Cisco Expressway
Server certificate requirements for Unified Communications
Cisco Unified Communications Manager certificates
The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are the CallManager certificate (used for secure SIP) and the tomcat certificate (used for secure HTTP). Both are installed automatically on Cisco Unified Communications Manager and, by default, they are self-signed and have the same common name (CN).
We recommend externally signed certificates for the best end-to-end security between external and internal endpoints. If you do use self-signed certificates, however, the two certificates must have different common names, because the Expressway does not allow two self-signed certificates with the same CN in its trusted CA list. If the CallManager and tomcat self-signed certificates share a CN, the Expressway can trust only one of them, so either secure HTTP or secure SIP between Expressway-C and Cisco Unified Communications Manager will fail. Check the subject of each certificate before uploading it to the Expressway trusted CA list, and regenerate one of them with a distinct CN if they match.
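The following added example (not code from the Cisco guide or from Expressway itself) models the check described above: it builds two throwaway self-signed certificates standing in for the default CallManager and tomcat certificates, then reports any CN that more than one self-signed certificate in a candidate trusted CA list shares. The host name cucm01.example.com and the certificates are constructed for illustration; the Go standard library's crypto/x509 is used in place of the Expressway's own trust-store logic.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// makeSelfSigned builds a throwaway self-signed certificate with the given CN,
// standing in for a default CallManager or tomcat certificate. Constructed
// test data only, not a real Unified CM certificate.
func makeSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
	}
	// Using the template as its own parent makes issuer == subject and signs
	// with the certificate's own key, i.e. a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned reports whether the certificate's issuer equals its subject and
// its signature verifies under its own public key.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawSubject, c.RawIssuer) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// trustStoreConflicts returns, sorted, every CN shared by two or more
// self-signed certificates in the candidate trusted CA list. Each CN returned
// is one the Expressway would accept only once.
func trustStoreConflicts(certs ...*x509.Certificate) []string {
	count := map[string]int{}
	for _, c := range certs {
		if isSelfSigned(c) {
			count[c.Subject.CommonName]++
		}
	}
	var dup []string
	for cn, n := range count {
		if n > 1 {
			dup = append(dup, cn)
		}
	}
	sort.Strings(dup)
	return dup
}

func main() {
	// Default state: CallManager and tomcat both self-signed with the same CN.
	callManager, err := makeSelfSigned("cucm01.example.com")
	if err != nil {
		panic(err)
	}
	tomcat, err := makeSelfSigned("cucm01.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("conflicts (same CN):", trustStoreConflicts(callManager, tomcat))

	// Fix: regenerate the tomcat certificate with a distinct CN.
	tomcatFixed, err := makeSelfSigned("cucm01-tomcat.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("conflicts (distinct CN):", trustStoreConflicts(callManager, tomcatFixed))
}
```

In practice you would load the exported CallManager.pem and tomcat.pem from Unified CM with x509.ParseCertificate instead of generating them; the conflict check is the same. A CA-signed certificate never trips the check, which is one more reason to prefer externally signed certificates.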
Expressway certificates
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternative name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.
The following table shows which CSR alternative name elements apply to which Unified Communications features (✓ = the SAN element applies to that feature; X = it does not):
CSR SAN element                                            Mobile and remote access   Jabber Guest   XMPP federation
Unified CM registrations domains                           ✓ (Expressway-E only)      X              X
XMPP federation domains                                    X                          X              ✓ (Expressway-E only)
IM and Presence chat node aliases (federated group chat)   X                          X              ✓
Unified CM phone security profile names                    ✓ (Expressway-C only)      X              X
Note:
- A new Expressway-C certificate may need to be produced if chat node aliases are added or renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security profiles are added.
- A new Expressway-E certificate must be produced if new chat node aliases are added to the system, or if the Unified CM or XMPP federation domains are modified.
- You must restart the Expressway for any new uploaded server certificate to take effect.
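As an added example (not from the Cisco guide, and not the Expressway CSR tool's own code), the following Go program models the table and the notes above: it selects the SAN entries for an Expressway-C or Expressway-E CSR from the Unified CM registration domains, XMPP federation domains, chat node aliases and phone security profile names, builds a CSR with them, and then parses the CSR back to verify which DNS SAN entries it carries before it goes to the CA. The host names, domains, alias and profile name are constructed for illustration, and the example assumes phone security profile names are in FQDN form so they can be carried as DNS SAN entries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Role is the Expressway the CSR is for.
type Role int

const (
	ExpresswayC Role = iota
	ExpresswayE
)

// UCNames carries the Unified Communications names that can appear as SAN
// entries. Which ones are used depends on the role, following the table.
type UCNames struct {
	CMRegistrationDomains []string // Expressway-E only
	XMPPFederationDomains []string // Expressway-E only
	ChatNodeAliases       []string // Expressway-C and Expressway-E
	PhoneSecurityProfiles []string // Expressway-C only; assumed FQDN-formatted
}

// sanList returns the DNS SAN entries for the role: the FQDN first, then the
// applicable table elements, with empty and duplicate names dropped.
func sanList(role Role, fqdn string, n UCNames) []string {
	names := []string{fqdn}
	switch role {
	case ExpresswayE:
		names = append(names, n.CMRegistrationDomains...)
		names = append(names, n.XMPPFederationDomains...)
		names = append(names, n.ChatNodeAliases...)
	case ExpresswayC:
		names = append(names, n.PhoneSecurityProfiles...)
		names = append(names, n.ChatNodeAliases...)
	}
	seen := map[string]bool{}
	var out []string
	for _, s := range names {
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// buildCSR generates a key and returns a PEM-encoded CSR whose CN is the
// Expressway FQDN and whose SAN list comes from sanList, plus the key so the
// signed certificate can later be installed with it.
func buildCSR(role Role, fqdn string, n UCNames) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: fqdn},
		DNSNames: sanList(role, fqdn, n),
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// csrDNSNames parses a PEM CSR, checks its self-signature and returns its DNS
// SAN entries: the check to run on a CSR before sending it to the CA.
func csrDNSNames(csrPEM []byte) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr.DNSNames, nil
}

// sameStrings reports whether two slices hold the same strings in order.
func sameStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed example names; not from any real deployment.
	names := UCNames{
		CMRegistrationDomains: []string{"example.com"},
		XMPPFederationDomains: []string{"example.com"},
		ChatNodeAliases:       []string{"chatnode1.example.com"},
		PhoneSecurityProfiles: []string{"jabber-secure-profile.example.com"},
	}
	for _, r := range []struct {
		role Role
		fqdn string
	}{{ExpresswayC, "expc.example.com"}, {ExpresswayE, "expe.example.com"}} {
		csrPEM, _, err := buildCSR(r.role, r.fqdn, names)
		if err != nil {
			panic(err)
		}
		sans, err := csrDNSNames(csrPEM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s SAN: %v\n", r.fqdn, sans)
	}
}
```

Because the SAN list is derived from the current domains, aliases and profile names, re-running it after an IM and Presence node is added or a federation domain changes shows directly which entries the existing certificate is missing, which is the trigger for the new certificate the notes above call for.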
More details about the individual feature requirements per Expressway-C / Expressway-E are described below.
Cisco Expressway Certificate Creation and Use Deployment Guide (X8.5.2)
Page 7 of 32