri Aug 25 11:32:43 AEST 2017 until: Sat Aug 25 11:42:43 AEST 2018
Certificate fingerprints:
After all these steps are completed, the CA-signed certificate for the call server is installed. This certificate is used when a TLS connection for SIP is established.
Verify
These two commands can be used to list all certificates or only call server certificates:
%kt% -list
%kt% -list | findstr callserver
This command can be used to view certificate details:
%kt% -list -v -alias callserver_certificate
Alias name: callserver_certificate
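The checks a reviewer makes by eye on the Step 9 output can be scripted. This is an added example, not Cisco's code: the names check_entry and _field are hypothetical, and it assumes English-locale keytool output saved as text, using the field labels shown in the Step 9 example.

```python
import re
from datetime import datetime

# Step 9 example output from this page (fingerprint lines are not shown there).
SAMPLE = """\
Alias name: callserver_certificate
Creation date: Aug 25, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=col115cvpcall02, OU=TAC, O=Cisco, L=Sydney, ST=NSW, C=AU
Issuer: CN=col115-COL115-CA, DC=col115, DC=org, DC=au
Serial number: 610000000e78c717ba3dd3dc2400000000000e
Valid from: Fri Aug 25 11:32:43 AEST 2017 until: Sat Aug 25 11:42:43 AEST 2018
"""

def _field(text, name):
    """First 'name: value' line in keytool output, or None (hypothetical helper)."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def check_entry(text, hostname, now):
    """Return problems found in one `keytool -list -v` entry; empty list means OK."""
    problems = []
    if _field(text, "Entry type") != "PrivateKeyEntry":
        problems.append("entry is not a PrivateKeyEntry (no private key under this alias)")
    chain = _field(text, "Certificate chain length")
    if chain is None or int(chain) < 2:
        problems.append("chain length < 2: CA-signed reply is not installed")
    owner, issuer = _field(text, "Owner"), _field(text, "Issuer")
    if owner is None or owner == issuer:
        problems.append("first certificate is self-signed (Owner equals Issuer)")
    cn = re.match(r"CN=([^,]+)", owner or "")
    if not cn or cn.group(1).lower() != hostname.lower():
        problems.append(f"CN does not match hostname {hostname}")
    m = re.search(r"until: \w{3} (\w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})", text)
    if not m:
        problems.append("validity period not found")
    else:
        # Zone abbreviation (e.g. AEST) is dropped: accurate to within a day.
        not_after = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
        if not_after <= now:
            problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    for line in check_entry(SAMPLE, "col115cvpcall02", datetime.now()) or ["OK"]:
        print(line)
```

Run against today's date, the lab sample reports only the expiry, because its validity ended on Aug 25, 2018.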
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.