CA Certificates
| Import CA Certificates to Target Server | Generate CA Certificates for the Source Component Server | Links |
|---|---|---|
| AW Machines | Unified CCE Components (Router, Logger1, Rogger2, PGs, AWs, and HDS) | |
| | Customer Voice Portal (CVP) Call Server/CVP Reporting Server | |
| | Email and Chat (ECE) | See Enterprise Chat and Email Installation and Configuration Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/cisco-enterprise-chat-email/series.html |
| | Cisco Finesse Primary and Secondary | |
| | Cisco Unified Communications Manager (CUCM) Publisher and Subscriber | |
| | Virtualized Voice Browser (VVB) | See Configuration Guide for Cisco Unified Customer Voice Portal at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html |
| | Cisco Unified Intelligence Center (CUIC) Publisher and Subscriber | |
| | Cisco Identity Service (IdS) Publisher and Subscriber | For more information, see https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-configuration-examples-list.html. Perform the instructions on the IdS server. |
| | Cloud Connect Publisher and Subscriber | |
| | Customer Collaboration Platform | See Security Guide for Cisco Unified ICM/Contact Center Enterprise at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-and-configuration-guides-list.html |
| | Live Data Publisher and Subscriber | |
| PG | CUCM Publisher | |
| | VOS components | |
| Logger | AW | |
| | Rogger | |
| CVP | | |
Generate CSR
Procedure
Step 1: Log in to Windows and choose .
Step 2: In the Connections pane, click the server name.
Step 3: In the IIS area, double-click Server Certificates.
Step 4: In the Actions pane, click Create Certificate Request.
Step 5: In the Request Certificate dialog box, do the following:
Step 6: Specify a file name for the certificate request and click Finish.
Create Trusted CA-Signed Server or Application Certificate
You can create a CA-signed certificate in any one of the following ways:
- Create the certificate internally. Do the following:
  - Download the CA-signed certificate on each component server. Do the following:
    - Open the CA server certificate page (https://<CA-server-address>/certsrv).
    - Click Request a Certificate and then click advanced certificate request. Then do the following:
      - Copy the Certificate Request content into the Base-64-encoded certificate request box.
      - From the Certificate Template drop-down list, choose Web Server.
      - Click Submit.
      - Choose Base 64 encoded.
      - Click Download certificate and save it to the desired destination folder.
    - On the CA server certificate page, click Download a CA Certificate, Certificate Chain, or CRL, and then do the following:
      - Select the Encoding method as Base 64.
      - Click Download CA Certificate and save it to the desired destination folder.
  - Import the Root CA and Intermediate Authority certificates into the Windows trust store of every component. For more information on how to import CA certificates into the Windows trust store, see Microsoft documentation.
  - Import the Root CA and Intermediate Authority certificates into the Java keystore of every component. For more information, see Import CA Certificate into AW Machines.
- Obtain the certificate from a trusted Certificate Authority (CA). Do the following:
  - Send the CSR to a trusted Certificate Authority (CA) for sign-off.
  - Obtain the CA-signed application certificate, Root CA certificate, and Intermediate Authority certificate (if any).
  - Import the Root CA and Intermediate Authority certificates into the Windows trust store of every component. For more information on how to import CA certificates into the Windows trust store, see Microsoft documentation.
  - Import the Root CA and Intermediate Authority certificates into the Java keystore of every component. For more information, see Import CA Certificate into AW Machines.
Produce Certificate Internally
Set up Microsoft Certificate Server for Windows Server
This procedure assumes that your deployment includes a Windows Server Active Directory server. Perform the following steps to add the Active Directory Certificate Services role on the Windows Server domain controller.
Before you begin
Microsoft .NET Framework must be installed. See Windows Server documentation for instructions.
Procedure
Step 1: In Windows, open the Server Manager.
Step 2: In the Quick Start window, click Add Roles and Features.
Step 3: In the Set Installation Type tab, select Role-based or feature-based installation, and then click Next.
Step 4: In the Server Selection tab, select the destination server, and then click Next.
Step 5: In the Server Roles tab, check the Active Directory Certificate Services box, and then click the Add Features button in the pop-up window.
Step 6: In the Features and AD CS tabs, click Next to accept default values.
Step 7: In the Role Services tab, verify that Certification Authority, Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service boxes are checked, and then click Next.
Step 8: In the Confirmation tab, click Install.
Step 9: After the installation is complete, click the Configure Active Directory Certificate Service on the destination server link.
Step 10: Verify that the credentials are correct (for the domain Administrator user), and then click Next.
Step 11: In the Role Services tab, check the Certification Authority, Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service boxes, and then click Next.
Step 12: In the Setup Type tab, select Enterprise CA, and then click Next.
Step 13: In the CA Type tab, select Root CA, and then click Next.
Step 14: In the Private Key, Cryptography, CA Name, Validity Period, and Certificate Database tabs, click Next to accept default values.
Step 15: In the following tabs, leave the default values, and click Next.
Step 16: Review the information in the Confirmation tab, and then click Configure.
Upload and Bind CA-Signed Certificate
Upload CA-Signed Certificate to IIS Manager
Before you begin
Procedure
Step 1: Log in to Windows and choose .
Step 2: In the Connections pane, click the server name.
Step 3: In the IIS area, double-click Server Certificates.
Step 4: In the Actions pane, click Complete Certificate Request.
Step 5: In the Complete Certificate Request dialog box, complete the following fields:
Step 6: Click OK to upload the certificate.
Bind CA-Signed Certificate to IIS Manager
Bind CCE Web Applications
Procedure
Step 1: Log in to Windows and choose .
Step 2: In the Connections pane, choose .
Step 3: In the Actions pane, click Bindings....
Step 4: Click the type https with port 443, and then click Edit....
Step 5: From the SSL certificate drop-down list, select the uploaded signed Certificate Request.
Step 6: Click OK.
Step 7: Navigate to and restart the IIS Admin Service.
Bind Diagnostic Framework Service
Procedure
Step 1: Open the command prompt.
Step 2: Navigate to the Diagnostic Portico home folder using: cd <ICM install directory>:\icm\serviceability\diagnostics\bin
Step 3: Remove the current certificate binding to the Diagnostic Portico tool using: DiagFwCertMgr /task:UnbindCert
Step 4: Open the signed certificate and copy the hash content (without spaces) of the Thumbprint field. Run the following command: DiagFwCertMgr /task:BindCertFromStore /certhash:<hash_value>
Step 5: Validate if the certificate binding was successful using: DiagFwCertMgr /task:ValidateCertBinding
Step 6: Restart the Diagnostic Framework service by running the following commands:
    sc stop "diagfwsvc"
    sc start "diagfwsvc"
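
A thumbprint pasted from the certificate dialog for Step 4 can carry spaces and an invisible leading character (U+200E), which makes the /certhash value differ from what is in the store. The following PowerShell is an added example, not part of the original guide: it normalises a pasted thumbprint and checks the certificate before printing the bind command. The function names, the Cert:\LocalMachine\My store location and the sample thumbprint are assumptions; the DiagFwCertMgr arguments are the ones shown in the steps above.

```powershell
# Added example (not from the guide): clean a pasted thumbprint for /certhash.
function ConvertTo-CertHash {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only. This drops spaces, colons and invisible characters
    # such as U+200E that can come along when copying from the Thumbprint field.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hash.Length)."
    }
    $hash
}

function Test-BindCandidate {
    param([Parameter(Mandatory)][string]$CertHash,
          # Assumption: the signed certificate is in the Local Computer
          # Personal store after Complete Certificate Request.
          [string]$Store = 'Cert:\LocalMachine\My')
    $cert = Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $CertHash }
    if (-not $cert)                     { return 'not found in store' }
    if (-not $cert.HasPrivateKey)       { return 'no private key on this server' }
    if ($cert.NotAfter  -lt (Get-Date)) { return "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date)) { return "not valid until $($cert.NotBefore)" }
    'ok'
}

# Constructed sample: a made-up thumbprint as pasted, with a leading U+200E.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$hash   = ConvertTo-CertHash $pasted
$state  = Test-BindCandidate $hash

if ($state -eq 'ok') {
    # Command line from Step 4 with the cleaned value filled in.
    "DiagFwCertMgr /task:BindCertFromStore /certhash:$hash"
} else {
    Write-Warning "Do not bind ${hash}: $state"
}
```

With the constructed thumbprint the lookup reports that the certificate is not in the store; replace `$pasted` with the value copied from the signed certificate.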
Import WSM CA Certificate into CVP
Procedure
Step 1: Log in to the Call Server or Reporting Server and retrieve the keystore password from the
Step 2: Remove the existing certificate by running %CVP_HOME%\jre\bin\keytool.exe -delete -alias wsm_certificate -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS.
Step 3: Enter the keystore password when prompted.
Step 4: Generate a new key pair for the alias with selected key size by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias wsm_certificate -v -validity <duration in days> -keysize 2048 -keyalg RSA.
Step 5: Generate the CSR certificate for the alias by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.csr and save it to a file (for example,
Step 6: Enter the keystore password when prompted.
Step 7: Download
Step 8: Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\
Step 9: Install the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -validity <duration in days> -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.
Step 10: Enter the keystore password when prompted.
Step 11: Install the signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -validity <duration in days> -trustcacerts -alias wsm_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>.
Step 12: Enter the keystore password when prompted.
Step 13: Restart the Cisco CVP WebServicesManager service.
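
After Step 11 the wsm_certificate alias should still hold the private key generated in Step 4, now with the CA-signed chain attached. The following PowerShell is an added example, not part of the original guide: it interprets keytool -list -v output for the alias. The function names and the two listings are constructed for illustration; the alias, paths and store type are the ones used in the steps above.

```powershell
# Added example (not from the guide): interpret "keytool -list -v" output for
# the wsm_certificate alias after the import steps.
function Get-ListField {
    param([string]$Text, [string]$Name)
    # Value of the first "Name: value" line in the listing, or nothing if absent.
    if ($Text -match "(?m)^$([regex]::Escape($Name)):\s*(.*?)\s*$") { $Matches[1] }
}

function Test-WsmEntry {
    param([Parameter(Mandatory)][string]$ListOutput)
    $type   = Get-ListField $ListOutput 'Entry type'
    $length = [int](Get-ListField $ListOutput 'Certificate chain length')
    $owner  = Get-ListField $ListOutput 'Owner'     # first match is Certificate[1]
    $issuer = Get-ListField $ListOutput 'Issuer'

    if ($type -ne 'PrivateKeyEntry') {
        return "FAIL: entry type '$type'; the alias holds no private key"
    }
    if ($length -lt 2 -or $owner -eq $issuer) {
        return 'FAIL: still the self-signed certificate from -genkeypair'
    }
    "OK: chain length $length, issued by $issuer"
}

# Constructed, shortened listings (not real output): before and after Step 11.
$before = @'
Alias name: wsm_certificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=cvp.example.com, O=Example
Issuer: CN=cvp.example.com, O=Example
'@
$after = $before -replace 'chain length: 1', 'chain length: 2' `
                 -replace 'Issuer: .*', 'Issuer: CN=Example Root CA, O=Example'

Test-WsmEntry $before
Test-WsmEntry $after

# Against the real keystore (prompts for the keystore password):
# $out = & "$env:CVP_HOME\jre\bin\keytool.exe" -list -v -alias wsm_certificate `
#        -keystore "$env:CVP_HOME\conf\security\.keystore" -storetype JCEKS
# Test-WsmEntry ($out -join "`n")
```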
Import CA Certificate into AW Machines
Procedure
Step 1: Log in to the AW-HDS-DDS Server.
Step 2: Run the following command:
Step 3: Copy the Root or intermediate certificates to a location in AW Machine.
Step 4: Run the following command and remove the existing certificate:
Step 5: Enter the truststore password when prompted. The default truststore password is changeit.
Step 6: At the AW machine terminal, run the following command:
Step 7: Enter the truststore password when prompted.
Step 8: Go to Services and restart Apache Tomcat.
Import VOS CA Certificate into PG
Before you begin
This procedure explains how to import CA certificates that signed a VOS component certificate to a PG server.
Procedure
Step 1: Copy the CA certificate to a location in the PG server.
Step 2: Run the following command as an administrator at the target server (machine terminal):
Step 3: Enter the truststore password when prompted. The default truststore password is changeit.
Step 4: Go to Services and restart Apache Tomcat.
Import CA Certificate into Cisco Unified CVP
Procedure
Step 1: Download the Packaged CCE webadmin CA certificate to %CVP_HOME%\conf\security\.
Step 2: Import the certificate to the CVP Call Server keystore by running %CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias AW_cert -file %CVP_HOME%\conf\security\<AW certificate>.
Import CA Certificate into Rogger/Logger
Procedure
Step 1: Log in to the Logger/Rogger Server.
Step 2: Run the following command:
Step 3: Copy the Root or intermediate certificates to a location in Logger/Rogger VMs.
Step 4: Remove the existing certificate by executing:
Step 5: Enter the truststore password when prompted. The default truststore password is changeit.
Step 6: At the Logger/Rogger machine terminal, run the following command:
Step 7: Enter the truststore password when prompted.
Step 8: Go to Services and restart Apache Tomcat.