Introduction
This document describes a step-by-step procedure to create certificate templates on Windows Server-based Certification Authorities (CA).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- CUCM version 11.5(1).
- Basic knowledge of Windows Server administration
Components Used
The information in this document is based on these software and hardware versions:
- CUCM Version 11.5(1).
- Microsoft Windows Server 2012 R2 with CA services installed.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background information
These certificate templates are compliant with X.509 extension requirements for every type of Cisco Unified Communications Manager (CUCM) certificate.
There are five types of certificates that can be signed by an external CA:
Certificate
|
Use
|
Impacted Services
|
Callmanager
|
Presented at secure device registration and can sign Certificate Trust List (CTL)/Internal Trust List (ITL) files, used for secure interactions with other servers such as secure Session Initiation Protocol (SIP) Trunks.
|
· Cisco Call Manager
· Cisco CTI Manager
· Cisco TFTP
|
tomcat
|
Presented for Secure Hypertext Transfer Protocol (HTTPS) interactions.
|
· Cisco Tomcat
· Single Sign-On (SSO)
· Extension Mobility
· Corporate Directory
|
ipsec
|
Used for backup file generation, as well as IP Security (IPsec) interaction with Media Gateway Control Protocol (MGCP) or H323 gateways.
|
· Cisco DRF Primary
· Cisco DRF Local
|
CAPF
|
Used to generate Locally Significant Certificates (LSC) for phones.
|
· Cisco Certificate Authority Proxy Function
|
TVS
|
Used to create a connection to the Trust Verification Service (TVS) when the phones are not able to authenticate an unknown certificate.
|
· Cisco Trust Verification Service
|
Note: ipsec certificate is not related to Cisco DRF Primary and Cisco DRF Local since 14, in newer versions, Tomcat certificate is used instead. There is no plan to add this change to 12.5 or earlier versions.
Each of these certificates has some X.509 extension requirements that need to be set, otherwise, you can encounter misbehavior on any of the aforementioned services:
Certificate
|
X.509 Key Usage
|
X.509 Extended Key Usage
|
Callmanager
|
· Digital Signature
· Key Encipherment
· Data Encipherment
|
· Web Server Authentication
· Web Client Authentication
|
tomcat
|
· Digital Signature
· Key Encipherment
· Data Encipherment
|
· Web Server Authentication
· Web Client Authentication
|
ipsec
|
· Digital Signature
· Key Encipherment
· Data Encipherment
|
· Web Server Authentication
· Web Client Authentication
· IPsec End System
|
CAPF
|
· Digital Signature
· Certificate Sign
· Key Encipherment
|
· Web Server Authentication
· Web Client Authentication
|
TVS
|
· Digital Signature
· Key Encipherment
· Data Encipherment
|
· Web Server Authentication
· Web Client Authentication
|
For more information, reference the Security Guide for Cisco Unified Communications Manager
Configure
Step 1. On the Windows Server, navigate to Server Manager > Tools > Certification Authority, as shown in the image.
![Configure Step 1](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-00.png)
Step 2. Select your CA, then navigate to Certificate Templates, right-click on the list and select Manage, as shown in the image.
![Select CA and Certificate Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-01.png)
Callmanager / Tomcat / TVS Template
The next images display only the creation of the CallManager template; but the same steps can be followed to create the certificate templates for the Tomcat and the TVS services. The only difference is to ensure the respective service name is used for each new template in step 2.
Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.
![Web Server Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-02.png)
Step 2. Under General, you can change the certificate template's name, display name, validity, and some other variables.
![Update Certificate Template Information](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-03.png)
Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.
![Template Properties and Key Usage](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-04.png)
Step 4. Select these options and select OK, as shown in the image.
- Digital signature
- Allow key exchange only with key encryption (key encipherment)
- Allow encryption of user data
![Edit Key Usage Extension](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-05.png)
Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.
![Application Policies](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-06.png)
![Client Authentication](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-07.png)
Step 6. Search for Client Authentication, select it and select OK on both this window and the previous one, as shown in the image.
![Select Apply and Ok](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-08.png)
Step 7. Back on the template, select Apply and then OK.
![Close Certificate Template Console](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-09.png)
Step 8. Close the Certificate Template Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.
![Select New CallManager CUCM Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-10.png)
Step 9. Select the new CallManager CUCM template and select OK, as shown in the image.
![Find Web Server Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-11.png)
Step 10. Repeat all previous steps to create certificate templates for the Tomcat and TVS services as needed.
IPsec Template
Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.
![Web Server Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-12.png)
Step 2. Under General, you can change the certificate template’s name, display name, validity, and some other vairiables.
![Update Certification Information for IPsec Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-13.png)
Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.
![Edit Key Usage](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-14.png)
Step 4. Select these options and select OK, as shown in the image.
- Digital signature
- Allow key exchange only with key encryption (key encipherment)
- Allow encryption of user data
![Select Options and Ok](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-15.png)
Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.
![Edit Application Policies](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-16.png)
![Search for Client Authentication](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-17.png)
Step 6. Search for Client Authentication, select it and then OK, as shown in the image.
![Select Add and Search for IP Security and System](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-18.png)
Step 7. Select Add again, search for IP security end system, select it and then select OK on this and on the previous window as well.
![Select Apply and Ok on Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-19.png)
Step 8. Back on the template, select Apply and then OK, as shown in the image.
![Close the Certificate Templates Console](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-20.png)
Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.
![Select New IPsec CUCM Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-21.png)
Step 10. Select the new IPSEC CUCM template and select OK, as shown in the image.
![Find Root CA Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-22.png)
CAPF Template
Step 1. Find the Root CA template and right-click on it. Then select Duplicate Template, as shown in the image.
![Under General, Update Template Information](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-23.png)
Step 2. Under General, you can change the certificate template’s name, display name, validity, ans some other variables.
![Navigate to Extensions and Key Usage](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-24.png)
Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.
![Select Options and then Ok](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-25.png)
Step 4. Select these options and select OK, as shown in the image.
- Digital signature
- Certificate signing
- CRL signing
![CS Image](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-26.png)
Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.
![Application Policies, Edit and Add](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-27.png)
![Add Server Authentication](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-28.png)
Step 6. Search for Client Authentication, select it and then select OK, as shown in the image.
![Search for Client Authentication](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-29.png)
Step 7. Select Add again, search for IP security end system, select it and then select OK on this and on the previous window as well, as shown in the image.
![Search for IP Security End System](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-30.png)
Step 8. Back on the template, select Apply and then OK, as shown in the image.
![Back on Template, Select Apply and Ok](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-31.png)
Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.
![Close Certificate Templates Console Window](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-32.png)
Step 10. Select the new CAPF CUCM template and select OK, as shown in the image.
![Select CAPF CUCM Template](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-33.png)
Generate a Certificate Signing Request
Use this example in order to generate a CallManager certificate with the use of the newly created templates. The same procedure can be used for any certificate type, you just need to select the certificate and template types accordingly:
Step 1. On CUCM, navigate to OS Administration > Security > Certificate Management > Generate CSR.
Step 2. Select these options and select Generate, as shown in the image.
- Certificate Purpose: CallManager
- Distribution: <This can either be just for one server or Multi-SAN>
![Generate a Certificate Signing Request](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-34.png)
Step 3. A confirmation message is generated, as shown in the image.
![Confirmation Message Generated](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-35.png)
Step 4. On the certificate list, look for the entry with type CSR Only and select it, as shown in the image.
![Entry Type CSR Only](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-36.png)
Step 5. On the pop-up window, select Download CSR, and save the file on your computer.
![Pop-Up Window, Select Download CSR](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-37.png)
Step 6. On your browser, navigate to this URL, and enter your domain controller administrator credentials: https://<yourWindowsServerIP>/certsrv/.
Step 7. Navigate to Request a certificate > advanced certificate request, as shown in the image.
![Navigate to this URL](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-38.png)
![Request a Certificate, Advanced Certificate](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-39.png)
Step 8. Open the CSR file and copy all its contents:
![Open CSR File and Copy All Contents](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-40.png)
Step 9. Paste the CSR in the Base-64-encoded certificate request field. Under Certificate Template, select the correct template and select Submit, as shown in the image.
![Paste the CSR in the Base-64-Encoded-Certificate-Request Field](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-41.png)
Step 10. Finally, select Base 64 encoded and Download certificate chain. The generated file can now be uploaded to the CUCM.
![Select Base 64 Encoded and Download Certificate](/c/dam/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/215534-create-windows-ca-certificate-templates-42.png)
Verify
The verification procedure is actually part of the configuration process.
Troubleshoot
There is currently no specific troubleshoot information available for this configuration.