Cisco Communications Manager 10.5 Certificates BUG

Finally we get cluster-wide certificate management via multi-SAN certificate support. EDIT 6/10/2014 – and I immediately find a SEV2 bug working with TAC, Bug ID: CSCup28852. CallManager hates this certificate and sends group resets on every ITL refresh, meaning your phones reboot every 10 minutes or so. Fixed in a later CUCM version, but not available for download at this time.

First you need a certificate template on your Microsoft CA that issues a certificate with the right key usage and purposes; the stock templates do not, so create one.

  1. New certificate template “Web Server X509v3”
    1. Certificate purposes (application policies): Server Authentication, Client Authentication, IP Security End System
    2. Key usage: Digital Signature, Non-repudiation (I add this so the same template can also be used for the VMware hosts), Key Encipherment, Data Encipherment. In the template's Key Usage extension, key encipherment and key agreement are mutually exclusive choices; select key encipherment.
    3. Key length: 2048
    4. Hash: SHA256
  2. Generate the Multi-SAN certificate request from your CUCM publisher (Cisco Unified OS Administration > Security > Certificate Management > Generate CSR)
    1. Certificate purpose: tomcat
    2. Distribution: Multi-server (SAN)
    3. Common name: can be left as-is or set to a vanity name
    4. Auto-populated domains: this should list all of your CUCM and IM&P nodes in the cluster. Check that every node is present before you submit; a node missing from the SAN list will keep throwing certificate warnings after the cluster-wide upload.
    5. Parent domain!
      1. Be sure this is the parent DNS domain your SERVERS reside in. There are some caveats here if you have servers in different domains.
      2. Example:
    6. Other domains!
      1. ADD your directory URI domains (AKA e-mail domain).
      2. Example:
    7. Key length: 2048
    8. Hash: SHA256
  3. Submit the CSR to the Microsoft CA via http://ca-server/certsrv, choosing the “Web Server X509v3” template
  4. Upload the CA root and any intermediates to the publisher as tomcat-trust
  5. Upload the new signed certificate to the CUCM publisher as tomcat, then restart the Cisco Tomcat service on each node (utils service restart Cisco Tomcat) so the new certificate is served

Enjoy that you didn’t have to do that on every cluster node!
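Before you upload the signed certificate, it is worth confirming that what the CA returned actually matches the template and CSR settings above: 2048-bit RSA, SHA-256 signature, Digital Signature plus Key Encipherment key usage, Server and Client Authentication EKU, and a DNS SAN entry for every cluster node and for the directory URI domain. The bash script below is an added example written for this page, not code from the original post or from Cisco. Because no real certificate ships with the post, it constructs a throwaway self-signed certificate with the same SAN/EKU/key-usage shape as sample input; the hostnames cucm-pub.example.com, cucm-sub1.example.com, imp1.example.com and the domain example.com are assumptions. In real use you would point check_san_cert at the .cer the Microsoft CA returned.

```shell
#!/usr/bin/env bash
# check_san_cert.sh - sanity-check a signed multi-SAN certificate before uploading it
# as "tomcat" on the CUCM publisher. Added example, not from the original post.
# Hostnames and domains used below are assumptions, not taken from any real cluster.
set -eu

# check_san_cert CERT.pem NAME...  -> 0 if CERT satisfies every requirement, 1 otherwise.
# Requirements mirror the template/CSR settings: RSA 2048, SHA-256 signature,
# Digital Signature + Key Encipherment key usage, Server + Client Authentication EKU,
# and a DNS SAN for every NAME given (each cluster node plus the directory URI domain).
check_san_cert() {
    local cert="$1"; shift
    local text
    text=$(openssl x509 -in "$cert" -noout -text) || { echo "FAIL: cannot parse $cert"; return 1; }

    grep -q 'Public-Key: (2048 bit)' <<<"$text" \
        || { echo "FAIL: key is not RSA 2048"; return 1; }
    grep -q 'Signature Algorithm: sha256WithRSAEncryption' <<<"$text" \
        || { echo "FAIL: signature is not SHA-256"; return 1; }

    # Key usage: the template's "key encipherment" choice must be present alongside digital signature.
    # openssl prints the extension name on one line and its values on the next.
    local ku want
    ku=$(grep -A1 'X509v3 Key Usage' <<<"$text" | tail -n1)
    for want in 'Digital Signature' 'Key Encipherment'; do
        grep -q "$want" <<<"$ku" || { echo "FAIL: key usage lacks $want"; return 1; }
    done

    # Extended key usage: server and client authentication (IM&P/Jabber flows use both).
    local eku
    eku=$(grep -A1 'X509v3 Extended Key Usage' <<<"$text" | tail -n1)
    for want in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        grep -q "$want" <<<"$eku" || { echo "FAIL: EKU lacks $want"; return 1; }
    done

    # SAN list: printed on one line as "DNS:a, DNS:b, ...". Every expected name must appear;
    # a node missing here is what produces certificate warnings on that node's URLs.
    local sans name
    sans=$(grep -A1 'Subject Alternative Name' <<<"$text" | tail -n1 | tr ',' '\n' \
           | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
    for name in "$@"; do
        grep -qxF "$name" <<<"$sans" || { echo "FAIL: no DNS SAN for $name"; return 1; }
    done
    echo "OK: $cert covers: $*"
}

# make_sample_cert CERT KEY - constructed sample input: a throwaway self-signed certificate
# with the SAN/EKU/key-usage shape a correctly issued multi-SAN certificate would have.
make_sample_cert() {
    local cert="$1" key="$2" cnf
    cnf=$(mktemp)
    cat >"$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = cucm-pub.example.com
[v3_san]
subjectAltName = DNS:cucm-pub.example.com,DNS:cucm-sub1.example.com,DNS:imp1.example.com,DNS:example.com
extendedKeyUsage = serverAuth,clientAuth,ipsecEndSystem
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$cnf" -extensions v3_san -keyout "$key" -out "$cert" 2>/dev/null
    rm -f "$cnf"
}

# Stand-alone run: build the sample, then check it against the node list and the directory URI domain.
workdir=$(mktemp -d)
make_sample_cert "$workdir/cert.pem" "$workdir/key.pem"
check_san_cert "$workdir/cert.pem" \
    cucm-pub.example.com cucm-sub1.example.com imp1.example.com example.com
```

Run it against the real certificate with the full node list from the Auto-populated domains field plus your directory URI domain: `check_san_cert signed.cer cucm-pub.corp.example cucm-sub1.corp.example imp1.corp.example example.com`. The first failing check is printed and the function returns 1, so the script can gate an upload in a change script.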

Reminder: the multi-SAN certificate covers only the CUCM and IM&P nodes. If Jabber connects to voicemail, you still need to go to each Unity Connection node, generate a CSR and assign it a signed certificate. Jabber will keep prompting with a certificate error as long as Unity Connection is unsigned.