This document describes how to set up a Unified Communications cluster with a Certificate Authority (CA)-signed Multi-Server Subject Alternative Name (SAN) certificate.
Cisco recommends that you have knowledge of these topics:
Cisco Unified Communications Manager (CUCM)
CUCM IM and Presence Version 10.5
Before you attempt this configuration, ensure these services are up and functional:
Cisco Platform Administrative Web Service
Cisco Tomcat service
In order to verify these services on the web interface, navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services, select a server, and confirm that both services show Started. In order to verify them on the CLI, enter the utils service list command.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
In CUCM Version 10.5 and later, the Certificate Signing Request (CSR) for these certificates can carry a SAN that covers every node in the cluster, as well as additional domains:
Cisco Tomcat
Cisco CallManager (CCM)
Cisco Unified Presence-Extensible Messaging and Presence Protocol (CUP-XMPP)
CUP-XMPP Server-to-Server (S2S)
This makes it simpler to obtain a CA-signed certificate: only one CSR has to be signed by the CA, instead of generating a CSR on every node, obtaining a CA-signed certificate for each one, and then managing those certificates individually.
Log into Operating System (OS) Administration and navigate to Security > Certificate Management > Generate CSR.
In the Distribution field, select Multi-Server SAN.
The SAN domains (the Fully Qualified Domain Name of every node) and the parent domain are populated automatically; review the list before you generate the CSR.
Once it is generated, the CSR details are displayed, and the Multi-Server SAN request is listed in Certificate Management.
You can use a local CA or an external CA such as VeriSign in order to get it signed. This example shows the configuration steps for a Microsoft Windows Server-based CA (Active Directory Certificate Services web enrollment).
Log into https://<windowsserveripaddress>/certsrv/
Select Request a Certificate > Advanced Certificate Request.
Paste the base64-encoded CSR, select the certificate template if the page prompts for one, and submit the request as shown here.
Once you obtain the certificate, first upload the CA certificate (the root CA and any intermediate CA certificates in the chain) as tomcat-trust, then upload the CA-signed certificate as tomcat. If the issuing chain is not present in tomcat-trust, the upload of the signed certificate is rejected.
Restart the Cisco Tomcat service on all nodes in the SAN list, which includes the node where the certificate is uploaded (on the CLI: utils service restart Cisco Tomcat). You then see the certificate listed as Multi-Server SAN in Certificate Management on every node.
Log into https://<fqdnofccm>:8443/ccmadmin and inspect the certificate presented to the browser in order to ensure that the new certificate is used.
CallManager Multi-Server SAN Certificate
A similar procedure can be followed for the CallManager certificate. In this case, the autopopulated domains are all of the CallManager nodes. If the Cisco CallManager service does not run on one of those nodes, you can choose to keep that node in the SAN list or remove it.
After you upload the certificate issued by the CA, you must restart the Cisco CallManager service on all nodes.
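The verification step for the Tomcat certificate (log into ccmadmin on 8443) and for the CallManager certificate is easier to repeat across a cluster from a workstation than from a browser. The script below is an added example, not part of the Cisco page: it pulls the SAN extension out of a certificate with the openssl command-line tool and checks that every expected node FQDN is present, which is exactly what the multi-server certificate must guarantee. The fetch_cert helper retrieves the leaf certificate a live node serves (port 8443 for Tomcat, 5061 for the CallManager SIP/TLS listener); because that needs network access, the example also builds a constructed self-signed certificate with a three-node SAN so the check can be exercised offline. All host names (cucm-pub.example.com and so on) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Cisco page): verify that a certificate carries
# every cluster node FQDN in its Subject Alternative Name (SAN) extension.
# Assumes the openssl CLI is installed. Host names used here are hypothetical.

# Print the DNS names in the SAN extension of a PEM certificate, one per line.
san_dns_names() {
    # "openssl x509 -text" prints the extension header on one line and the
    # entries ("DNS:a, DNS:b, IP Address:1.2.3.4") on the next line.
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p'
}

# check_san CERT.pem FQDN...
# Returns 0 if every FQDN is listed in the SAN, 1 otherwise, and names the
# missing entries on stderr. Matching is case-insensitive, as DNS names are.
check_san() {
    cert=$1; shift
    names=$(san_dns_names "$cert")
    missing=0
    for fqdn in "$@"; do
        if ! printf '%s\n' "$names" | grep -qix "$fqdn"; then
            echo "missing from SAN: $fqdn" >&2
            missing=1
        fi
    done
    return $missing
}

# fetch_cert HOST PORT OUT.pem
# Save the leaf certificate a live node presents: 8443 for Tomcat (ccmadmin),
# 5061 for the CallManager SIP/TLS listener. Needs network access to the node.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Constructed sample input: a self-signed certificate whose SAN lists a
# publisher and two subscribers, so the check can run without a cluster.
make_sample_cert() {
    work=$(mktemp -d)
    cat > "$work/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = cucm-pub.example.com
[v3]
subjectAltName = DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com, DNS:cucm-sub2.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/san.cnf" \
        -keyout "$work/key.pem" -out "$1" 2>/dev/null
    rm -rf "$work"
}

# Usage: sh san_check.sh HOST PORT FQDN...   (checks the certificate a node serves)
# With no arguments, the constructed sample certificate is checked instead.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_cert "$demo/sample.pem"
    check_san "$demo/sample.pem" cucm-pub.example.com cucm-sub1.example.com cucm-sub2.example.com \
        && echo "sample certificate: all expected nodes are present in the SAN"
    rm -rf "$demo"
else
    host=$1; port=$2; shift 2
    live=$(mktemp)
    fetch_cert "$host" "$port" "$live" && check_san "$live" "$@"
    rm -f "$live"
fi
```

Run it against every node in turn (sh san_check.sh cucm-sub1.example.com 8443 cucm-pub.example.com cucm-sub1.example.com cucm-sub2.example.com), because a node on which the Cisco Tomcat or Cisco CallManager service was not restarted still serves the old certificate even though Certificate Management shows the new one. A node that is missing from the SAN is the symptom described later in this document for a renamed server.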
Before you get the CA-signed SAN certificate for CUCM, ensure that:
The IP phones trust the Trust Verification Service (TVS). You can verify this by accessing any HTTPS service from a phone: for example, if Corporate Directory access works, the phone trusts the TVS service.
If it is a secure cluster (mixed mode), rerun the CTL client so that a new Certificate Trust List (CTL) file that includes the new CallManager certificate is created, and then reboot the cluster so the phones download it.
These logs help the Cisco Technical Assistance Center (TAC) identify any issues related to Multi-Server SAN CSR generation and upload of the CA-signed certificate:
Cisco Unified OS Platform API
IPT Platform CertMgr Logs
If the hostname of a server changes in a cluster that already uses a Multi-Server certificate, generate a new Multi-Server SAN CSR as explained previously and have it signed by the CA again, because the existing certificate does not cover the new name.