Cisco Cisco Expressway
Expressway trusted CA certificate
The
Trusted CA certificate
page (
Maintenance > Security certificates > Trusted CA certificate
) allows
you to manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway. When
a TLS connection to Expressway mandates certificate verification, the certificate presented to the
Expressway must be signed by a trusted CA in this list and there must be a full chain of trust (intermediate
CAs) to the root CA.
a TLS connection to Expressway mandates certificate verification, the certificate presented to the
Expressway must be signed by a trusted CA in this list and there must be a full chain of trust (intermediate
CAs) to the root CA.
The root CA of the Unified CM server certificate must be loaded into the Expressway's trusted CA certificate
list.
list.
To upload a new file containing one or more CA certificates, Browse to the required PEM file and click
Append CA certificate. This will append any new certificates to the existing list of CA certificates. If you
are replacing existing certificates for a particular issuer and subject, you have to manually delete the previous
certificates.
Append CA certificate. This will append any new certificates to the existing list of CA certificates. If you
are replacing existing certificates for a particular issuer and subject, you have to manually delete the previous
certificates.
Repeat this process on every Expressway that will communicate with this Unified CM.
Loading server and trust certificates on Unified CM
Certificate management for Unified CM is performed in the
Cisco Unified OS Administration
application.
All existing certificates are listed under
Security > Certificate Management
. Server certificates are of type
certs and trusted CA certificates are of type trust-certs.
Unified CM server certificate
By default, Unified CM has a self-signed server certificate CallManager.pem installed. We recommend that
this is replaced with a certificate generated from a trusted certificate authority.
this is replaced with a certificate generated from a trusted certificate authority.
Unified CM trusted CA certificate
To load the root CA certificate of the authority that issued the Expressway certificate (if it is not already
loaded):
loaded):
1. Click Upload Certificate/Certificate chain.
2. Select a Certificate Name of CallManager-trust.
3. Click Browse and select the file containing the root CA certificate of the authority that issued the
Expressway certificate.
4. Click Upload File.
Repeat this process on every Unified CM server that will communicate with Expressway. Typically this is
every node that is running the CallManager service.
every node that is running the CallManager service.
Setting the Cluster Security Mode to Mixed Mode
The Cisco Unified Communications Manager cluster must be in Mixed Mode to allow the registration of both
secure devices and non-secure devices. This allows for best effort encryption between the Expressway and
the Cisco Unified Communications Manager. Read
secure devices and non-secure devices. This allows for best effort encryption between the Expressway and
the Cisco Unified Communications Manager. Read
background on best effort encryption between Expressway and Unified CM.
As of version 10.0, you can use the CLI to change the cluster security mode. On earlier versions, you must
use the Cisco CTL Client plugin to change the cluster security mode. The security mode change updates the
CTL file, so you must restart the Cisco CallManager and Cisco Tftp services after the change.
use the Cisco CTL Client plugin to change the cluster security mode. The security mode change updates the
CTL file, so you must restart the Cisco CallManager and Cisco Tftp services after the change.
Cisco Unified Communications Manager with Cisco Expressway (SIP Trunk) Deployment Guide (X8.5.2)
Page 27 of 42
Connecting Expressway to Unified CM using TLS