Cisco recommends
using server certificates that are signed by one of the following types of
Certificate Authority (CA):
- Public CA - A third-party
company verifies the server identity and issues a trusted certificate.
- Private CA - You create and
manage a local CA and issue trusted certificates.
The signing
process varies for each product and can vary between server versions. It is
beyond the scope of this document to provide detailed steps for every version
of each server. Refer the appropriate server documentation for detailed
instructions on how to get certificates signed by a CA.
However, the
following steps provide a high-level overview of the procedure:
Every server certificate should have an associated root certificate present in the trust store on client computers. Cisco
UC applications validate the certificates that servers present against the root certificates in the trust store.
If you get server certificates signed by a public CA, the public CA should already have a root certificate present in the
trust store on the client computer. In this case, you do not need to import root certificates on the client computers.
You should import root certificates if the certificates are signed by a CA that does not already exist in the trust store,
such as a private CA.
In SAML SSO, the IdP and service providers must have CA signed certificates with the correct domains in the CN or SAN. If the correct
CA certificates are not validated, the browser issues a pop up warning.
For example, when the administrator points the browser to https://www.cucm.com/ccmadmin; the Unified Communications Manager portal presents a CA certificate to the browser. When the browser is redirected to https://www.idp.com/saml , the IdP presents a CA certificate. The browser will check that the certificate presented by the servers contains CN or
SAN fields for that domain, and that the certificate is signed by a trusted CA.
Alternatively, if the customer has their own private CA, then that CA must be installed as a root trust anchor on the computers
that the administrator is launching their browser from.