Cisco Cisco TelePresence Video Communication Server Expressway
Introduction
This deployment guide provides instructions on how to create X.509 cryptographic certificates for use with the Cisco
TelePresence Video Communication Server (VCS), and how to load them into VCS.
TelePresence Video Communication Server (VCS), and how to load them into VCS.
PKI introduction
Public Key Infrastructure (PKI) provides the mechanisms through which communications can be secured (encrypted and
integrity protected) and identities can be verified. Underlying PKI is:
integrity protected) and identities can be verified. Underlying PKI is:
■
A public/private key pair: a public key is used to encrypt data sent to a server, but only the private key (kept secret
by the server) can be used to decrypt it.
by the server) can be used to decrypt it.
■
Signatures of data: data can be “signed” by a server, by using a combination of a cryptographic hash of the data
and the server’s private key. A client can verify the signature by using the server’s public key and verifying the
same hash. This ensures the data has been sent from the expected server, and has not been tampered with.
and the server’s private key. A client can verify the signature by using the server’s public key and verifying the
same hash. This ensures the data has been sent from the expected server, and has not been tampered with.
■
Certificates: a certificate is a wrapper around a public key, and provides information about the owner of the key.
This metadata is provided in X.509 format, and typically includes the server name and contact details for the
owner.
This metadata is provided in X.509 format, and typically includes the server name and contact details for the
owner.
■
A certificate chain: a certificate can be signed by a Certificate Authority (CA) using its own private key. In turn,
therefore, a certificate can be verified as being signed by a CA by checking the signature against the CA’s
certificate (public key). Web browsers and other clients have a list of CA certificates that they trust, and can thus
verify the certificates of individual servers.
therefore, a certificate can be verified as being signed by a CA by checking the signature against the CA’s
certificate (public key). Web browsers and other clients have a list of CA certificates that they trust, and can thus
verify the certificates of individual servers.
Transport Layer Security (TLS) is the standard mechanism for securing a TCP connection between hosts on a TCP/IP
network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish a TLS connection:
network. For example, secure HTTP (HTTPS) uses TLS to encrypt and verify traffic. To establish a TLS connection:
1.
An initial TCP connection is made, and the client sends its capabilities (including cipher suites) and a random
number.
number.
2.
The sever responds with its choice of those capabilities, another random number, and its certificate.
3.
The client verifies that the server certificate was issued (signed) by a CA that it trusts, and has not been revoked.
4.
The client sends a “pre-master secret”, encrypted with the server’s public key.
5.
This pre-master secret, combined with the exchanged random numbers (to prevent replay attacks), is used to
generate a “master secret”, with which the remaining communications of this TLS session are encrypted between
the client and server.
generate a “master secret”, with which the remaining communications of this TLS session are encrypted between
the client and server.
The following sections describe how these PKI components can be used with the VCS.
Overview of certificate use on the VCS
VCS needs certificates for:
■
Secure HTTP with TLS (HTTPS) connectivity
■
TLS connectivity for SIP signaling, endpoints and neighbor zones
■
Connections to other systems such as Unified CM, Cisco TMS, LDAP servers and syslog servers
It uses its list of trusted Certificate Authority (CA) certificates and associated certificate revocation lists (CRLs) to validate
other devices connecting to it.
other devices connecting to it.
It uses the Server Certificate and the Private key to provide a signed certificate to provide evidence that the VCS is the
device it says it is. This can be used with neighboring devices such as Microsoft Lync or Unified CM, as well as
administrators using the web interface.
device it says it is. This can be used with neighboring devices such as Microsoft Lync or Unified CM, as well as
administrators using the web interface.
A certificate identifies the VCS. It contains names by which it is known and to which traffic is routed. If the VCS is known
by multiple names for these purposes, such as if it is part of a cluster, this must be represented in the X.509 subject data,
according to the guidance of RFC5922. The certificate must contain the FQDN of both the VCS itself and of the cluster. If
by multiple names for these purposes, such as if it is part of a cluster, this must be represented in the X.509 subject data,
according to the guidance of RFC5922. The certificate must contain the FQDN of both the VCS itself and of the cluster. If
3
Cisco VCS Certificate Creation and Use Deployment Guide