Cisco Expressway
Connecting Expressway to Unified CM using TLS
These instructions explain how to take a system that is already configured and working using a TCP
interconnection between Expressway and Unified CM, and to convert that connection to use TLS instead.
This process involves:
- Ensuring certificate trust between Unified CM and Expressway
- Configuring a SIP trunk security profile on Unified CM
- Updating the Unified CM trunk to Expressway to use TLS
- Updating the Expressway neighbor zone to Unified CM to use TLS
Ensuring certificate trust between Unified CM and Expressway
For Unified CM and Expressway to establish a TLS connection with each other:
- Expressway and Unified CM must both have valid server certificates loaded (you must replace the
  Expressway's default server certificate with a valid server certificate)
- Unified CM must trust Expressway's server certificate (the root CA of the Expressway server certificate
  must be loaded onto Unified CM)
- Expressway must trust Unified CM's server certificate (the root CA of the Unified CM server certificate
  must be loaded onto Expressway)
for full details about loading certificates
and how to generate CSRs on Expressway to acquire certificates from a Certificate Authority (CA).
Note that in a clustered environment, you must install CA and server certificates on each peer/node
individually.
We strongly recommend that you do not use self-signed certificates in a production environment.
Loading server and trust certificates on Unified CM
Certificate management is performed in the Cisco Unified OS Administration application.
All existing certificates are listed under Security > Certificate Management. Server certificates are of type
certs and trusted CA certificates are of type trust-certs.
Unified CM server certificate
By default, Unified CM has a self-signed server certificate CallManager.pem installed. We recommend that
this is replaced with a certificate generated from a trusted certificate authority.
Unified CM trusted CA certificate
To load the root CA certificate of the authority that issued the Expressway certificate (if it is not already
loaded):
1. Click Upload Certificate/Certificate chain.
2. Select a Certificate Name of CallManager-trust.
3. Click Browse and select the file containing the root CA certificate of the authority that issued the
Microsoft Lync and Cisco Expressway Deployment Guide (X8.1)
Page 43 of 63