Cisco TelePresence Video Communication Server Expressway
Server Certificate Requirements for Unified Communications
Cisco Unified Communications Manager Certificates
The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are
the CallManager certificate and the tomcat certificate. These are automatically installed on the Cisco Unified
Communications Manager and by default they are self-signed and have the same common name (CN).
We recommend using CA-signed certificates for best end-to-end security between external endpoints and internal
endpoints. However, if you do use self-signed certificates, the two certificates must have different common names.
This is because the VCS does not allow two self-signed certificates with the same CN. If the CallManager and tomcat
self-signed certs have the same CN in the VCS's trusted CA list, then it can only trust one of them. This means that
either secure HTTP or secure SIP, between VCS Control and Cisco Unified Communications Manager, will fail.
Also, when generating tomcat certificate signing requests for any products within the Cisco Collaboration Systems
Release 10.5.2, you need to be aware of
. You need to work around this issue to ensure that the
FQDNs of the nodes are in the certificates as Subject Alternative Names. The VCS X8.5.2 Release Notes have the
details of the workarounds.
VCS Certificates
The VCS certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name
(SAN) entries as appropriate for the Unified Communications features that are supported on that VCS.
The following table shows which CSR alternative name elements apply to which Unified Communications features:
CSR SAN element                          | Mobile and remote access | Jabber Guest | XMPP federation
-----------------------------------------|--------------------------|--------------|-------------------------
Unified CM registrations domains         | ✓ (VCS Expressway only)  | X            | X
XMPP federation domains                  | X                        | X            | ✓ (VCS Expressway only)
IM and Presence chat node aliases        | X                        | X            | ✓
(federated group chat)                   |                          |              |
Unified CM phone security profile names  | ✓ (VCS Control only)     | X            | X
Note:
■ A new VCS Control certificate may need to be produced for the VCS Control if chat node aliases are added or
renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security profiles
are added.
■ A new VCS Expressway certificate must be produced if new chat node aliases are added to the system, or if
the Unified CM or XMPP federation domains are modified.
■ You must restart the VCS for any newly uploaded server certificate to take effect.
More details about the individual feature requirements per VCS Control / VCS Expressway are described below.
VCS Control server certificate requirements
The VCS Control server certificate needs to include the following elements in its list of subject alternate names:
■ Unified CM phone security profile names: the names of the Phone Security Profiles in Unified CM that are
configured for encrypted TLS and are used for devices requiring remote access. Use the FQDN format and
separate multiple entries with commas.
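The following Python pre-check is an added example, not part of the Cisco guide, covering two rules from this page: the self-signed CallManager and tomcat certificates must not share a CN in the VCS trusted CA list, and the VCS Control certificate's SAN list must carry the TLS phone security profile names in FQDN form. It assumes the certificates have been summarised with `openssl x509 -noout -subject -issuer -ext subjectAltName`; the sample text and hostnames below are constructed placeholders.

```python
import re
# Constructed sample input in the shape of
# `openssl x509 -noout -subject -issuer -ext subjectAltName` output
# (placeholder hostnames, not output from a real Cisco system).
CUCM_SELF_SIGNED = """\
subject=CN = cucm1.example.com, OU = Collab, O = Example
issuer=CN = cucm1.example.com, OU = Collab, O = Example
X509v3 Subject Alternative Name:
    DNS:cucm1.example.com
"""
VCS_CONTROL_CERT = """\
subject=CN = vcsc.example.com, O = Example
issuer=CN = Example Internal CA, O = Example
X509v3 Subject Alternative Name:
    DNS:vcsc.example.com, DNS:secure-tls-profile.example.com
"""
FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

def parse_openssl_summary(text):
    """Return CN, self-signed flag and DNS SANs parsed from the openssl summary text."""
    subject = re.search(r"^subject=(.*)$", text, re.M).group(1).strip()
    issuer = re.search(r"^issuer=(.*)$", text, re.M).group(1).strip()
    cn = re.search(r"CN\s*=\s*([^,/]+)", subject).group(1).strip()
    sans = [s.strip() for s in re.findall(r"DNS:([^,\s]+)", text)]
    # Subject == issuer marks it self-signed (a full check would also verify the signature).
    return {"cn": cn, "self_signed": subject == issuer, "sans": sans}

def self_signed_cn_conflicts(trust_list):
    """CNs shared by more than one self-signed cert: VCS will trust only one of them."""
    by_cn = {}
    for name, cert in trust_list.items():
        if cert["self_signed"]:
            by_cn.setdefault(cert["cn"].lower(), []).append(name)
    return {cn: names for cn, names in by_cn.items() if len(names) > 1}

def san_problems(cert, required):
    """Required entries (e.g. TLS phone security profile names) that are not in
    FQDN form or are absent from the certificate's SAN list."""
    present = {s.lower() for s in cert["sans"]}
    return {"not_fqdn": [r for r in required if not FQDN.match(r)],
            "missing": sorted(r for r in required if r.lower() not in present)}

if __name__ == "__main__":
    # Both CUCM certs installed with the default (identical) self-signed CN.
    trust = {"CallManager": parse_openssl_summary(CUCM_SELF_SIGNED),
             "tomcat": parse_openssl_summary(CUCM_SELF_SIGNED)}
    print("CN conflicts:", self_signed_cn_conflicts(trust))
    profiles = ["secure-tls-profile.example.com", "Secure Phone Profile"]
    print("SAN problems:", san_problems(parse_openssl_summary(VCS_CONTROL_CERT), profiles))
```

A conflict result means one of the two CUCM certificates would be silently dropped from the VCS trust list, so the fix is to regenerate one with a distinct CN (or move to CA-signed certificates) before uploading.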
Cisco VCS Certificate Creation and Use Deployment Guide