This document describes how to configure SIP Transport Layer Security (TLS) between Cisco Unified Communications Manager (CUCM) and Cisco Unified Border Element (CUBE).
Cisco recommends that you have knowledge of these subjects.
Date and time must match on the endpoints (it is recommended to have the same NTP source).
CUCM must be in mixed mode.
TCP connectivity is required (open port 5061 on any transit firewall).
The CUBE must have the security and UCK9 licenses installed.
Step 1. Create a trustpoint to hold the CUBE's self-signed certificate.
crypto pki trustpoint CUBEtest !(this can be any name)
 enrollment selfsigned !(self-signed enrollment; needed for the enroll prompt shown in Step 2)
 subject-name cn=ISR4451-B.cisco.lab !(this has to match the router's host name)
 rsakeypair ISR4451-B.cisco.lab !(this has to match the router's host name)
Step 2. Once the trustpoint is created, run the command crypto pki enroll CUBEtest to generate the self-signed certificate.
crypto pki enroll CUBEtest
% The fully-qualified domain name will not be included in the certificate
Generate Self Signed Router Certificate? [yes/no]: yes
If enrollment was successful, expect this output:
Router Self Signed Certificate successfully created
Step 3. After you obtain the certificate, you need to export it.
crypto pki export CUBEtest pem terminal
The above command must generate the below certificate
Step 5. Download the CallManager self-signed certificate.
Find the certificate that says Callmanager
Click on the host name
Click on download PEM file
Save it to your computer
Step 6. Upload the Callmanager.pem certificate to CUBE
Open Callmanager.pem in a text editor
Copy the whole content of the file
Run these commands on the CUBE:
crypto pki trustpoint CUCMHOSTNAME
 enrollment terminal !(lets you paste the PEM certificate at the console)
crypto pki authenticate CUCMHOSTNAME
(PASTE THE CUCM CERT HERE AND THEN PRESS ENTER TWICE)
You will then see the following:
Certificate has the following attributes:
Fingerprint MD5: B9CABE35 24B11EE3 C58C9A9F 02DB16BC
Fingerprint SHA1: EC164F6C 96CDC1C9 E7CA0933 8C7518D4 443E0E84
% Do you accept this certificate? [yes/no]: yes
If everything was correct, you should see the following:
Trustpoint CA certificate accepted.
% Certificate successfully imported
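Before answering yes at the prompt in Step 6, compare the fingerprints the CUBE prints with fingerprints computed independently from the Callmanager.pem file you downloaded, so that a truncated paste or a swapped certificate is not trusted. The following is an added example, not part of the original document; it assumes the console fingerprints are MD5 and SHA-1 digests of the DER-encoded certificate printed in groups of 8 hex digits, and the sample PEM and prompt text are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder input (NOT a real certificate): the base64 body
# decodes to the three bytes b"abc" so the digests are easy to check.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# Constructed CUBE prompt text, in the same layout as the output in Step 6.
SAMPLE_PROMPT = """Certificate has the following attributes:
Fingerprint MD5: 90015098 3CD24FB0 D6963F7D 28E17F72
Fingerprint SHA1: A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
"""

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def ios_fingerprint(der, algo):
    """Digest of the DER bytes, upper-case hex in groups of 8 digits."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def parse_prompt(prompt_text):
    """Map 'MD5'/'SHA1' to the fingerprint shown on the CUBE console."""
    found = re.findall(r"Fingerprint\s+(MD5|SHA1):\s*([0-9A-Fa-f ]+)", prompt_text)
    return {name: " ".join(value.upper().split()) for name, value in found}

def safe_to_accept(pem_text, prompt_text):
    """True only if SHA1 is shown and every shown fingerprint matches the file."""
    der = pem_to_der(pem_text)
    shown = parse_prompt(prompt_text)
    if "SHA1" not in shown:  # never decide on MD5 alone
        return False
    return all(ios_fingerprint(der, name.lower()) == value
               for name, value in shown.items())

if __name__ == "__main__":
    print("accept" if safe_to_accept(SAMPLE_PEM, SAMPLE_PROMPT) else "REJECT")
```

To use it on real input, pass the contents of the downloaded PEM file and the text copied from the CUBE console to safe_to_accept, and answer yes only when it returns True.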
Step 7. Configure SIP to use the CUBE's self-signed certificate trustpoint.