Cisco Cisco Expressway
Expressway certificate.
4. Click Upload File.
Repeat this process on every Unified CM server that will communicate with Expressway. Typically this is
every node that is running the CallManager service.
every node that is running the CallManager service.
Loading server and trust certificates on Expressway
Expressway server certificate
Expressway has only one server certificate. By default, this is a self-signed certificate. We recommend that
it is replaced by a certificate generated by a trusted certificate authority.
it is replaced by a certificate generated by a trusted certificate authority.
To upload a server certificate:
1. Go to
Maintenance > Security certificates > Server certificate
.
2. Use the Browse button in the
Upload new certificate
section to select and upload the server certificate
PEM file.
3. If you used an external system to generate the certificate request you must also upload the server private
key PEM file that was used to encrypt the server certificate. (The private key file will have been
automatically generated and stored earlier if the Expressway was used to produce the signing request for
this server certificate.)
automatically generated and stored earlier if the Expressway was used to produce the signing request for
this server certificate.)
l
The server private key must not be password protected.
l
You cannot upload a server private key if a certificate signing request is in progress.
4. Click Upload server certificate data.
Expressway trusted CA certificate
The
Trusted CA certificate
page (
Maintenance > Security certificates > Trusted CA certificate
) allows
you to manage the list of certificates for the Certificate Authorities (CAs) trusted by this Expressway.
Certificates presented to the Expressway must be signed by a trusted CA on this list and there must be a full
chain of trust (intermediate CAs) to the root CA.
Certificates presented to the Expressway must be signed by a trusted CA on this list and there must be a full
chain of trust (intermediate CAs) to the root CA.
The root CA of the Unified CM server certificate must be loaded into the Expressway's trusted CA certificate
list.
list.
To upload a new file of CA certificates, Browse to the required PEM file and click Append CA certificate.
This will append any new certificates to the existing list of CA certificates. Note that if you are replacing
existing certificates for a particular issuer and subject, you have to manually delete the previous certificates.
This will append any new certificates to the existing list of CA certificates. Note that if you are replacing
existing certificates for a particular issuer and subject, you have to manually delete the previous certificates.
Repeat this process on every Expressway that will communicate with Unified CM.
Configuring a SIP trunk security profile on Unified CM
On Unified CM:
1. Select
Cisco Unified CM Administration
, click Go and log in.
2. Go to
System > Security > SIP Trunk Security Profile
.
3. Click Add New.
4. Configure the fields as follows:
Microsoft Lync and Cisco Expressway Deployment Guide (X8.1)
Page 44 of 63
Connecting Expressway to Unified CM using TLS