Certificates Overview
Certificates are used to secure identities and to build a trust relationship between the IM and Presence Service and another system. You can use certificates to connect the IM and Presence Service to Cisco Unified Communications Manager, to Cisco Jabber clients, or to any external server. Without certificates, it would be impossible to know if a rogue DNS server was used, or if you were routed to another server.
There are two main classes of certificates that the IM and Presence Service can use:
- Self-signed Certificates—Self-signed certificates are signed by the same server that issues the certificate. Within an enterprise, you may use self-signed certificates to connect with another internal system, provided none of those connections are travelling over an insecure network. For example, the IM and Presence Service might generate self-signed certificates for an internal connection to Cisco Unified Communications Manager.
- CA-signed Certificates—These are certificates that are signed by a third-party Certificate Authority (CA). These can be signed by a public CA (such as Verisign, Entrust or Digicert) or a server (like Windows 2003, Linux, Unix, IOS) that controls the validity of the server/service certificate. CA-signed certificates are more secure than self-signed certificates and are typically used for any WAN connections. For example, a Federation connection with another enterprise or an intercluster peer configuration that uses WAN connections would require CA-signed certificates to build a trust relationship with the external system.
CA-signed certificates are more secure than self-signed certificates. In general, self-signed certificates are considered fine for internal connections, but for any WAN connections or connections that go across the public internet, you should use CA-signed certificates.
Multi-Server Certificates
The IM and Presence Service also supports multi-server SAN certificates for some system services. When you generate a Certificate Signing Request (CSR) for a multi-server certificate, the resulting multi-server certificate and its associated chain of signing certificates are distributed automatically to all cluster nodes once the certificate is uploaded to any cluster node.
Certificate Types in the IM and Presence Service
Within the IM and Presence Service, the different system components require different types of certificates. The following table describes the different certificates that are required for clients and services on the IM and Presence Service.
Note: If the certificate name ends in -ECDSA, then the certificate/key type is Elliptic Curve (EC). Otherwise, it is RSA.

Certificate Type | Service | Certificate Trust Store | Multi-Server Support | Notes
---|---|---|---|---
tomcat, tomcat-ECDSA | Cisco Client Profile Agent, Cisco AXL Web Service, Cisco Tomcat | tomcat-trust | Yes | Presented to a Cisco Jabber client as part of client authentication for IM and Presence Service. Presented to a web browser when navigating the Cisco Unified CM IM and Presence Administration user interface. The associated trust-store is used to verify connections made by IM and Presence Service for the purposes of authenticating user credentials with a configured LDAP server.
ipsec | | ipsec-trust | No | Used when an IPSec policy is enabled.
cup, cup-ECDSA | Cisco SIP Proxy, Cisco Presence Engine | cup-trust | No | Presents the certificate to Expressway-C to get IM and Presence for SIP federated users. The IM and Presence proxy acts as both client and server. The Presence Engine uses these certificates for Exchange/Office 365 communication to get calendar presence. Presence Engine acts as a client only.
cup-xmpp, cup-xmpp-ECDSA | Cisco XCP Connection Manager, Cisco XCP Web Connection Manager, Cisco XCP Directory service, Cisco XCP Router service | cup-xmpp-trust | Yes | Presented to a Cisco Jabber client, third-party XMPP client, or a CAXL based application when the XMPP session is being created. The associated trust-store is used to verify connections made by Cisco XCP Directory service in performing LDAP search operations for third-party XMPP clients. The associated trust-store is used by the Cisco XCP Router service when establishing secure connections between IM and Presence Service servers if the Routing Communication Type is set to Router-to-Router.
cup-xmpp-s2s, cup-xmpp-s2s-ECDSA | Cisco XCP XMPP Federation Connection Manager | cup-xmpp-trust | Yes | Presented for XMPP interdomain federation when connecting to externally federated XMPP systems.
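As an added example (not Cisco's code), a Python check an administrator can run on a certificate before uploading it: it reports whether the certificate is self-signed (issuer equals subject, the distinction drawn in the overview above), whether its key is EC or RSA (which decides between the plain and the -ECDSA certificate name in the table), and the SAN entries a multi-server certificate must cover. It assumes the third-party `cryptography` package is installed; the hostnames are constructed sample values.

```python
"""Inspect an X.509 certificate before loading it into an IM and Presence trust store.

Reports: self-signed vs CA-signed (issuer equals subject), key type (EC -> the
-ECDSA certificate name, RSA -> the plain name) and the SAN list (every cluster
node a multi-server certificate must cover). Added example, not Cisco code;
assumes the third-party `cryptography` package.
"""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


def inspect_certificate(pem: bytes) -> dict:
    """Return self_signed, key_type, name_suffix and san_dns for a PEM certificate."""
    cert = x509.load_pem_x509_certificate(pem)
    key = cert.public_key()
    if isinstance(key, ec.EllipticCurvePublicKey):
        key_type = "EC"
    elif isinstance(key, rsa.RSAPublicKey):
        key_type = "RSA"
    else:
        key_type = "other"
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        san_dns = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san_dns = []  # no SAN: cannot serve as a multi-server certificate
    return {
        # Self-signed: the same name both issued and owns the certificate.
        "self_signed": cert.issuer == cert.subject,
        "key_type": key_type,
        # Naming rule from the table: EC key -> "-ECDSA" suffix, RSA -> plain name.
        "name_suffix": "-ECDSA" if key_type == "EC" else "",
        "san_dns": san_dns,
    }


def make_self_signed_cert(hostnames: list, use_ec: bool) -> bytes:
    """Build a constructed sample self-signed certificate covering `hostnames`."""
    key = ec.generate_private_key(ec.SECP256R1()) if use_ec else rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)  # issuer == subject
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hostnames]), critical=False))
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```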