Cisco Cisco Expressway
Connecting Expressway to Unified CM using TLS
These instructions explain how to take a system that is already configured and working using a TCP
interconnection between Expressway and Unified CM, and to convert that connection to use TLS instead.
This process involves:
interconnection between Expressway and Unified CM, and to convert that connection to use TLS instead.
This process involves:
n
Ensuring certificate trust between Unified CM and Expressway
n
Setting the Cluster Security Mode of the Unified CM to 1 (Mixed Mode)
n
Configuring a SIP trunk security profile on Unified CM
n
Updating the Unified CM trunk to Expressway to use TLS
n
Updating the Expressway neighbor zone to Unified CM to use TLS
Ensuring certificate trust between Unified CM and
Expressway
Expressway
For Unified CM and Expressway to establish a TLS connection with each other:
n
Expressway and Unified CM must both have valid server certificates loaded (you must replace the
Expressway's default server certificate with a valid server certificate)
Expressway's default server certificate with a valid server certificate)
n
Expressway must trust Unified CM’s server certificate (the root CA of the Unified CM server certificate
must be loaded onto Expressway)
must be loaded onto Expressway)
n
Unified CM must trust Expressway’s server certificate (the root CA of the Expressway server certificate
must be loaded onto Unified CM)
must be loaded onto Unified CM)
for full details about loading certificates
and how to generate CSRs on Expressway to acquire certificates from a Certificate Authority (CA).
Note: In a clustered environment, you must install CA and server certificates on each peer/node individually.
We strongly recommend that you do not use self-signed certificates in a production environment.
Loading server and trust certificates on Expressway
Expressway server certificate
Expressway has only one server certificate. By default, this is a certificate signed by a temporary certificate
authority. We recommend that it is replaced by a certificate generated by a trusted certificate authority.
authority. We recommend that it is replaced by a certificate generated by a trusted certificate authority.
To upload a server certificate:
1. Go to
Maintenance > Security certificates > Server certificate
.
2. Use the Browse button in the
Upload new certificate
section to select and upload the server certificate
PEM file.
3. If you used an external system to generate the Certificate Signing Request (CSR) you must also upload
the server private key PEM file that was used to encrypt the server certificate. (The private key file will
have been automatically generated and stored earlier if the Expressway was used to produce the CSR for
this server certificate.)
have been automatically generated and stored earlier if the Expressway was used to produce the CSR for
this server certificate.)
l
The server private key PEM file must not be password protected.
l
You cannot upload a server private key if a certificate signing request is in progress.
4. Click Upload server certificate data.
Cisco Unified Communications Manager with Cisco Expressway (SIP Trunk) Deployment Guide (X8.2)
Page 24 of 40
Connecting Expressway to Unified CM using TLS