Cisco Cisco TelePresence MCU 4510 Administrator's Guide
Deleting a trust store
1. Go to
Network > SSL certificates
.
2. Go to the appropriate trust store configuration section (either the
SIP trust store
or
HTTPS trust store
).
3. Click Delete trust store.
4. Confirm that you wish to proceed.
The trust store is deleted.
Configuring SIP TLS verification
You can configure the MCU to secure incoming and outgoing SIP calls using TLS. The MCU uses its SIP
trust store to verify the certificate presented by the remote end of a SIP TLS connection.
trust store to verify the certificate presented by the remote end of a SIP TLS connection.
1. Go to
Network > SSL certificates
.
2. Go to the
SIP trust store
section.
3. Select one of the options from the Verification settings field.
4. Click Apply changes.
SIP verification options
No verification
All outgoing connections are permitted, even if the remote end does not present a valid and
trusted certificate (remote end always trusted).
trusted certificate (remote end always trusted).
Outgoing calls
only
only
Outgoing SIP TLS connections are only permitted if the remote end has a trusted certificate.
Outgoing and
incoming calls
incoming calls
Outgoing and incoming SIP TLS connections are only permitted if the remote end has a
trusted certificate.
trusted certificate.
Certificate identity requirements for SIP TLS
For an outgoing SIP TLS call, when inspecting the received certificate as part of the SIP TLS handshake, the
MCU looks for either an IP address or a domain identifier for the remote party in the URI and DNS fields of the
certificate's subject alternative name (subjectAltName) extension. If the subjectAltName is not
present, the MCU looks for either an IP address or a domain identifier in the certificate's Common Name (CN)
field.
MCU looks for either an IP address or a domain identifier for the remote party in the URI and DNS fields of the
certificate's subject alternative name (subjectAltName) extension. If the subjectAltName is not
present, the MCU looks for either an IP address or a domain identifier in the certificate's Common Name (CN)
field.
For an incoming SIP TLS call, the received certificate should be trusted by MCU's SIP Trust store.
You should ensure that the certificates presented by your SIP entities to the MCU contain both the SIP URI
and the IP address of the entity.
and the IP address of the entity.
The remote party must similarly be able to verify the MCU's local certificate against its trust store, so the
local certificate must also be generated according to the guidelines above.
local certificate must also be generated according to the guidelines above.
Note: If you require TLS on non-proxied SIP calls from the MCU, the MCU's local certificate must identify
the MCU by its IP address. This requirement arises because the remote endpoint will be establishing TLS
connections directly to the MCU, which provides its IP address as its identity.
the MCU by its IP address. This requirement arises because the remote endpoint will be establishing TLS
connections directly to the MCU, which provides its IP address as its identity.
Cisco TelePresence MCU Series Administrator Guide
Page 255 of 300
Advanced topics
Configuring SSL certificates