Configure Cisco Unified Communications
Manager and Cisco IM and Presence certificates with the enterprise certificate authority
Cisco Unified Communications
Manager
and Cisco
IM and Presence certificates with the enterprise certificate authorityCisco Unified Communications
Manager
(CUCM) and Cisco
IM and Presence (CIMP) version 10.5.1 and later provide the ability to use multi-server certificates with Subject Alternative Names for tomcat, cup-xmpp, and cup-xmpp-ECDSA services. This topic describes certificate configuration using these recent feature enhancements. Multi-server certificates need only be configured on the CUCM and CIMP Publishers. Regardless of CIMP version, the cup service certificate is not multi-server and must be configured on each CIMP server in the cluster.If your environment is running an older version of
Cisco Unified Communications
Manager
and Cisco
IM and Presence or you are not using multi-server certificates, you must use the Cisco
Operating System Administration user interface on all of the CUCM and CIMP nodes to configure the Tomcat certificates. You must use the Cisco
Operating System Administration interface on all of the CIMP nodes to configure the cup, cup-xmpp, and cup-xmpp-ECDSA certificates. The Cisco
Tomcat service runs on both CUCM and CIMP servers. The cup, cup-xmpp, and cup-xmpp-ECDSA services only run on the CIMP servers.When you configure the
Presence
service to communicate with Cisco Unified Communications
Manager
(CUCM) and Cisco IM and Presence (CIMP), you can configure the Cisco
certificates to be signed by the enterprise certificate authority. You require the following certificates and certificate signing requests (CSR) when you want to configure the Presence
service to communicate with the Cisco Unified Communications
Manager
and Cisco
IM and Presence:Service | Certificates or CSRs |
|---|---|
Configure the Connect service only1 |
|
Configure the Presence service only1 |
|
1
If you configure both the Connect
and Presence
services, make sure that all of the required certificates or CSRs uploaded. You must upload the root CA certificate as a trust certificate for the corresponding services or you will receive the error message
CA certificate is not available in the trust-store
. For example, if you want to use a CA-signed tomcat certificate, you must first upload the root CA certificate as a tomcat-trust certificate, if you want to use a CA-signed cup certificate, you must first upload the root CA certificate as a cup-trust certificate, and if you want to use a CA-signed cup-xmpp certificate, you must first upload the root CA certificate as a cup-xmpp-trust certificate.- Complete steps 2 to 10 for all of the certificate pairs. For example, tomcat/tomcat-trust, cup/cup-trust, cup-xmpp/cup-xmpp-trust, and cup-xmpp-ECDSA/cup-xmpp-trust.
- Log in to theCisco Unified OS Administrationusing your administrator credentials. If your environment is running CUCM and CIMP 10.5.1 or later, complete the following tasks on the CUCM Publisher and the IM and Presence Publisher. If your environment is running CUCM and IM and Presence version earlier than 10.5.1, or for the cup service certificate, complete the following tasks on all servers in the cluster.
- ClickSecurity > Certificate Management.
- Upload the root enterprise CA certificate.The uploaded certificate is distributed to all of the servers in the cluster for the given service (for example, tomcat, cup, cup-xmpp, and cup-xmpp-ECDSA).
- ClickUpload Certificate/Certificate chain.
- In theCertificate Purposedrop-down list, select the trust store (For example, tomcat-trust, cup-trust, or cup-xmpp-trust).
- ClickBrowse. Navigate to the enterprise root certificate downloaded earlier.
- ClickOpen.
- ClickUpload.
- If the certificate upload is successful, clickClose.
- Request a CSR.
- ClickGenerate CSR. The new CSR will overwrite the existing CSR for that certifcate.
- In theCertificate Purposedrop-down list, click the service you want to generate the CSR for. For example, tomcat, cup, or cup-xmpp.
- In theDistributiondrop-down list, selectMulti-server (SAN).Make sure that the list of auto-populated domains in the Subject Alternate Names section contain the FQDNs of the CUCM and CIMP servers that will be configured inBEMS.
- ClickClose. A second copy of the <service> certificate appears in the certificate list as a CSR Only type.
- Click the CSR Only type version of the <service> certificate link.
- In theCSR Details for <dialog box, clickPublisher_Hostname-ms.domain>,<service> certificateDownload CSR.
- Save the<file. Open the file in a text editor.service>.csr
- Copy the certificate information, including the Begin and End Certifciate request lines.
- Paste the new CSR certificate information to theMicrosoft Active DirectoryCertificate Services server.
- On theMicrosoft Active Directory Certificate Servicesserver, clickRequest a certificate.
- ClickAdvanced certificate request.
- On theSubmit a Certificate Request or Renewal requestwindow, in theSaved Requestfield, paste the certificate information that you copied in step 6h.
- In theCertificate Templatedrop-down list, clickWeb Server.
- ClickSubmit.
- On theCertificate Issuedwindow, selectDERencoded. ClickDownload certificate.
- ClickOK. By default, the certificate is saved to the Downloads folder.
- Upload the CA-signed certificate toCiscoUnified Operating System Administration web page to replace the CSR Only version of the appropriate service certificate with the CA-signed version.
- On theCisco Unified Operating System Administrationweb page, clickUpload Certificate/Certificate chain.
- ClickOK.
- ClickClose. The CSR version of the <service> certificate changes to CA-signed.
- RestartCiscoServices on all IM and Presence nodes.
- Log in to theCisco Unified IM and Presence Serviceabilityserver.
- ClickTools > Control Center - Network Services.
- In theServerdrop-down list, select the IM and Presence server. ClickGo.
- UnderIM and Presence Services, selectCisco XCP Router.
- ClickRestart. ClickOK.
- ClickTools > Control Center - Feature Service.
- In theServerdrop-down list, select the IM and Presence server. ClickGo.
- UnderIM and Presence Services, selectCisco SIP Proxy.
- ClickRestart. ClickOK.
- Repeat steps h and i forCisco Presence Engine.
- Restart theCisco Tomcat Serviceusing SSH on all CUCM and CIMP nodes.In a command prompt, typeutils service restart Cisco Tomcat.