Create Windows CA Certificate Templates For CUCM


Introduction

This document provides a step-by-step procedure in order to create certificate templates on Windows Server-based Certification Authorities (CA), that are compliant with X.509 extension requirements for every type of Cisco Unified Communications Manager (CUCM) certificate.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

· CUCM version 11.5(1) or later
· Basic knowledge of Windows Server administration is also recommended

Components Used

The information in this document is based on these software and hardware versions:

· The information in this document is based on CUCM Version 10.5(2) or later.
· Microsoft Windows Server 2012 R2 with CA services installed.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background information

There are five types of certificates that can be signed by an external CA:

Callmanager
  Use: Presented at secure device registration, can sign Certificate Trust List (CTL)/Internal Trust List (ITL) files, used for secure interactions with other servers such as secure Session Initiation Protocol (SIP) Trunks.
  Impacted Services: Cisco Call Manager, Cisco CTI Manager, Cisco TFTP

tomcat
  Use: Presented for Secure Hypertext Transfer Protocol (HTTPS) interactions.
  Impacted Services: Cisco Tomcat, Single Sign-On (SSO), Extension Mobility, Corporate Directory

ipsec
  Use: Used for backup file generation, as well as IP Security (IPsec) interaction with Media Gateway Control Protocol (MGCP) or H323 gateways.
  Impacted Services: Cisco DRF Master, Cisco DRF Local

CAPF
  Use: Used to generate Locally Significant Certificates (LSC) for phones.
  Impacted Services: Cisco Certificate Authority Proxy Function

TVS
  Use: Used to create a connection to the Trust Verification Service (TVS), when the phones are not able to authenticate an unknown certificate.
  Impacted Services: Cisco Trust Verification Service

Each of these certificates has some X.509 extension requirements that need to be set, otherwise, you can encounter misbehaviours on any of the aforementioned services:

Callmanager
  X.509 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
  X.509 Extended Key Usage: Web Server Authentication, Web Client Authentication

tomcat
  X.509 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
  X.509 Extended Key Usage: Web Server Authentication, Web Client Authentication

ipsec
  X.509 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
  X.509 Extended Key Usage: Web Server Authentication, Web Client Authentication, IPsec End System

CAPF
  X.509 Key Usage: Digital Signature, Certificate Sign
  X.509 Extended Key Usage: Web Server Authentication, Web Client Authentication

TVS
  X.509 Key Usage: Digital Signature, Certificate Sign
  X.509 Extended Key Usage: Web Server Authentication, Web Client Authentication

For more information, reference the Administration Guide for Cisco Unified Communications Manager.

Configure

Step 1. On the Windows Server, navigate to Server Manager > Tools > Certification Authority, as shown in the image.

Step 2. Select your CA, then navigate to Certificate Templates, right-click on the list and select Manage, as shown in the image.

Callmanager Template

Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.

Step 2. Under General, you can change the certificate template’s name, display name, validity, etc.

Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

Step 4. Select these options and click OK, as shown in the image.

· Digital signature
· Allow key exchange only with key encryption (key encipherment)
· Allow encryption of user data

Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

Step 6. Search for Client Authentication, select it and click OK on both this window and the previous one, as shown in the image.

Step 7. Back on the template, select Apply and then OK.

Step 8. Close the Certificate Template Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

Step 9. Select the new CallManager CUCM template and select OK, as shown in the image.

Tomcat Template

Step 1. Find the Web Server template, right-click on it and then select Duplicate Template, as shown in the image.

Step 2. Under General, you can change the certificate template’s name, display name, validity, etc.

Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

Step 4. Select these options and click OK, as shown in the image.

· Digital signature
· Allow key exchange only with key encryption (key encipherment)
· Allow encryption of user data

Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

Step 6. Search for Client Authentication and select it and then select OK on both this window and the previous one.

Step 7. Back on the template, select Apply and then OK, as shown in the image.

Step 8. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

Step 9. Select the new Tomcat CUCM template and click on OK, as shown in the image.

IPsec Template

Step 1. Find the Web Server template, right-click on it and select Duplicate Template, as shown in the image.

Step 2. Under General, you can change the certificate template’s name, display name, validity, etc.

Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

Step 4. Select these options and select OK, as shown in the image.

· Digital signature
· Allow key exchange only with key encryption (key encipherment)
· Allow encryption of user data

Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

Step 6. Search for Client Authentication, select it and then OK, as shown in the image.

Step 7. Select Add again, search for IP security end system, select it and then click OK on this and on the previous window as well.

Step 8. Back on the template, select Apply and then OK, as shown in the image.

Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

Step 10. Select the new IPSEC CUCM template and click on OK, as shown in the image.

CAPF Template

Step 1. Find the Root CA template and right-click on it. Then select Duplicate Template, as shown in the image.

Step 2. Under General, you can change the certificate template’s name, display name, validity, etc.

Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

Step 4. Select these options and select OK, as shown in the image.

· Digital signature
· Certificate signing
· CRL signing

Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

Step 6. Search for Client Authentication, select it and then select OK, as shown in the image.

Step 7. Select Add again, search for IP security end system, select it and then click OK on this and on the previous window as well, as shown in the image.

Step 8. Back on the template, select Apply and then OK, as shown in the image.

Step 9. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

Step 10. Select the new CAPF CUCM template and select OK, as shown in the image.

TVS Template

Step 1. Find the Root Certification Authority template and right-click on it. Then select Duplicate Template, as shown in the image.

Step 2. Under General, you can change the certificate template’s name, display name, validity, etc.

Step 3. Navigate to Extensions > Key Usage > Edit, as shown in the image.

Step 4. Select these options and then OK, as shown in the image.

· Digital signature
· Allow key exchange only with key encryption (key encipherment)
· Allow encryption of user data

Step 5. Navigate to Extensions > Application Policies > Edit > Add, as shown in the image.

Step 6. Search for Client Authentication and select it and then select OK on both this window and the previous one, as shown in the image.

Step 7. Back on the template, select Apply and then OK, as shown in the image.

Step 8. Close the Certificate Templates Console window, and back on the very first window, navigate to New > Certificate Template to Issue, as shown in the image.

Step 9. Select the new TVS template and click OK, as shown in the image.

Generate a Certificate

Use this example in order to generate a CallManager certificate with the use of the newly created templates. The same procedure can be used for any certificate type; you just need to select the certificate and template types accordingly:

Step 1. On CUCM, navigate to OS Administration > Security > Certificate Management > Generate CSR.

Step 2. Select these options and select Generate, as shown in the image.

· Certificate Purpose: CallManager
· Distribution: This can either be just for one server or Multi-SAN

Step 3. A confirmation message is generated, as shown in the image.

Step 4. On the certificate list, look for the entry with type CSR Only and select it, as shown in the image.

Step 5. On the pop-up window, select Download CSR, and save the file on your computer.

Step 6. On your browser, navigate to this URL, and enter your domain controller administrator credentials: https://<yourWindowsServerIP>/certsrv/.

Step 7. Navigate to Request a certificate > advanced certificate request, as shown in the image.

Step 8. Open the CSR file and copy all its contents:

Step 9. Paste the CSR on the Base-64-encoded certificate request field. Under Certificate Template, select the correct template and click Submit, as shown in the image.

Step 10. Finally, select Base 64 encoded and Download certificate chain; the generated file can now be uploaded to CUCM.

Verify

The verification procedure is actually part of the configuration process.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
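A way to confirm, before upload, that a certificate issued in Step 9 came from the correct template: the added example below (not part of the original Cisco document) checks the extensions of an issued certificate against the Key Usage and Extended Key Usage table in Background information. It assumes the certificate has been dumped to text with `openssl x509 -noout -text`; the names `REQUIRED`, `extension_values`, `missing_extensions` and the sample dump are constructed for this example.

```python
import re

# Requirements transcribed from the table in "Background information".
# EKU names use the labels OpenSSL prints (a mapping assumed by this example).
SERVER = "TLS Web Server Authentication"
CLIENT = "TLS Web Client Authentication"
IPSEC = "IPSec End System"
GENERAL_KU = {"Digital Signature", "Key Encipherment",
              "Data Encipherment", "Key Agreement"}
SIGNING_KU = {"Digital Signature", "Certificate Sign"}
REQUIRED = {
    "callmanager": (GENERAL_KU, {SERVER, CLIENT}),
    "tomcat": (GENERAL_KU, {SERVER, CLIENT}),
    "ipsec": (GENERAL_KU, {SERVER, CLIENT, IPSEC}),
    "capf": (SIGNING_KU, {SERVER, CLIENT}),
    "tvs": (SIGNING_KU, {SERVER, CLIENT}),
}

def extension_values(text, label):
    """Values listed on the line after an 'X509v3 <label>:' header,
    or an empty set when the extension is absent from the dump."""
    m = re.search(r"X509v3 " + re.escape(label) + r":[^\n]*\n\s*([^\n]+)", text)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def missing_extensions(text, cert_type):
    """Return (missing key usages, missing extended key usages), sorted."""
    need_ku, need_eku = REQUIRED[cert_type.lower()]
    have_ku = extension_values(text, "Key Usage")
    have_eku = extension_values(text, "Extended Key Usage")
    return sorted(need_ku - have_ku), sorted(need_eku - have_eku)

# Constructed sample: extension section of a certificate without the IPsec
# application policy or certificate signing (not captured from a real system).
SAMPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.test
"""

if __name__ == "__main__":
    for cert_type in REQUIRED:
        ku, eku = missing_extensions(SAMPLE, cert_type)
        status = "OK" if not (ku or eku) else f"missing KU={ku} EKU={eku}"
        print(f"{cert_type:12} {status}")
```

Run against the sample, the check passes for callmanager and tomcat and reports the missing IPsec End System policy for ipsec and the missing Certificate Sign usage for CAPF and TVS, which is what selecting the wrong template in Step 9 would produce.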
