Cisco Cisco TelePresence Video Communication Server Expressway
VCS Trusted CA Certificate
The Trusted CA certificate page (Maintenance > Security certificates > Trusted CA certificate) allows you to
manage the list of certificates for the Certificate Authorities (CAs) trusted by this VCS. When a TLS connection to
VCS mandates certificate verification, the certificate presented to the VCS must be signed by a trusted CA in this list
and there must be a full chain of trust (intermediate CAs) to the root CA.
manage the list of certificates for the Certificate Authorities (CAs) trusted by this VCS. When a TLS connection to
VCS mandates certificate verification, the certificate presented to the VCS must be signed by a trusted CA in this list
and there must be a full chain of trust (intermediate CAs) to the root CA.
The root CA of the Unified CM server certificate must be loaded into the VCS's trusted CA certificate list.
To upload a new file containing one or more CA certificates, Browse to the required PEM file and click Append CA
certificate. This will append any new certificates to the existing list of CA certificates. If you are replacing existing
certificates for a particular issuer and subject, you have to manually delete the previous certificates.
certificate. This will append any new certificates to the existing list of CA certificates. If you are replacing existing
certificates for a particular issuer and subject, you have to manually delete the previous certificates.
Repeat this process on every VCS that will communicate with this Unified CM.
Loading Server and Trust Certificates on Unified CM
Certificate management for Unified CM is performed in the Cisco Unified OS Administration application.
All existing certificates are listed under Security > Certificate Management. Server certificates are of type certs and
trusted CA certificates are of type trust-certs.
trusted CA certificates are of type trust-certs.
Unified CM Server Certificate
By default, Unified CM has a self-signed server certificate CallManager.pem installed. We recommend that this is
replaced with a certificate generated from a trusted certificate authority.
replaced with a certificate generated from a trusted certificate authority.
Unified CM Trusted CA Certificate
To load the root CA certificate of the authority that issued the VCS certificate (if it is not already loaded):
1.
Click Upload Certificate/Certificate chain.
2.
Select a Certificate Name of CallManager-trust.
3.
Click Browse and select the file containing the root CA certificate of the authority that issued the VCS
certificate.
certificate.
4.
Click Upload File.
Repeat this process on every Unified CM server that will communicate with VCS. Typically this is every node that is
running the CallManager service.
running the CallManager service.
Setting the Cluster Security Mode to Mixed Mode
The Cisco Unified Communications Manager cluster must be in Mixed Mode to allow the registration of both secure
devices and non-secure devices. This allows for best effort encryption between the VCS and the Cisco Unified
Communications Manager. Read
devices and non-secure devices. This allows for best effort encryption between the VCS and the Cisco Unified
Communications Manager. Read
for
background on best effort encryption between VCS and Unified CM.
As of version 10.0, you can use the CLI to change the cluster security mode. On earlier versions, you must use the
Cisco CTL Client plugin to change the cluster security mode. The security mode change updates the CTL file, so you
must restart the Cisco CallManager and Cisco Tftp services after the change.
Cisco CTL Client plugin to change the cluster security mode. The security mode change updates the CTL file, so you
must restart the Cisco CallManager and Cisco Tftp services after the change.
The process is summarized below, but you should refer to the Cisco Unified Communications Manager Security Guide
for your version, which you can find on the
for your version, which you can find on the
1.
Obtain access to the Unified CM publisher node, including hardware security tokens (if using the CTL Client
plugin).
plugin).
2.
(Pre 10.0) Download and install the Cisco CTL Client plugin from Unified CM.
26
Cisco VCS SIP Trunk to Unified CM Deployment Guide