Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Secure certificate exchange between IM and Presence and Microsoft Exchange

Management of Self-Signed and Third-Party Certificate Exchanges

The following table provides an overview of the steps for configuring secure certificate exchange for self-signed and third-party certificates.

Table 1 Self-signed and Third-party Certificate Checklist

Configuration Steps and Procedures To Complete This Configuration

    Step 1   Install the Certificate CA Service
        Self-Signed Certificates: Installation of the Certificate Authority (CA) service

    Step 2   Generate a CSR on IIS of Exchange server
        Self-Signed Certificates: Generation of a CSR on IIS of Exchange server
        Third-Party Certificates: Generation of a CSR on IIS of Exchange server

    Step 3   Submit the CSR to the CA Server/Certificate Authority
        Self-Signed Certificates: Submit CSR to CA server/certificate authority
        Third-Party Certificates: Request the CSR from your Certificate Authority.

    Step 4   Download the signed certificate
        Self-Signed Certificates: Download signed certificate
        Third-Party Certificates: Your Certificate Authority will provide you with the signed certificate.

    Step 5   Upload the signed certificate onto Exchange IIS
        Self-Signed Certificates: Upload of signed certificate onto Exchange IIS
        Third-Party Certificates: Upload of signed certificate onto Exchange IIS

    Step 6   Download the root certificate
        Self-Signed Certificates: Download root certificate
        Third-Party Certificates: Request the root certificate from your Certificate Authority.

    Step 7   Upload the root certificate to the IM and Presence server
        Self-Signed Certificates: Upload root certificate to IM and Presence server
        Third-Party Certificates: If you have a third-party CA-signed Exchange server certificate, note that you must upload all CA certificates in the certificate chain to IM and Presence as an IM and Presence Trust certificate (cup-trust).

Installation of the Certificate Authority (CA) service

Although the CA can run on the Exchange server, we recommend that you use a different Windows server as a Certificate Authority (also known as CA) to provide extended security for third-party certificate exchanges.

Install CA on Windows Server 2003

Before You Begin
  • In order to install the CA you must first install Internet Information Services (IIS) on a Windows Server 2003 computer. IIS is not installed with the default Windows 2003 installation.
  • Ensure that you have Windows Server disc 1 and SP1 discs.
Procedure
    Step 1   Select Start > Control Panel > Add or Remove Programs.
    Step 2   Select Add/Remove Windows Components in the Add or Remove Programs window.
    Step 3   On Page 1 of the Windows Components wizard, check Certificate Services under Components and select Yes when the Warning displays about domain membership and computer renaming constraints.
    Step 4   On page 2 of the Windows Components wizard, select Stand-alone Root CA and select Next.
    Step 5   On page 3 of the Windows Components wizard, enter the name of the server in the Common Name field for the CA Server. If there is no DNS, type the IP address. Select Next.
    Step 6   On page 4 of the Windows Components wizard, accept the default settings and select Next.
    Step 7   Select Yes when you are prompted to stop Internet Information Services.
    Step 8   Select Yes when you are prompted to enable Active Server Pages (ASP).
    Step 9   Select Finish after the installation process completes.

    Troubleshooting Tips

    Remember that the CA is a third-party authority. The common name of the CA should not be the same as the common name used to generate a CSR.


    What to Do Next

    Generate a CSR (Windows Server 2008)

Install CA on Windows Server 2008

Procedure
    Step 1   Select Start > Administrative Tools > Server Manager.
    Step 2   Select Roles in the console tree.
    Step 3   Select Action > Add Roles.
    Step 4   Complete the Add Roles wizard:
        Before You Begin Window (Page 1 of 13): Ensure that you have completed all prerequisites listed in the window and select Next.
        Select Server Roles Window (Page 2 of 13): Check Active Directory Certificate Services and select Next.
        Introduction Window (Page 3 of 13): Select Next.
        Select Role Services Window (Page 4 of 13): Check these boxes and select Next:
            • Certificate Authority
            • Certificate Authority Web Enrollment
            • Online Responder
        Specify Setup Type Window (Page 5 of 13): Select Standalone.
        Specify CA Type Window (Page 6 of 13): Select Root CA.
        Set Up Private Key Window (Page 7 of 13): Select Create a new private key.
        Configure Cryptography for CA Window (Page 8 of 13): Select the default cryptographic service provider.
        Configure CA Name Window (Page 9 of 13): Enter a common name to identify the CA.
        Set Validity Period Window (Page 10 of 13): Set the validity period for the certificate generated for the CA.
            Note   The CA will issue valid certificates only to the expiration date that you specify.
        Configure Certificate Database Window (Page 11 of 13): Select the default certificate database locations.
        Confirm Installation Selections Window (Page 12 of 13): Select Install.
        Installation Results Window (Page 13 of 13): Verify that the Installation Succeeded message displays for all components and select Close.
            Note   Active Directory Certificate Services is now listed as one of the roles on the Server Manager.

    What to Do Next

    Generation of a CSR on IIS of Exchange server

Generation of a CSR on IIS of Exchange server

Generate a CSR (Windows Server 2003)

You must generate a Certificate Signing Request (CSR) on the IIS server for Exchange, which is subsequently signed by the CA server. If the Certificate has the Subject Alternative Name (SAN) field populated, it must match the Common Name (CN) of the certificate.

Before You Begin

[Self-signed Certificates] Install the certificate CA service if required.

Procedure
    Step 1   From Administrative Tools, open Internet Information Services.
    Step 2   Right-click Default Web Site and select Properties.
    Step 3   Select the Directory Security tab.
    Step 4   Select Server Certificate and select Next.
    Step 5   Select Create a new certificate in the Server Certificate window and select Next.
    Step 6   Select Prepare the request now, but send it later in the Delayed or Immediate Request window and select Next.
    Step 7   Accept the Default Web Site certificate name, choose 2048 for the bit length in the Name and Security Settings window, and select Next.
    Step 8   Enter your company name in the Organization field and your company's organizational unit in the Organizational Unit field in the Organization Information window and select Next.
    Step 9   Enter the Exchange Server hostname or IP address in the Common Name field in the Your Site's Common Name window and select Next.
    Note   The IIS certificate Common Name that you enter is used to configure the Presence Gateway on IM and Presence, and must be identical to the Host (URI or IP address) you are trying to reach.
    Step 10   Enter your geographical information in the Geographical Information window and select Next.
    Step 11   Enter an appropriate filename for the certificate request and specify the path and file name where you want to save your CSR in the Certificate Request File Name window and select Next.
    Note   Make sure that you save the CSR without any extension (.txt) and remember where you save it because you will need to be able to find this CSR file later. Only use Notepad to open the file.
    Step 12   Confirm that the information is correct in the Request File Summary window and select Next.
    Step 13   Select Finish.

    What to Do Next

    Submit CSR to CA server/certificate authority

Generate a CSR (Windows Server 2008)

You must generate a Certificate Signing Request (CSR) on the IIS server for Exchange, which is subsequently signed by the CA server.

Procedure
    Step 1   From Administrative Tools, open Internet Information Services (IIS) Manager.
    Step 2   Select the Exchange Server under Connections in the left frame of the IIS Manager.
    Step 3   Double-click Server Certificates.
    Step 4   Select Create Certificate Request under Actions in the right frame of the IIS Manager.
    Step 5   Enter the relevant information in the Distinguished Name Properties window, and select Next.
        1. Enter the Exchange Server hostname or IP address in the Common Name field.
           Note   The IIS certificate Common Name that you enter is used to configure the Presence Gateway on IM and Presence, and must be identical to the Host (URI or IP address) you are trying to reach.
        2. Enter your company name in the Organization field.
        3. Enter the organizational unit that your company belongs to in the Organizational Unit field.
        4. Enter your geographic information.
    Step 6   Accept the default Cryptographic service provider, choose 2048 for the bit length in the Cryptographic Service Provider Properties window, and select Next.
    Step 7   Enter an appropriate filename for the certificate request in the Certificate Request File Name window and select Next.
    Note   Make sure that you save the CSR without any extension (.txt) and remember where you save it because you will need to be able to find this CSR file later. Only use Notepad to open the file.
    Step 8   Confirm that the information is correct in the Request File Summary window and select Next.
    Step 9   Select Finish.

    What to Do Next

    Submit CSR to CA server/certificate authority

Submit CSR to CA server/certificate authority

We recommend that the default SSL certificate generated for Exchange on IIS use the Fully Qualified Domain Name (FQDN) of the Exchange server and be signed by a Certificate Authority that IM and Presence trusts. This procedure allows the CA to sign the CSR from Exchange IIS. Perform the following procedure on your CA server, and configure the FQDN of the Exchange server in the:

  • Exchange certificate.
  • Presence Gateway field of the Exchange Presence Gateway in Cisco Unified Communications Manager IM and Presence Administration.

Before You Begin

Generate a CSR on IIS of the Exchange server.

Procedure
    Step 1   Copy the certificate request file to your CA server.
    Step 2   Open one of the following URLs:
        • Windows 2003 or Windows 2008: http://local-server/certserv
        or
        • Windows 2003: http://127.0.0.1/certserv
        • Windows 2008: http://127.0.0.1/certsrv
    Step 3   Select Request a certificate.
    Step 4   Select advanced certificate request.
    Step 5   Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    Step 6   Using a text editor like Notepad, open the CSR that you generated.
    Step 7   Copy all information from and including -----BEGIN CERTIFICATE REQUEST----- to and including -----END CERTIFICATE REQUEST-----.
    Step 8   Paste the content of the CSR into the Certificate Request text box.
    Step 9   (Optional) By default, the Certificate Template drop-down list shows the Administrator template, which may or may not produce a valid signed certificate appropriate for server authentication. If you have an enterprise root CA, select the "Web Server" certificate template from the Certificate Template drop-down list. The "Web Server" certificate template may not display, and therefore this step may not apply, if you have already modified your CA configuration.
    Step 10   Select Submit.
    Step 11   Select Start > Administrative Tools > Certification Authority > CA name > Pending Requests to open the Certification Authority. The Certificate Authority window displays the request you just submitted under Pending Requests.
    Step 12   Right-click your request, and complete these actions:
        • Navigate to All Tasks.
        • Select Issue.
    Step 13   Select Issued certificates and verify that your certificate has been issued.

    What to Do Next

    Download signed certificate
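Before the request is pasted into the CA web page, a practitioner can check it against the rules stated above: a complete PEM block between the BEGIN and END CERTIFICATE REQUEST markers, an RSA key of 2048 bits, a Common Name identical to the host that will be configured as the Presence Gateway, and a SAN (if populated) that agrees with the CN. The following Go program is an added example, not part of the Cisco documentation or of any Cisco or Microsoft tool; it builds a constructed CSR to stand in for the file the IIS wizard writes, and the host exchange.example.com is an assumed value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// CheckCSR lists what would make the CA reject the request or make IM and
// Presence fail to match the resulting certificate to its Presence Gateway.
// exchangeHost is the value that will be configured in the Presence Gateway
// field; an empty result means the CSR is ready to paste into the CA web page.
func CheckCSR(pemText, exchangeHost string) []string {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return []string{"text is not a complete -----BEGIN/END CERTIFICATE REQUEST----- block"}
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return []string{"PKCS #10 body does not parse: " + err.Error()}
	}
	var problems []string
	if csr.CheckSignature() != nil {
		problems = append(problems, "self-signature does not verify (file altered or re-encoded)")
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		problems = append(problems, "key is not RSA of at least 2048 bits")
	}
	cn := csr.Subject.CommonName
	if !strings.EqualFold(cn, exchangeHost) {
		problems = append(problems, fmt.Sprintf("CN %q is not identical to the Presence Gateway host %q", cn, exchangeHost))
	}
	sanOK := len(csr.DNSNames) == 0 // an empty SAN is allowed; a populated one must contain the CN
	for _, n := range csr.DNSNames {
		sanOK = sanOK || strings.EqualFold(n, cn)
	}
	if !sanOK {
		problems = append(problems, "SAN is populated but does not contain the CN")
	}
	return problems
}

// NewTestCSR builds a constructed PKCS #10 request in PEM form, standing in
// for the file the IIS wizard writes; bits mirrors the wizard's bit-length choice.
func NewTestCSR(cn string, sans []string, bits int) string {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

func main() {
	good := NewTestCSR("exchange.example.com", []string{"exchange.example.com"}, 2048)
	fmt.Println(CheckCSR(good, "exchange.example.com")) // no problems
	fmt.Println(CheckCSR(NewTestCSR("exchange.example.com", []string{"mail.example.com"}, 2048), "exchange.example.com"))
	// A copy that lost the dashes of its END marker, as happens when the text is not copied in full.
	fmt.Println(CheckCSR(strings.Replace(good, "-----END", "END", 1), "exchange.example.com"))
}
```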

Download signed certificate

Before You Begin

[Self-signed Certificates] Submit the CSR to the CA server.

[Third-Party Certificates] Request the CSR from your Certificate Authority.

Procedure
    Step 1   In Administrative Tools, open the Certification Authority. The Certificate Request that you just issued displays in Issued Requests.
    Step 2   Right-click the request and select Open.
    Step 3   Select the Details tab.
    Step 4   Select Copy to File.
    Step 5   Select Next when the Certificate Export Wizard displays.
    Step 6   Complete the Certificate Export Wizard:
        Export File Format Window (Page 1 of 3): Select Base-64 encoded X.509 and select Next.
        File to Export Window (Page 2 of 3): Enter the location where you want to store the certificate and use cert.cer for the certificate name, for example, c:\cert.cer. Select Next.
        Certificate Export Wizard Completion Window (Page 3 of 3): Review the summary information, verify that the export was successful, and select Finish.
    Step 7   Copy or FTP the cert.cer to the computer that you use to administer IM and Presence.

    What to Do Next

    Upload of signed certificate onto Exchange IIS

Upload of signed certificate onto Exchange IIS

Upload signed certificate (Windows 2003)

This procedure takes the signed CSR and uploads it onto IIS. To upload the signed certificate, perform the following steps on the computer that you use to administer IM and Presence.

Before You Begin

[Self-signed Certificates] Download the signed certificate.

[Third-party Certificates] Your Certificate Authority will provide you with the signed certificate.

Procedure
    Step 1   From Administrative Tools, open Internet Information Services.
    Step 2   Complete the following steps in the Internet Information Services window:
        1. Right-click Default Web Site.
        2. Select Properties.
    Step 3   Complete the following steps in the Default Web Site Properties window:
        1. Select the Directory Security tab.
        2. Select Server Certificate.
    Step 4   Select Next when the Web Server Certificate Wizard window displays.
    Step 5   Complete the Web Server Certificate Wizard:
        Pending Certificate Request Window (Page 1 of 4): Select Process the pending request and install the certificate and select Next.
        Process a Pending Request Window (Page 2 of 4): Select Browse to locate your certificate, navigate to the correct path and filename, and select Next.
        SSL Port Window (Page 3 of 4): Enter 443 for the SSL port and select Next.
        Web Server Certificate Completion Window (Page 4 of 4): Select Finish.

    Troubleshooting Tips

    If your certificate is not in the trusted certificates store, the signed CSR will not be trusted. To establish trust, complete these actions:

      • Select View Certificate in the Directory Security tab.
      • Select the Details tab, highlight the root certificate, and select View.
      • Select the Details tab for the root certificate and install the certificate.

    What to Do Next

    Download root certificate

Upload signed certificate (Windows 2008)

This procedure takes the signed CSR and uploads it onto IIS. To upload the signed certificate, perform the following steps on the computer that you use to administer IM and Presence.

Before You Begin

[Self-signed Certificates] Download the signed certificate.

[Third-party Certificates] Your Certificate Authority will provide you with the signed certificate.

Procedure
    Step 1   From Administrative Tools, open Internet Information Services (IIS) Manager.
    Step 2   Select the Exchange Server under Connections in the left frame of the IIS Manager.
    Step 3   Double-click Server Certificates.
    Step 4   Select Complete Certificate Request under Actions in the right frame of the IIS Manager.
    Step 5   Complete these actions in the Specify Certificate Authority Response window:
        1. Select the ellipsis [...] to locate your certificate.
        2. Navigate to the correct path and filename.
        3. Enter a user-friendly name for your certificate.
        4. Select Ok. The certificate that you completed displays in the certificate list.
    Step 6   Complete the following steps in the Internet Information Services window to bind the certificate:
        1. Select Default Web Site.
        2. Select Bindings under Actions in the right frame of the IIS Manager.
    Step 7   Complete the following steps in the Site Bindings window:
        1. Select https.
        2. Select Edit.
    Step 8   Complete the following steps in the Edit Site Binding window:
        1. Select the certificate that you just created from the SSL certificate list box. The "friendly name" that you applied to the certificate displays.
        2. Select Ok.

    What to Do Next

    Download root certificate

Download root certificate

Before You Begin

Upload the Signed Certificate onto Exchange IIS.

Procedure
    Step 1   Sign in to your CA server and open a web browser.
    Step 2   Open the URL specific to your Windows platform type:
        1. Windows Server 2003: http://127.0.0.1/certserv
        2. Windows Server 2008: https://127.0.0.1/certsrv
    Step 3   Select Download a CA certificate, certificate chain, or CRL.
    Step 4   For the Encoding Method, select Base 64.
    Step 5   Select Download CA Certificate.
    Step 6   Save the certificate, certnew.cer, to the local disk.

    Troubleshooting Tips

    If you do not know the Subject Common Name (CN) of the root certificate, you can use an external certificate management tool to find this information. On a Windows operating system, right-click the certificate file with a .CER extension and open the certificate properties.

    What to Do Next

    Upload root certificate to IM and Presence server

Upload root certificate to IM and Presence server

Before You Begin
  • [Self-signed Certificates] Download the root certificate.
  • [Third-party Certificates] Request the root certificate from your Certificate Authority. If you have a third-party CA-signed Exchange server certificate, note that you must upload all CA certificates in the certificate chain to IM and Presence as a Cisco Unified Presence Trust certificate (cup-trust).

Procedure
    Step 1   Use the Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration to upload the certificate.

    The Certificate Import Tool simplifies the process of installing trust certificates on IM and Presence and is the primary method for certificate exchange. The tool allows you to specify the host and port of the Exchange server and attempts to download the certificate chain from the server. Once approved, the tool automatically installs the missing certificates.

    Note   This procedure describes one way to access and configure the Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration. You can also view a customized version of the Certificate Import Tool when you configure the Exchange Presence Gateway for a specific type of calendaring integration (select Presence > Gateways).

        1. Select System > Security > Certificate Import Tool in Cisco Unified Communications Manager IM and Presence Administration.
        2. Select CUP Trust as the Certificate Trust Store where you want to install the certificates. This store holds the Presence Engine trust certificates required for Exchange integration.
        3. Enter one of these values to connect with the Exchange server:
            • IP address
            • Host name
            • FQDN
           The value that you enter in this Peer Server field must exactly match the IP address, host name or FQDN of the Exchange server.
        4. Enter the port that is used to communicate with the Exchange server. This value must match the available port on the Exchange server.
        5. Select Submit. After the tool finishes, it reports these states for each test:
    Step 2   If the Certificate Import Tool indicates that certificates are missing (typically the CA certificate is missing on Microsoft servers), manually upload the CA certificate(s) using the Certificate Management window in Cisco Unified OS Administration.

    If the Exchange server does not provide the CA certificates during the SSL/TLS handshake, you cannot use the Certificate Import Tool to import those certificates. In this case, you must manually import the missing certificates using the Certificate Management tool in Cisco Unified OS Administration (select Security > Certificate Management).

        1. Copy or FTP the certnew.cer certificate file to the computer that you use to administer your IM and Presence server.
        2. From the Navigation menu on the Cisco Unified Communications Manager IM and Presence Administration login window, select Cisco Unified IM and Presence OS Administration and select Go.
        3. Enter your username and password for Cisco Unified IM and Presence Operating System Administration and select Login.
        4. Select Security > Certificate Management.
        5. Select Upload Certificate in the Certificate List window.
        6. Complete these actions when the Upload Certificate pop-up window displays:
            • Select cup-trust from the Certificate Name list box.
            • Enter the root certificate name without any extension.
        7. Select Browse and select certnew.cer.
        8. Select Upload File.
    Step 3   Return to the Certificate Import Tool (Step 1) and verify that all status tests succeed.
    Step 4   Restart the Cisco Presence Engine and SIP Proxy service after you upload all Exchange trust certificates. Select Cisco Unified IM and Presence Serviceability > Tools > Service Activation.

    Troubleshooting Tips

      • IM and Presence allows you to upload Exchange server trust certificates with or without a Subject Common Name (CN).
      • If you use the Meeting Notification feature, you must restart the Presence Engine and SIP Proxy for all types of certificates. After you upload your certificates, go to Cisco Unified IM and Presence Serviceability and restart the Presence Engine first, followed by the Proxy restart. Note that this can affect Calendaring connectivity.
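To make the Certificate Import Tool's outcome concrete, the following Go program is an added example (not Cisco code) that, given the certificates a server presents in its TLS handshake and the contents of the cup-trust store, walks the chain from the leaf towards a self-signed root and reports which issuer is absent from both, which is the certificate that must be uploaded by hand through Cisco Unified OS Administration. The CA names and the host exchange.example.com are constructed test values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// CertList holds certificates as a TLS server presents them: the leaf first,
// then whatever CA certificates the server chose to include in the handshake.
type CertList []*x509.Certificate

// ChainReport is what an operator needs after the tool has pulled the chain.
type ChainReport struct {
	NotPresented []string // issuer CNs found in neither the handshake nor cup-trust: upload manually
	Trusted      bool     // the walk ended at a self-signed root that is already in cup-trust
}

// CheckPresentedChain walks from the leaf towards a self-signed root using only
// the CA certificates the server sent plus those already in cup-trust. The first
// issuer it cannot find must be uploaded by hand; rerun after each upload.
func CheckPresentedChain(presented, cupTrust CertList) ChainReport {
	var rep ChainReport
	pool := append(append(CertList{}, presented[1:]...), cupTrust...)
	cur := presented[0]
	for depth := 0; depth < 8 && cur.CheckSignatureFrom(cur) != nil; depth++ {
		var issuer *x509.Certificate
		for _, cand := range pool {
			if cand.Subject.String() == cur.Issuer.String() && cur.CheckSignatureFrom(cand) == nil {
				issuer = cand
			}
		}
		if issuer == nil { // neither sent by Exchange nor already in cup-trust
			rep.NotPresented = append(rep.NotPresented, cur.Issuer.CommonName)
			return rep
		}
		cur = issuer
	}
	rep.Trusted = slices.ContainsFunc(cupTrust, cur.Equal)
	return rep
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCert issues a constructed certificate (parent nil means self-signed)
// standing in for the CA built in the procedure above; not production code.
func newTestCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := newTestCert("Example Root CA", true, nil, nil)
	inter, interKey := newTestCert("Example Issuing CA", true, root, rootKey)
	leaf, _ := newTestCert("exchange.example.com", false, inter, interKey)
	fmt.Printf("%+v\n", CheckPresentedChain(CertList{leaf, inter}, nil))           // root not presented
	fmt.Printf("%+v\n", CheckPresentedChain(CertList{leaf}, CertList{root, inter})) // trusted
}
```

A chain that the server presents in full but that is not yet in cup-trust reports nothing missing and Trusted false: that is the case the tool can complete on its own once approved.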