
Configure Cisco Unified Communications Manager and Cisco IM and Presence certificates with the enterprise certificate authority

Cisco Unified Communications Manager (CUCM) and Cisco IM and Presence (CIMP) provide the ability to use multi-server certificates with Subject Alternative Names (SANs) for the tomcat, cup-xmpp, and cup-xmpp-ECDSA services. This topic describes certificate configuration using these feature enhancements. Multi-server certificates need only be configured on the CUCM and CIMP Publishers. Regardless of CIMP version, the cup service certificate is not multi-server and must be configured on each CIMP server in the cluster.
If your environment is not using multi-server certificates, you must use the Cisco Operating System Administration user interface on all of the CUCM and CIMP nodes to configure the Tomcat certificates, and on all of the CIMP nodes to configure the cup, cup-xmpp, and cup-xmpp-ECDSA certificates. The Cisco Tomcat service runs on both CUCM and CIMP servers; the cup, cup-xmpp, and cup-xmpp-ECDSA services run only on the CIMP servers.
When you configure the Presence service to communicate with CUCM and CIMP, you can configure the Cisco certificates to be signed by the enterprise certificate authority. You require the following certificates and certificate signing requests (CSRs) when you want to configure the Presence service to communicate with Cisco Unified Communications Manager and Cisco IM and Presence:
Service: Connect only (1)
Certificates or CSRs:
  • Enterprise Root CA certificate
  • Tomcat Certificate Signing Request (from CUCM)
  • Tomcat CA-signed certificate
  • Tomcat-ECDSA CA-signed certificate
  • Cup-xmpp Certificate Signing Request (from CIMP)
  • Cup-xmpp CA-signed certificate
  • Cup-ECDSA CA-signed certificate (from CIMP)
  • Cup-xmpp-ECDSA CA-signed certificate (from CIMP)

Service: Presence only (1)
Certificates or CSRs:
  • Enterprise Root CA certificate
  • Tomcat Certificate Signing Request (from CUCM)
  • Tomcat CA-signed certificate
  • Tomcat-ECDSA CA-signed certificate
  • Cup Certificate Signing Request (from CIMP)
  • Cup CA-signed certificate
  • Cup-ECDSA CA-signed certificate (from CIMP)
  • Cup-xmpp-ECDSA CA-signed certificate (from CIMP)

(1) If you configure both the Connect and Presence services, make sure that all of the required certificates or CSRs are uploaded.
You must upload the root CA certificate as a trust certificate for the corresponding service, or you will receive the error message "CA certificate is not available in the trust-store". For example, if you want to use a CA-signed tomcat certificate, you must first upload the root CA certificate as a tomcat-trust certificate; if you want to use a CA-signed cup certificate, you must first upload the root CA certificate as a cup-trust certificate; and if you want to use a CA-signed cup-xmpp certificate, you must first upload the root CA certificate as a cup-xmpp-trust certificate.
  1. Complete steps 2 to 9 for each of the certificate pairs. For example, tomcat/tomcat-trust, cup/cup-trust, cup-xmpp/cup-xmpp-trust, and cup-xmpp-ECDSA/cup-xmpp-trust.
  2. Log in to Cisco Unified OS Administration using your administrator credentials. Complete the following tasks on the CUCM Publisher and the IM and Presence Publisher. For the cup service certificate, complete the following tasks on all servers in the cluster.
  3. Click Security > Certificate Management.
  4. Upload the root enterprise CA certificate.
    The uploaded certificate is distributed to all of the servers in the cluster for the given service (for example, tomcat, cup, cup-xmpp, and cup-xmpp-ECDSA).
    a. Click Upload Certificate/Certificate chain.
    b. In the Certificate Purpose drop-down list, select the trust store (for example, tomcat-trust, cup-trust, or cup-xmpp-trust).
    c. Click Browse. Navigate to the enterprise root certificate downloaded earlier.
    d. Click Open.
    e. Click Upload.
    f. If the certificate upload is successful, click Close.
  5. Request a CSR.
    a. Click Generate CSR. The new CSR will overwrite the existing CSR for that certificate.
    b. In the Certificate Purpose drop-down list, click the service you want to generate the CSR for. For example, tomcat, cup, or cup-xmpp.
    c. In the Distribution drop-down list, select Multi-server (SAN).
      Make sure that the list of auto-populated domains in the Subject Alternate Names section contains the FQDNs of all of the CUCM and CIMP servers that will be configured in BEMS. A node that is missing from this list is not covered by the resulting certificate.
    d. Click Close. A second copy of the <service> certificate appears in the certificate list as a CSR Only type.
    e. Click the CSR Only type version of the <service> certificate link.
    f. In the CSR Details for <Publisher_Hostname-ms.domain>, <service> certificate dialog box, click Download CSR.
    g. Save the <service>.csr file. Open the file in a text editor.
    h. Copy the certificate request information, including the Begin and End Certificate Request lines.
  6. Submit the new CSR to the Microsoft Active Directory Certificate Services server.
    a. On the Microsoft Active Directory Certificate Services server, click Request a certificate.
    b. Click Advanced certificate request.
    c. On the Submit a Certificate Request or Renewal request window, in the Saved Request field, paste the certificate request information that you copied in step 5h.
    d. In the Certificate Template drop-down list, click Web Server.
    e. Click Submit.
    f. On the Certificate Issued window, select DER encoded. Click Download certificate.
    g. Click OK. By default, the certificate is saved to the Downloads folder.
  7. Upload the CA-signed certificate on the Cisco Unified Operating System Administration web page to replace the CSR Only version of the appropriate service certificate with the CA-signed version.
    a. On the Cisco Unified Operating System Administration web page, click Upload Certificate/Certificate chain.
    b. In the Certificate Purpose drop-down list, select the service certificate that you generated the CSR for (for example, tomcat, cup, or cup-xmpp), and browse to the CA-signed certificate that you downloaded in step 6.
    c. Click Upload, and then click OK.
    d. Click Close. The CSR Only version of the <service> certificate changes to CA-signed.
  8. Restart Cisco services on all IM and Presence nodes.
    a. Log in to the Cisco Unified IM and Presence Serviceability server.
    b. Click Tools > Control Center - Network Services.
    c. In the Server drop-down list, select the IM and Presence server. Click Go.
    d. Under IM and Presence Services, select Cisco XCP Router.
    e. Click Restart. Click OK.
    f. Click Tools > Control Center - Feature Services.
    g. In the Server drop-down list, select the IM and Presence server. Click Go.
    h. Under IM and Presence Services, select Cisco SIP Proxy.
    i. Click Restart. Click OK.
    j. Repeat steps h and i for Cisco Presence Engine.
  9. Restart the Cisco Tomcat service using SSH on all CUCM and CIMP nodes.
    At the CLI prompt, type utils service restart Cisco Tomcat.
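The SAN check in step 5c, and the certificate you get back from the enterprise CA in step 6, can both be verified offline before anything is submitted or uploaded. The following Python script is an added example and is not Cisco or BlackBerry code: it walks just enough DER (PKCS#10 request or X.509 certificate, PEM or DER encoded) to pull out the dNSName entries of the subjectAltName extension, so it needs no third-party library, and reports which expected FQDNs are missing. The example.com hostnames and the build_sample_csr helper, which produces an unsigned, structurally minimal CSR used only as constructed test input, are assumptions and not part of the original page.

```python
"""Check the Subject Alternative Names in a Cisco multi-server (SAN) CSR or an issued certificate.

Added example, not Cisco or BlackBerry code. Parses just enough DER (PKCS#10 or X.509)
to extract the subjectAltName dNSName entries, so the CSR downloaded in step 5 can be
checked against the CUCM/CIMP FQDNs before it goes to the CA, and the DER certificate
returned by AD CS can be checked again before it is uploaded in step 7.
"""
import base64
import re

SAN_OID = bytes.fromhex("551d11")                    # 2.5.29.17 subjectAltName
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")    # 1.2.840.113549.1.9.14 extensionRequest


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _elements(buf):
    """Yield (tag, value) for each top-level element of a DER byte string."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _san_extension_value(buf):
    """Depth-first walk of constructed nodes; return the subjectAltName extnValue (OCTET STRING content)."""
    items = list(_elements(buf))
    for i, (tag, value) in enumerate(items):
        if tag == 0x06 and value == SAN_OID:
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            for sib_tag, sib_value in items[i + 1:]:
                if sib_tag == 0x04:
                    return sib_value
        if tag & 0x20:                               # constructed type (SEQUENCE, SET, [n]): descend
            found = _san_extension_value(value)
            if found is not None:
                return found
    return None


def to_der(data):
    """Accept PEM text (CSR or certificate, including its BEGIN/END lines) or raw DER bytes."""
    if isinstance(data, bytes):
        return data
    body = "".join(line for line in data.splitlines() if not line.startswith("-----"))
    return base64.b64decode(re.sub(r"\s+", "", body))


def san_dns_names(data):
    """Return the dNSName entries of the subjectAltName extension, in the order they appear."""
    ext_value = _san_extension_value(to_der(data))
    if ext_value is None:
        return []
    _, general_names, _ = _read_tlv(ext_value, 0)   # GeneralNames ::= SEQUENCE OF GeneralName
    return [v.decode("ascii") for t, v in _elements(general_names) if t == 0x82]  # [2] dNSName


def missing_sans(data, expected_fqdns):
    """FQDNs (compared case-insensitively) that the CSR/certificate does not cover; empty means OK to submit/upload."""
    present = {name.lower() for name in san_dns_names(data)}
    return sorted(f for f in expected_fqdns if f.lower() not in present)


# --- Constructed test input only: a minimal, unsigned PKCS#10 request carrying a SAN extension. ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_csr(dns_names, common_name="cucm-pub-ms.example.com"):
    """Build a structurally valid but unsigned CSR for hypothetical example.com hosts (offline testing only)."""
    general_names = _tlv(0x30, b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names))
    san_ext = _tlv(0x30, _tlv(0x06, SAN_OID) + _tlv(0x04, general_names))
    ext_req = _tlv(0x30, _tlv(0x06, EXT_REQ_OID) + _tlv(0x31, _tlv(0x30, san_ext)))
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, common_name.encode()))))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + _tlv(0x30, b"") + _tlv(0xA0, ext_req))
    csr = _tlv(0x30, info + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) + _tlv(0x03, b"\x00"))
    pem = base64.encodebytes(csr).decode("ascii")
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + pem + "-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    csr = build_sample_csr(["cucm-pub-ms.example.com", "cucm-pub.example.com", "cimp-pub.example.com"])
    print("SANs in CSR:", san_dns_names(csr))
    print("Missing:", missing_sans(csr, ["cucm-pub.example.com", "cimp-pub.example.com", "cimp-sub.example.com"]))
```

Feed san_dns_names or missing_sans the contents of the <service>.csr file saved in step 5g together with the FQDNs of every CUCM and CIMP node that BEMS will use; an empty missing list means the request covers all of them. Running the same check on the DER file downloaded from AD CS in step 6 confirms that the issued certificate still carries every name before you upload it in step 7. Where openssl is available, openssl req -in <service>.csr -noout -text shows the same list under X509v3 Subject Alternative Name.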