Cisco Cisco TelePresence Video Communication Server Expressway
Server certificate requirements for Unified
Communications
Communications
The VCS certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate
name (SAN) entries as appropriate for the Unified Communications features that are supported on that VCS.
name (SAN) entries as appropriate for the Unified Communications features that are supported on that VCS.
The following table shows which CSR alternative name elements apply to which Unified Communications
features:
features:
CSR SAN element
Mobile and remote access
Jabber Guest
XMPP federation
Unified CM registrations domains
ü
(VCS Expressway only)
X
X
XMPP federation domains
X
X
ü
(VCS Expressway only)
IM and Presence chat node aliases
(federated group chat)
(federated group chat)
X
X
ü
Unified CM phone security profile names
ü
(VCS Control only)
X
X
Note that:
n
A new VCS Control certificate may need to be produced for the VCS Control if chat node aliases are added
or renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security
profiles are added.
or renamed, such as when an IM and Presence node is added or renamed, or if new TLS phone security
profiles are added.
n
A new VCS Expressway certificate must be produced if new chat node aliases are added to the system, or
if the Unified CM or XMPP federation domains are modified.
if the Unified CM or XMPP federation domains are modified.
n
You must restart the VCS for any new uploaded server certificate to take effect.
More details about the individual feature requirements per VCS Control / VCS Expressway are described
below.
below.
VCS Control server certificate requirements
The VCS Control server certificate needs to include the following elements in its list of subject alternate
names:
names:
n
Unified CM phone security profile names: the names, in FQDN format, of all of the Phone Security
Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring remote
access. This ensures that Unified CM can communicate with VCS Control via a TLS connection when it
is forwarding messages from devices that are configured with those security profiles.
Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring remote
access. This ensures that Unified CM can communicate with VCS Control via a TLS connection when it
is forwarding messages from devices that are configured with those security profiles.
n
IM and Presence chat node aliases (federated group chat): the Chat Node Aliases (e.g.
chatroom1.example.com) that are configured on the IM and Presence servers. These are required only for
Unified Communications XMPP federation deployments that intend to support group chat over TLS with
federated contacts.
The VCS Control automatically includes the chat node aliases in the CSR, providing it has discovered a
set of IM&P servers.
We recommend that you use DNS format for the chat node aliases when generating the CSR. You must
include the same chat node aliases in the VCS Expressway server certificate's alternative names.
chatroom1.example.com) that are configured on the IM and Presence servers. These are required only for
Unified Communications XMPP federation deployments that intend to support group chat over TLS with
federated contacts.
The VCS Control automatically includes the chat node aliases in the CSR, providing it has discovered a
set of IM&P servers.
We recommend that you use DNS format for the chat node aliases when generating the CSR. You must
include the same chat node aliases in the VCS Expressway server certificate's alternative names.
Cisco TelePresence VCS Certificate Creation and Use Deployment Guide (X8.2)
Page 7 of 29
Server certificate requirements for Unified Communications