Create Windows CA Certificate Templates for CUCM

Available Languages

Download Options

  • PDF     (2.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.5 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 21, 2024
Document ID:215534

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a step-by-step procedure to create certificate templates on Windows Server-based Certification Authorities (CA).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • CUCM version 11.5(1).
    • Basic knowledge of Windows Server administration

    Components Used

    The information in this document is based on these software and hardware versions:

    • CUCM Version 11.5(1).
    • Microsoft Windows Server 2012 R2 with CA services installed.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background information

    These certificate templates are compliant with X.509 extension requirements for every type of Cisco Unified Communications Manager (CUCM) certificate.

    There are five types of certificates that can be signed by an external CA:

    Certificate

    Use

    Impacted Services

    Callmanager

    Presented at secure device registration and can sign Certificate Trust List (CTL)/Internal Trust List (ITL) files, used for secure interactions with other servers such as secure Session Initiation Protocol (SIP) Trunks.

    ·  Cisco Call Manager

    ·  Cisco CTI Manager

    ·  Cisco TFTP

    tomcat

    Presented for Secure Hypertext Transfer Protocol (HTTPS) interactions.

    ·  Cisco Tomcat

    ·  Single Sign-On (SSO)

    ·  Extension Mobility

    ·  Corporate Directory

    ipsec

    Used for backup file generation, as well as IP Security (IPsec) interaction with Media Gateway Control Protocol (MGCP) or H323 gateways.

    ·  Cisco DRF Primary

    ·  Cisco DRF Local

    CAPF

    Used to generate Locally Significant Certificates (LSC) for phones.

    ·  Cisco Certificate Authority Proxy Function

    TVS

    Used to create a connection to the Trust Verification Service (TVS) when the phones are not able to authenticate an unknown certificate.

    · Cisco Trust Verification Service

    Note: ipsec certificate is not related to Cisco DRF Primary and Cisco DRF Local since 14, in newer versions, Tomcat certificate is used instead. There is no plan to add this change to 12.5 or earlier versions.

    Each of these certificates has some X.509 extension requirements that need to be set, otherwise, you can encounter misbehavior on any of the aforementioned services:

    Certificate

    X.509 Key Usage

    X.509 Extended Key Usage

    Callmanager

    ·   Digital Signature

    ·   Key Encipherment

    ·   Data Encipherment

    ·  Web Server Authentication

    ·  Web Client Authentication

    tomcat

    ·   Digital Signature

    ·   Key Encipherment

    ·   Data Encipherment

    ·  Web Server Authentication

    ·  Web Client Authentication

    ipsec

    ·   Digital Signature

    ·   Key Encipherment

    ·   Data Encipherment

    ·  Web Server Authentication

    ·  Web Client Authentication

    ·  IPsec End System

    CAPF

    ·   Digital Signature

    ·   Certificate Sign

    ·   Key Encipherment

    ·  Web Server Authentication

    ·  Web Client Authentication

    TVS

    ·   Digital Signature

    ·   Key Encipherment

    ·   Data Encipherment

    ·  Web Server Authentication

    ·  Web Client Authentication

    For more information, reference the Security Guide for Cisco Unified Communications Manager

    Configure

    Step 1. On the Windows Server, navigate to Server Manager > Tools > Certification Authority, as shown in the image.

    Configure Step 1

    Step 2. Select your CA, then navigate to Certificate Templates, right-click on the list and select Manage, as shown in the image.

    Select CA and Certificate Template

    Callmanager / Tomcat / TVS Template

    The next images display only the creation of the CallManager template; but the same steps can be followed to create the certificate templates for the Tomcat and the TVS services. The only difference is to ensure the respective service name is used for each new template in step 2.

    Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.

    Web Server Template

    Step 2. Under General, you can change the certificate template's name, display name, validity, and some other variables.

    Update Certificate Template Information

    Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

    Template Properties and Key Usage

    Step 4. Select these options and select OK, as shown in the image.

    • Digital signature
    • Allow key exchange only with key encryption (key encipherment)
    • Allow encryption of user data

    Edit Key Usage Extension

    Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

    Application PoliciesClient Authentication

    Step 6. Search for Client Authentication, select it and select OK on both this window and the previous one, as shown in the image.

    Select Apply and Ok

    Step 7. Back on the template, select Apply and then OK.

    Close Certificate Template Console

    Step 8. Close the Certificate Template Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

    Select New CallManager CUCM Template

    Step 9. Select the new CallManager CUCM template and select OK, as shown in the image.

    Find Web Server Template

    Step 10. Repeat all previous steps to create certificate templates for the Tomcat and TVS services as needed.

    IPsec Template

    Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.

    Web Server Template

    Step 2. Under General, you can change the certificate template’s name, display name, validity, and some other vairiables.

    Update Certification Information for IPsec Template

    Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

    Edit Key Usage

    Step 4. Select these options and select OK, as shown in the image.

    • Digital signature
    • Allow key exchange only with key encryption (key encipherment)
    • Allow encryption of user data

    Select Options and Ok

    Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

    Edit Application PoliciesSearch for Client Authentication

    Step 6. Search for Client Authentication, select it and then OK, as shown in the image.

    Select Add and Search for IP Security and System

    Step 7. Select Add again, search for IP security end system, select it and then select OK on this and on the previous window as well.

    Select Apply and Ok on Template

    Step 8. Back on the template, select Apply and then OK, as shown in the image.

    Close the Certificate Templates Console

    Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

    Select New IPsec CUCM Template

    Step 10. Select the new IPSEC CUCM template and select OK, as shown in the image.

    Find Root CA Template

    CAPF Template

    Step 1. Find the Root CA template and right-click on it. Then select Duplicate Template, as shown in the image.

    Under General, Update Template Information

    Step 2. Under General, you can change the certificate template’s name, display name, validity, ans some other variables.

    Navigate to Extensions and Key Usage

    Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

    Select Options and then Ok

    Step 4. Select these options and select OK, as shown in the image.

    • Digital signature
    • Certificate signing
    • CRL signing

    CS Image

    Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

    Application Policies, Edit and AddAdd Server Authentication

    Step 6. Search for Client Authentication, select it and then select OK, as shown in the image.

    Search for Client Authentication

    Step 7. Select Add again, search for IP security end system, select it and then select OK on this and on the previous window as well, as shown in the image.

    Search for IP Security End System

    Step 8. Back on the template, select Apply and then OK, as shown in the image.

    Back on Template, Select Apply and Ok

    Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

    Close Certificate Templates Console Window

    Step 10. Select the new CAPF CUCM template and select OK, as shown in the image.

    Select CAPF CUCM Template

    Generate a Certificate Signing Request

    Use this example in order to generate a CallManager certificate with the use of the newly created templates. The same procedure can be used for any certificate type, you just need to select the certificate and template types accordingly:

    Step 1. On CUCM, navigate to OS Administration > Security > Certificate Management > Generate CSR.

    Step 2. Select these options and select Generate, as shown in the image.

    • Certificate Purpose: CallManager
    • Distribution: <This can either be just for one server or Multi-SAN>

    Generate a Certificate Signing Request

     Step 3. A confirmation message is generated, as shown in the image.

    Confirmation Message Generated

    Step 4. On the certificate list, look for the entry with type CSR Only and select it, as shown in the image.

    Entry Type CSR Only

    Step 5. On the pop-up window, select Download CSR, and save the file on your computer.

    Pop-Up Window, Select Download CSR

    Step 6. On your browser, navigate to this URL, and enter your domain controller administrator credentials: https://<yourWindowsServerIP>/certsrv/.

    Step 7. Navigate to Request a certificate > advanced certificate request, as shown in the image.

    Navigate to this URLRequest a Certificate, Advanced Certificate

    Step 8. Open the CSR file and copy all its contents:

    Open CSR File and Copy All Contents

    Step 9. Paste the CSR in the Base-64-encoded certificate request field. Under Certificate Template, select the correct template and select Submit, as shown in the image.

    Paste the CSR in the Base-64-Encoded-Certificate-Request Field

    Step 10. Finally, select Base 64 encoded and Download certificate chain. The generated file can now be uploaded to the CUCM.

    Select Base 64 Encoded and Download Certificate

    Verify


    The verification procedure is actually part of the configuration process.


    Troubleshoot


    There is currently no specific troubleshoot information available for this configuration.

    Revision History

    Revision Publish Date Comments
    3.0
    21-Feb-2024
    Updated Alt Text, Article Description, Biased Language and Formatting.
    2.0
    20-Jan-2023
    Change some gerunds and the format od some titles
    1.0
    24-Sep-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Mauro Cabral
      Cisco TAC Engineer
    • Michael Mendoza
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products