This topic covers the following certificate requirements for Mobile and Remote Access (MRA):
- Certificate exchange requirements for your UC servers
- Certificate signing request (CSR) requirements for Expressway servers that deploy MRA
- Managing mTLS Client Certificate for MRA Onboarding
Upload all CA-signed certificates that sign the Expressway server certificate or are referenced in the certificate chain before
uploading a new Expressway server certificate. The Expressway must always have the full CA-signed certificate chain in its
trusted store.
Remember: Remove any CA certificates that are not needed anymore.
Certificate Exchange Requirements
We recommend that you use CA-signed certificates for Mobile and Remote Access.
The following table shows the certificates that each application uses for Mobile and Remote Access along with the certificate
upload requirements for those applications.
This table assumes that you're using CA-signed certificates for all certificates that MRA uses.
Table 4. Certificate Exchange Requirements (CA-Signed Certificates)

Unified CM
Presents these certificates for MRA: CallManager, Tomcat
Exchange requirements: Each Unified CM cluster must trust the Expressway-C certificate. For each cluster, make sure of the following:
- If Mixed mode is enabled—The Expressway-C certificate must be installed to the CallManager-trust and Tomcat-trust store on Unified CM.
- If Mixed mode is disabled—The root CA certificate that signs the Expressway-C certificate must be installed to the CallManager-trust and Tomcat-trust store on Unified CM. And, restart the following:

IM and Presence Service
Presents these certificates for MRA: cup-xmpp, Tomcat
Exchange requirements: Each IM and Presence Service cluster must trust the Expressway-C certificate. For each cluster, make sure that the root CA certificate that signs the Expressway-C certificate is installed to the cup-xmpp-trust and Tomcat-trust store of the IM and Presence Service.

Unity Connection
Presents these certificates for MRA: Tomcat
Exchange requirements: The parameter used to define the Unity node in the Host Name/IP Address field of the Unified CM UC Service configuration (FQDN preferred) must be present in the Unity Tomcat certificate as a Subject Alternative Name (SAN).

Expressway-C
Presents these certificates for MRA: Expressway-C certificate (CA-signed)
Exchange requirements: Expressway-C must trust the certificates presented by each Unified CM and IM and Presence Service cluster. In addition, Expressway-C must trust the Expressway-E certificates. Make sure of the following:
- Expressway-C's trusted CA list must include the root CA certificate that signs the Unified CM and IM and Presence Service certificates for all UC clusters.
- Expressway-C's trusted CA list must include the CA certificate chain (root and intermediate certificates) that signs the Expressway-E certificate.
- If appropriate, Expressway-C's trusted CA list must include any endpoint certificates.
Note: Make sure that you add all root and intermediate Certificate Authority (CA) certificates (the full CA chain) used to sign the Expressway-C certificate to the tomcat-trust and CallManager-trust list of Cisco Unified Communications Manager (UCM), even when UCM is operating in non-secure mode.
Reason: The traffic server service on Expressway sends its certificate whenever a server (UCM) requests it. These requests are for services running on ports other than 8443 (for example, ports 6971, 6972, ...). This enforces certificate verification even if UCM is in non-secure mode.

Expressway-E
Presents these certificates for MRA: Expressway-E certificate (CA-signed)
Exchange requirements: Expressway-E must trust the Expressway-C certificate. Make sure of the following:
- Expressway-E's trusted CA list must include the CA certificate chain (root and intermediate certificates) that signs the Expressway-C certificate.
- If appropriate, Expressway-E's trusted CA list must include any endpoint certificates.
Certificate management is simplified if you use the same CA to sign certificates for all applications as it is already installed
on each application. However, you may want to limit certificate costs by using a public CA for Expressway-E and an enterprise
CA for internal applications.
Server certificate verification is the default for X14.2 or later releases. If you use self-signed certificates for Cisco
Unified Communications Manager (CallManager, Tomcat) or the IM and Presence Service (cup-xmpp, Tomcat) for Mobile and Remote
Access, upload them to the Expressway-C trusted CA-signed store.
You need not upload self-signed Unified CM and IM and Presence Service certificates to the Expressway-C trusted CA-signed
store if your Expressway-C version is earlier than X14.2 release.
You can also choose to disable server certificate verification in X14.2 or later releases. This means you need not upload
the Unified CM, IM and Presence Service certificates to the Expressway-C trusted CA-signed store. This is not a recommended
option.
Note: For the UC traversal zone between Expressway-C and Expressway-E, it's not sufficient to install the root CA certificate that
the other Expressway application uses. You must install the CA certificate chain (root plus intermediate certificates) that
the other Expressway application uses.
CSR Requirements for Expressway Servers
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant Subject Alternative Name (SAN)
entries as appropriate for the Unified Communications features that are supported on that Expressway.
The following table highlights CSR requirements when generating the Expressway-C and Expressway-E certificates for Mobile
and Remote Access.
Table 5. CSR Requirements for Expressway Servers with Mobile and Remote Access

Subject Alternative Names
Expressway-C requirement: The Expressway-C list of Subject Alternative Names must include:
- Phone Security Profiles used by MRA endpoints
- Expressway cluster name (for clustered Expressways only)
- IM and Presence chat node aliases (for Federated group chat)
Expressway-E requirement: The Expressway-E list of Subject Alternative Names must include:

Client Authentication
Expressway-C requirement: The certificate must include the Client Authentication extension. The system won't let you upload a certificate without this extension.
Note: Make sure that the CA that signs the request doesn't strip out the client authentication extension.
Expressway-E requirement: The certificate must include the Client Authentication extension. The system won't let you upload a certificate without this extension.
Note: Make sure that the CA that signs the request doesn't strip out the client authentication extension.
Note: We recommend that you use DNS format for the chat node aliases when generating the CSRs for both Expressways.
Note: Expressway-C automatically includes the chat node aliases in the certificate signing request (CSR), provided that it has discovered a set of IM and Presence Service servers.
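As an added example (not code from the Cisco guide), the following POSIX shell script checks an Expressway server certificate before upload for the requirements stated above and in the traversal-zone note: the Client Authentication extension that the system insists on (and that a signing CA may strip), a required DNS Subject Alternative Name, and validation against the issuing CA's full chain. It assumes OpenSSL 1.1.1 or later; the demo root CA and the name expc.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide. Pre-upload checks for an
# Expressway certificate: Client Authentication EKU present, a required SAN
# present, and the certificate validating against the CA chain. Assumes
# OpenSSL 1.1.1 or later (for "x509 -ext").

# check_client_auth CERT : succeeds if CERT carries the Client Authentication EKU
check_client_auth() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
    grep -q 'TLS Web Client Authentication'
}

# check_san CERT NAME : succeeds if DNS:NAME is among the Subject Alternative Names
check_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# check_chain CERT CAFILE : succeeds if CERT validates against CAFILE, which
# must hold the full chain (root plus intermediates) of the issuing CA
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_certs DIR KEEP_CLIENT_AUTH : constructed test data, not real
# Expressway material. Builds a demo root CA and signs a leaf for the
# placeholder name expc.example.com. With KEEP_CLIENT_AUTH=no the CA drops
# the clientAuth EKU from the issued certificate, the case the guide warns about.
make_demo_certs() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=expc.example.com" >/dev/null 2>&1
  if [ "$2" = yes ]; then eku=serverAuth,clientAuth; else eku=serverAuth; fi
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:expc.example.com,DNS:expcluster.example.com\n' \
    "$eku" > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}
```

Run the three check functions against the CA-returned certificate and the CA bundle you intend to upload; a failing check_client_auth on a certificate issued from a CSR that requested clientAuth means the CA stripped the extension.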
Generating CSRs and Uploading Certificates on Expressway
The following steps describe how to generate CSRs and upload certificates onto Expressway.
- Go to to generate a CSR and upload a server certificate to Expressway.
- Go to and upload trusted Certificate Authority (CA) certificates to Expressway.
- Restart the Expressway for the new trusted CA certificate to take effect.
Note: For detailed procedures and information on how to use the Certificate Signing Request tool to generate CSRs for Cisco Expressway certificates, and on how to upload and download certificates on Expressway, refer to the Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway Configuration Guides page.
Managing mTLS Client Certificate for MRA Onboarding
If your MRA client presents a client certificate, make sure that you add the CA certificate that signed the client certificate
to the mTLS CA trust list.
Note: Expressway uses mTLS for any MRA connections. mTLS is activated for all MRA connections once Activation Code Onboarding is
enabled. This can alter the behavior of the Jabber client depending on the operating system.
If you are using Jabber on an Apple computer, a pop-up asks you to select a certificate from the local trust store. If no certificate is chosen, the MRA login still works, because Jabber MRA logins do not require mTLS. Only IP Phones need mTLS.
The CA certificate page for mTLS is accessed from the Trusted CA certificate page.
This page only applies if you use Expressway for Mobile and Remote Access (MRA) with Cisco Unified Communications products,
and onboarding with activation codes is enabled for MRA.
The following steps describe how to upload mTLS certificates onto Expressway:
- Go to .
- Click the Activation Code onboarding trusted CA certificate link under Related tasks to upload the CA certificate for the mTLS connection.
- Upload the CA certificate and click Append CA certificate for mTLS.