Video Communication Server Certificate Authority Configuration Example

Introduction

This document describes certificate authentication on the Video Communication Server (VCS). A certificate identifies the VCS and contains names by which it is known and to which traffic is routed. If the VCS is known by multiple names for these purposes, such as if it is part of a cluster, this must be represented in the X.509 subject data. The certificate must contain the Fully Qualified Domain Name (FQDN) of both the VCS itself and of the cluster. If a certificate is shared across cluster peers, it must list all possible peer FQDNs.

A VCS needs certificates for:

• Secure HTTP with Transport Layer Security (TLS) (HTTPS) connectivity
• TLS connectivity for Session Initiation Protocol (SIP) signaling, endpoints, and neighbor zones
• Connections to other systems such as Cisco Unified Communications Manager (CUCM), Cisco TelePresence Management Suite (TMS), Lightweight Directory Access Protocol (LDAP) servers, and syslog servers

It uses its list of trusted Certificate Authority (CA) certificates and associated Certificate Revocation Lists (CRLs) in order to validate other devices that connect to it.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• VCS - Releases 8.1 and 8.1.1
• Certificate Authority - Microsoft Windows 2008 R2 Enterprise

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

VCS Release 8.1.1 supports the Collab Edge Mobile Remote Access (MRA) feature and requires a TLS connection between VCS-Control and VCS-Expressway.

In order to set up TLS, you need to upload necessary certificates on the VCS. You can complete this with these three methods:

• OpenSSL
• Enterprise CA
• Third-party CA

The TLS connection between VCS-Control and VCS-Expressway requires these two attributes:

• TLS Client Authentication
• TLS Web Server Authentication

This document concentrates on the Enterprise CA method as OpenSSL is already discussed in the VCS Certificate Deployment Guide.

When you install the CA, the web server certificate comes by default. However, this template cannot be used to generate the certificate for the TLS connection between VCS-Control and VCS-Expressway. If you try to upload the certificate to VCS, which is generated with just the web server attribute, you receive this error.

In order to verify this, select Maintenance > Server Certificate. Click Decode Certificate. Check the section "Extended Key Usage".

Configure

As stated earlier, for the TLS connection you need a client and web server attribute. Since there is not a default template, you can create one. Complete these steps in order to generate the new template with both the TLS Client Authentication and TLS Web Server Authentication attributes:

1. Open the Certificate Authority or go to the Microsoft Management Console (MMC) console. Click Add/Remove Snapin and select Certificate Authority. Expand the CA in the left pane and select Certificate Templates. Right-click the certificate template and select Manage.

   

2. Right-click the Web Server certificate template and select Duplicate Template.

   

3. Click the Windows Server 2003 Enterprise radio button (if you want the template to be available for web enrollment). Click OK.

   

4. Enter the template name in the Template display name field. Name the template as per your requirements, for example "web server client 2003".

   

5. Click the Extensions tab and select the Application policy. Click Edit.

   

6. In the Add Application Policy dialog box, select Client Authentication. Click OK.

   

7. In the Edit Application Policies Extension dialog box, click OK.

   

8. From the MMC console or the CA window, right-click Certificate Template. Select New > Certificate Template to Issue.

   

9. Select your newly created template in the Enable Certificate Templates dialog box. Verify the template in the Intended Purpose column. Click OK.

   

Verify

Use this section to confirm that your configuration works properly.

Complete these steps:

1. Verify that your requested certificate template is available in order to issue new certificates.

   

   Note: The template will be available for web enrollment only if you selected the template as Windows 2003 when you created the certificate template.

   

2. Follow the procedure to generate the Certificate Signing Request (CSR) from VCS and get the certificate signed with the new template.
3. Verify that the certificate has both the client and web server attribute available.

   

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

If the template is not available for web enrollment, determine if the user that accesses certsrv has the necessary permissions.

As stated previously, the Windows 2008 template will not be available for web enrollment. For more details, see 2008 Web Enrollment and Version 3 Templates.

Revision History