Cisco Cisco Meeting Server 2000
Cisco Meeting Server Release 2.0 : Certificate Guidelines for Single Combined Deployments
9
Note: This process is called "certificate chaining” and intermediate CA certificates are
sometimes called "chained certificates".
sometimes called "chained certificates".
1.2.4 Certificate bundles
A certificate bundle is a single file (with an extension of .pem, .cer or.crt) holding a copy of the
Root CA’s certificate and all intermediate certificates in the chain. The certificates need to be in
sequence with the certificate of the Root CA being last in the certificate bundle. External clients
(for example web browsers and XMPP clients) require the certificate and certificate bundle to
be presented by the Web Bridge and XMPP server respectively, when setting up a secure
connection. If Call Bridge establishes a TLS trunk to a SIP peer, then Call Bridge will need to
presents its certificate and certificate bundle to the SIP endpoint.
Root CA’s certificate and all intermediate certificates in the chain. The certificates need to be in
sequence with the certificate of the Root CA being last in the certificate bundle. External clients
(for example web browsers and XMPP clients) require the certificate and certificate bundle to
be presented by the Web Bridge and XMPP server respectively, when setting up a secure
connection. If Call Bridge establishes a TLS trunk to a SIP peer, then Call Bridge will need to
presents its certificate and certificate bundle to the SIP endpoint.
You can create a certificate bundle by using a plain text editor such as notepad. All of the
characters including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
tags need to be inserted into the document. There should be no space between the certificates,
for example no spaces or extra lines between -----END CERTIFICATE----- of certificate 1
and -----BEGIN CERTIFICATE----- of certificate 2. At the end of the file there should be 1
extra line. Save the file with an extension of .pem, .cer, or .crt.
characters including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
tags need to be inserted into the document. There should be no space between the certificates,
for example no spaces or extra lines between -----END CERTIFICATE----- of certificate 1
and -----BEGIN CERTIFICATE----- of certificate 2. At the end of the file there should be 1
extra line. Save the file with an extension of .pem, .cer, or .crt.
1.2.5 Trust stores
Web browsers and other clients hold a list of signing authorities that they trust and therefore, by
a “chain of trust”, the servers they can trust. These trusted CAs are held in a ‘trust store’ on the
client. When the trusted CA issues a revocation list, the client updates its trust store removing
the entities in the revocation list from the store.
a “chain of trust”, the servers they can trust. These trusted CAs are held in a ‘trust store’ on the
client. When the trusted CA issues a revocation list, the client updates its trust store removing
the entities in the revocation list from the store.
For a connecting client (or device) to trust a certificate, the client will check whether the CA of
the certificate is held in the client’s trust store. If the certificate was not issued by a trusted CA,
the connecting client will then check to see if the certificate of the issuing CA was issued by a
trusted CA, this will be repeated up the chain until either a trusted CA is found or no trusted CA
can be found. If a trusted CA is found, a secure connection will be established between the
client and the server. If a trusted CA cannot be found, then the connecting client will usually
display an error message.
the certificate is held in the client’s trust store. If the certificate was not issued by a trusted CA,
the connecting client will then check to see if the certificate of the issuing CA was issued by a
trusted CA, this will be repeated up the chain until either a trusted CA is found or no trusted CA
can be found. If a trusted CA is found, a secure connection will be established between the
client and the server. If a trusted CA cannot be found, then the connecting client will usually
display an error message.
1 Introduction