Certificates Overview
Your system uses self-signed- and third-party-signed certificates. Certificates are used between devices in your system to securely authenticate devices, encrypt data, and hash the data to ensure its integrity from source to destination. Certificates allow for secure transfer of bandwidth, communication, and operations.
The most important part of certificates is that you know and define how your data is encrypted and shared with entities such as the intended website, phone, or FTP server.
When your system trusts a certificate, this means that there is a preinstalled certificate on your system which states it is fully confident that it shares information with the correct destination. Otherwise, it terminates the communication between these points.
In order to trust a certificate, trust must already be established with a third-party certificate authority (CA).
Your devices must know that they can trust both the CA and intermediate certificates first, before they can trust the server certificate presented by the exchange of messages called the secure sockets layer (SSL) handshake.
Note |
EC-based certificates for Tomcat are supported. This new certificate is called tomcat-ECDSA. For further information, see the Enhanced TLS Encryption on IM and Presence Service section of the Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager. EC Ciphers on the Tomcat interface are disabled by default. You can enable them using the HTTPS Ciphers enterprise parameter on Cisco Unified Communications Manager or on IM and Presence Service. If you change this parameter the Cisco Tomcat service must be restarted on all nodes. For further information on EC-based certificates see, ECDSA Support for Common Criteria for Certified Solutions in the Release Notes for Cisco Unified Communications Manager and IM and Presence Service. |
Third-Party Signed Certificate or Certificate Chain
Upload the certificate authority root certificate of the certificate authority that signed an application certificate. If a subordinate certificate authority signs an application certificate, you must upload the certificate authority root certificate of the subordinate certificate authority. You can also upload the PKCS#7 format certificate chain of all certificate authority certificates.
You can upload certificate authority root certificates and application certificates by using the same Upload Certificate dialog box. When you upload a certificate authority root certificate or certificate chain that contains only certificate authority certificates, choose the certificate name with the format certificate type-trust. When you upload an application certificate or certificate chain that contains an application certificate and certificate authority certificates, choose the certificate name that includes only the certificate type.
For example, choose tomcat-trust when you upload a Tomcat certificate authority certificate or certificate authority certificate chain; choose tomcat or tomcat-ECDSA when you upload a Tomcat application certificate or certificate chain that contains an application certificate and certificate authority certificates.
When you upload a CAPF certificate authority root certificate, it is copied to the CallManager-trust store, so you do not need to upload the certificate authority root certificate for CallManager separately.
Note |
Successful upload of third-party certificate authority signed certificate deletes a recently generated CSR that was used to obtain a signed certificate and overwrites the existing certificate, including a third-party signed certificate if one was uploaded. |
Note |
The system automatically replicates tomcat-trust, CallManager-trust and Phone-SAST-trust certificates to each node in the cluster. |
Note |
You can upload a directory trust certificate to tomcat-trust, which is required for the DirSync service to work in secure mode. |
Third-Party Certificate Authority Certificates
To use an application certificate that a third-party certificate authority issues, you must obtain both the signed application certificate and the certificate authority root certificate from the certificate authority or PKCS#7 certificate chain (distinguished encoding rules [DER]), which contains both the application certificate and certificate authority certificates. Retrieve information about obtaining these certificates from your certificate authority. The process varies among certificate authorities. The signature algorithm must use RSA encryption.
Cisco Unified Communications Operating System generates CSRs in privacy enhanced mail (PEM) encoding format. The system accepts certificates in DER and PEM encoding formats and PKCS#7 Certificate chain in PEM format. For all certificate types except certificate authority proxy function (CAPF), you must obtain and upload a certificate authority root certificate and an application certificate on each node.
For CAPF, obtain and upload a certificate authority root certificate and an application certificate only on the first node. CAPF and Unified Communications Manager CSRs include extensions that you must include in your request for an application certificate from the certificate authority. If your certificate authority does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, as follows:
-
The CAPF CSR uses the following extensions:
X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Certificate Sign
-
The CSRs for Tomcat and Tomcat-ECDSA, use the following extensions:
Note
Tomcat or Tomcat-ECDSA does not require the key agreement or IPsec end system key usage.
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
-
The CSRs for IPsec use the following extensions:
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
-
The CSRs for Unified Communications Manager use the following extensions:
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
-
The CSRs for the IM and Presence Service cup and cup-xmpp certificates use the following extensions:
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement,
Note |
You can generate a CSR for your certificates and have them signed by a third party certificate authority with a SHA256 signature. You can then upload this signed certificate back to Unified Communications Manager, allowing Tomcat and other certificates to support SHA256. |
Certificate Signing Request Key Usage Extensions
The following tables display key usage extensions for Certificate Signing Requests (CSRs) for both Unified Communications Manager and the IM and Presence Service CA certificates.
Multi server |
Extended Key Usage |
Key Usage |
|||||||
---|---|---|---|---|---|---|---|---|---|
Server Authentication (1.3.6.1.5.5.7.3.1) |
Client Authentication (1.3.6.1.5.5.7.3.2) |
IP security end system (1.3.6.1.5.5.7.3.5) |
Digital Signature |
Key Encipherment |
Data Encipherment |
Key Cert Sign |
Key Agreement |
||
CallManager CallManager-ECDSA |
Y |
Y |
Y |
Y |
N |
Y |
|||
CAPF (publisher only) |
N |
Y |
N |
Y |
N |
Y |
|||
ipsec |
N |
Y |
Y |
Y |
Y |
Y |
Y |
||
tomcat tomcat-ECDSA |
Y |
Y |
Y |
Y |
N |
Y |
|||
TVS |
N |
Y |
Y |
Y |
Y |
Y |
Multi server |
Extended Key Usage |
Key Usage |
|||||||
---|---|---|---|---|---|---|---|---|---|
Server Authentication (1.3.6.1.5.5.7.3.1) |
Client Authentication (1.3.6.1.5.5.7.3.2) |
IP security end system (1.3.6.1.5.5.7.3.5) |
Digital Signature |
Key Encipherment |
Data Encipherment |
Key Cert Sign |
Key Agreement |
||
cup cup-ECDSA |
N |
Y |
Y |
Y |
Y |
Y |
Y |
||
cup-xmpp cup-xmpp-ECDSA |
Y |
Y |
Y |
Y |
Y |
Y |
Y |
||
cup-xmpp-s2s cup-xmpp-s2s-ECDSA |
Y |
Y |
Y |
Y |
Y |
Y |
Y |
||
ipsec |
N |
Y |
Y |
Y |
Y |
Y |
Y |
||
tomcat tomcat-ECDSA |
Y |
Y |
Y |
Y |
Y |
Y |
Note |
Ensure that ‘Data Encipherment’ bit is not changed or removed as part of the CA-signing certificate process. |