using server certificates that are signed by one of the following types of
Certificate Authority (CA):
- Public CA - A third-party
company verifies the server identity and issues a trusted certificate.
- Private CA - You create and
manage a local CA and issue trusted certificates.
process varies for each product and can vary between server versions. It is
beyond the scope of this document to provide detailed steps for every version
of each server. Refer the appropriate server documentation for detailed
instructions on how to get certificates signed by a CA.
following steps provide a high-level overview of the procedure:
|| Generate a
Certificate Signing Request (CSR) on each product that can present a certificate
to the client.
|| Submit each
CSR to the CA.
|| Upload the
certificates that the CA issues to each server.
Every server certificate
should have an associated root certificate present in the trust store on client
computers. Cisco UC applications validate the certificates that servers present
against the root certificates in the trust store.
If you get server
certificates signed by a public CA, the public CA should already have a root
certificate present in the trust store on the client computer. In this case,
you do not need to import root certificates on the client computers.
You should import
root certificates if the certificates are signed by a CA that does not already
exist in the trust store, such as a private CA.
SSO, the IdP and service providers must have CA signed certificates
with the correct domains in the CN or SAN. If the correct CA certificates are
not validated, the browser issues a pop up warning.
For example, when
the administrator points the browser to
https://www.cucm.com/ccmadmin; the CUCM portal
presents a CA certificate to the browser. When the browser is redirected to
https://www.idp.com/saml , the IdP presents a CA
certificate. The browser will check that the certificate presented by the
servers contains CN or SAN fields for that domain, and that the certificate is
signed by a trusted CA.
the customer has their own private CA, then that CA must be installed as a root
trust anchor on the computers that the administrator is launching their browser