How to deal with Certificates with Cisco Meeting Server Version 3.0.0?

Generate the Database cluster CSR.

For the database you need to generate two CSRs with their corresponding private keys: one for the server and one for the client.

Use one CMS to generate these two CSRs. Once you get the server and client certificates back from your CA, copy the two certificates with their private keys to the second node, cms-b, using WinSCP.

Let's start with cms-a, which is the master database.

For the server certificate use the following command and give it a name, for example dbcert. It is important to set the CN to the FQDN of the master database cms-a and the SAN to the second node cms-b. If you have more CMS nodes, add their FQDNs on the same line, separated by commas, for example: cms-b.lab.local,cms-c.lab.local,cms-d.lab.local.

cms-a>pki csr dbcert CN:cms-a.lab.local OU:CCNP O:Collaboration L:lab ST:local C:US subjectAltName:cms-b.lab.local

For the client certificate use the following command and give it a name, for example dbclt.

cms-a>pki csr dbclt CN:postgres

When generating the client certificate, use the same CA template as for the database server certificate (Client and Server Authentication).

Below is an example of the client certificate named dbclt after submitting the CSR to the CA.

Certificate configuration is also required for the Call Bridge, XMPP, Web Bridge and Web Admin services. The certificates can be signed by an internal or an external certificate authority.

In a single-server deployment the certificate should have the server FQDN as the Common Name (CN). In a cluster deployment, I use the domain name lab.local as the Common Name, and the certificate must carry the Subject Alternative Name (SAN) attributes for each service name, for example XMPP, Join (WebRTC) and so on.

To generate a Certificate Signing Request (CSR) and private key locally, use the following command; I give it the name 1cert:

pki csr 1cert CN:lab.local OU:CCNP O:Collaboration L:lab ST:local C:US subjectAltName:webbridge.lab.local,xmpp.lab.local,callbridge.lab.local,join.lab.local,webadmin.lab.local,cms-a.lab.local,cms-b.lab.local,*.lab.local
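Both CSR commands above bind the certificate to a set of hostnames through the CN and the subjectAltName list, and it is easy to forget a node or a service name. The following script is an added example, not part of the original post and not Cisco code: it parses the CN and subjectAltName fields of a pki csr line as written here and reports, for each hostname a service is reached at, which certificate names cover it. A wildcard covers exactly one label (RFC 6125), so *.lab.local matches cms-c.lab.local but neither a.b.lab.local nor lab.local itself. Names covered only by the CN are listed separately, because browsers and other SAN-only clients ignore the CN. The extra hostnames used in the report (cms-c.lab.local, a.b.lab.local) are constructed for the example.

```python
"""Check which hostnames a Cisco Meeting Server 'pki csr' request covers.

Added example; it is not part of the original post and not Cisco code.
"""
import shlex

# The two commands from the post; the 'cms-a>' prompt is part of the copied line.
DB_SERVER_CSR = ("cms-a>pki csr dbcert CN:cms-a.lab.local OU:CCNP O:Collaboration "
                 "L:lab ST:local C:US subjectAltName:cms-b.lab.local")
SERVICES_CSR = ("pki csr 1cert CN:lab.local OU:CCNP O:Collaboration L:lab ST:local C:US "
                "subjectAltName:webbridge.lab.local,xmpp.lab.local,callbridge.lab.local,"
                "join.lab.local,webadmin.lab.local,cms-a.lab.local,cms-b.lab.local,*.lab.local")


def parse_pki_csr(command: str) -> dict:
    """Return {'name': ..., 'CN': ..., 'SAN': [...]} from a 'pki csr' command line."""
    tokens = shlex.split(command)
    if tokens and ">" in tokens[0]:            # drop a 'cms-a>' prompt glued to the command
        tokens[0] = tokens[0].split(">", 1)[1]
        if not tokens[0]:
            tokens.pop(0)
    if tokens[:2] != ["pki", "csr"] or len(tokens) < 3:
        raise ValueError("expected: pki csr <name> <field>:<value> ...")
    fields = {}
    for token in tokens[3:]:                    # every remaining token is key:value
        key, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"field without a colon: {token!r}")
        fields[key] = value
    if "CN" not in fields:
        raise ValueError("CN field is required")
    san = [n for n in fields.get("subjectAltName", "").split(",") if n]
    return {"name": tokens[2], "CN": fields["CN"], "SAN": san}


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.' wildcard) covers hostname.

    A wildcard matches exactly one label: '*.lab.local' covers 'x.lab.local'
    but not 'a.b.lab.local' and not 'lab.local'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".lab.local"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[:-len(suffix)]        # the part the '*' has to stand for
        return prefix != "" and "." not in prefix
    return False


def coverage(command: str, hostnames) -> dict:
    """Map each hostname to the list of certificate names (CN or SAN) that cover it."""
    csr = parse_pki_csr(command)
    names = [csr["CN"], *csr["SAN"]]
    return {h: [n for n in names if name_matches(n, h)] for h in hostnames}


def uncovered(command: str, hostnames) -> list:
    """Hostnames that neither the CN nor any SAN entry covers."""
    return [h for h, names in coverage(command, hostnames).items() if not names]


def cn_only(command: str, hostnames) -> list:
    """Hostnames covered by the CN but by no SAN entry (SAN-only clients reject these)."""
    csr = parse_pki_csr(command)
    return [h for h in hostnames
            if name_matches(csr["CN"], h) and not any(name_matches(n, h) for n in csr["SAN"])]


if __name__ == "__main__":
    cluster = ["cms-a.lab.local", "cms-b.lab.local", "cms-c.lab.local"]  # cms-c is constructed
    services = ["webbridge.lab.local", "join.lab.local", "lab.local", "a.b.lab.local"]
    for label, cmd, hosts in (("dbcert", DB_SERVER_CSR, cluster), ("1cert", SERVICES_CSR, services)):
        print(f"{label}: uncovered={uncovered(cmd, hosts)} cn_only={cn_only(cmd, hosts)}")
        for host, names in coverage(cmd, hosts).items():
            print(f"  {host:<22} <- {names}")
```

Run it before submitting the CSR to the CA; an entry in uncovered means a service at that name will fail TLS name validation, and an entry in cn_only means it works only for clients that still fall back to the CN.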

Below is the certificate named 1cert after submitting the CSR to the CA.

A chain certificate is required for Web Bridge 3 in version 3. It is a single file (with an extension of .pem, .cer or .crt) holding a copy of the Root CA's certificate and all intermediate certificates in the chain.

To create a chain certificate, use a plain text editor such as Notepad. All of the characters, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, need to be in the file. There should be no space between the certificates: no spaces or extra lines between the -----END CERTIFICATE----- of certificate 1 and the -----BEGIN CERTIFICATE----- of certificate 2. Certificate 1 ends with -----END CERTIFICATE----- and the very next line holds the -----BEGIN CERTIFICATE----- of certificate 2. At the end of the file there should be one extra line. Save the file with an extension of .pem, .cer, or .crt.

Download the CA's certificate and copy it to cms-a and cms-b using WinSCP.

Open the certificate named 1cert created previously in Notepad.

Open the CA's certificate downloaded previously from the CA server in Notepad.

Paste the 1cert certificate first and then paste the CA's certificate at the end. Save the file with the .cer extension and name it fullchain.cer.

Below is the chain certificate named fullchain.
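Hand-editing a chain file in Notepad is where most Web Bridge 3 certificate problems come from: a blank line between two blocks, a stray character outside the tags, or a missing final newline. The script below is an added example, not part of the original post and not Cisco code. It assembles a chain file in the order the post describes (server certificate first, then the CA certificate or CA bundle) and validates the layout rules given above: every block delimited by BEGIN/END tags, nothing but the tags and base64 between them, no blank line between consecutive certificates, exactly one trailing newline, and each body decoding to DER that starts with a SEQUENCE tag. The certificate bodies are constructed stand-ins (a minimal DER SEQUENCE), not real certificates; real PEM files are processed the same way. It does not check that the certificates are in issuer order, which needs an X.509 parser.

```python
"""Assemble and validate a Web Bridge 3 chain certificate file.

Added example; not part of the original post and not Cisco code.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in body: base64 of the DER bytes 30 03 02 01 01, i.e. SEQUENCE { INTEGER 1 }.
# A real certificate body is much longer, but it is also a DER SEQUENCE starting with 0x30.
FAKE_BODY = "MAMCAQE="
SERVER_CERT = f"{BEGIN}\n{FAKE_BODY}\n{END}\n"         # stands in for 1cert.cer
ISSUING_CA_CERT = f"{BEGIN}\n{FAKE_BODY}\n{END}\n"     # stands in for the issuing CA
ROOT_CA_CERT = f"{BEGIN}\n{FAKE_BODY}\n{END}\n"        # stands in for the Root CA
BUNDLE_CA = ISSUING_CA_CERT + ROOT_CA_CERT              # stands in for Bundle-CA.cer


def pem_blocks(text: str) -> list:
    """Return the base64 body of every certificate block in text, in file order."""
    text = text.replace("\r\n", "\n")
    return re.findall(rf"{BEGIN}\n(.*?)\n{END}", text, re.S)


def _decode_der(body: str) -> bytes:
    """Decode one PEM body; raise ValueError if it is not base64 or not a DER SEQUENCE."""
    der = base64.b64decode("".join(body.split()), validate=True)   # binascii.Error is a ValueError
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def build_chain(*certs: str) -> str:
    """Join certificate files in the given order into one chain file.

    Each input may hold one or several blocks (a CA bundle), so
    build_chain(server_cert, bundle_ca) gives server + issuing CA + root CA.
    Blocks are re-wrapped at 64 columns, written back to back with no blank
    lines, and the file ends with exactly one newline.
    """
    out = []
    for cert in certs:
        bodies = pem_blocks(cert)
        if not bodies:
            raise ValueError("input contains no PEM certificate block")
        for body in bodies:
            _decode_der(body)                                        # reject garbage early
            b64 = "".join(body.split())
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            out.append("\n".join([BEGIN, *lines, END]))
    return "\n".join(out) + "\n"


def validate_chain(text: str) -> list:
    """Return a list of layout problems; an empty list means the file follows the rules."""
    problems = []
    text = text.replace("\r\n", "\n")
    bodies = pem_blocks(text)
    if not bodies:
        return ["no PEM certificate block found"]
    if re.search(rf"{END}\n\n+{BEGIN}", text):
        problems.append("blank line between certificates")
    leftover = re.sub(rf"{BEGIN}\n.*?\n{END}", "", text, flags=re.S)
    if leftover.strip():
        problems.append("text outside the BEGIN/END tags")
    if not text.endswith("\n"):
        problems.append("missing final newline")
    elif text.endswith("\n\n"):
        problems.append("more than one trailing newline")
    for i, body in enumerate(bodies, 1):
        try:
            _decode_der(body)
        except ValueError as exc:
            problems.append(f"certificate {i}: {exc}")
    return problems


if __name__ == "__main__":
    chain = build_chain(SERVER_CERT, BUNDLE_CA)        # same order as the post: 1cert, then the CA
    print(chain, end="")
    print("problems:", validate_chain(chain))          # expected: []
    broken = chain.replace(END + "\n" + BEGIN, END + "\n\n" + BEGIN, 1)
    print("problems:", validate_chain(broken))         # reports the blank line
```

To use it on a real deployment, read 1cert.cer and the CA bundle from disk, pass their contents to build_chain in that order, write the result as fullchain.cer, and run validate_chain on the file you are about to upload with WinSCP.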

Copy the three certificates with their private keys to cms-b using WinSCP.

Do the same for cms-a.

Use the pki list command to verify that the three certificates are present.

After the service configuration (which is not shown in this blog post):

The database on cms-a and cms-b is ready using the dbcert and dbclt certificates and verified by the CA (Bundle-CA certificate).

The callbridge on cms-a and cms-b is ready using the 1cert certificate and verified by the CA (Bundle-CA certificate).

The webadmin on cms-a and cms-b is ready using the 1cert certificate and verified by the CA (Bundle-CA certificate).

The webbridge3 on cms-a and cms-b is ready using the 1cert and the chain certificate fullchain and verified by the CA (Bundle-CA certificate).

Published by:

Redouane MEDDANE

Redouane MEDDANE is a Cisco Instructor CCSI #35458, 3xCCNP Collaboration, Security and Enterprise, and he is a published author of some of the most important OSPF Protocol, Security and Collaboration books in the world, titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at ipdemystify.com and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy, especially the OSPF Demystified With RFC book, which is considered the best OSPF book in the world and was named "One of the best OSPF ebooks of all time" by BookAuthority. It gives you a hint of his ability to explain complex topics with remarkable ease. He worked as a Cisco Instructor and consultant in different Cisco Learning Partners and was awarded twice the Cisco Distinguished Instructor Award and the Cisco Security Instructor Excellence Award in 2018 and 2019, and the Cisco Collaboration Instructor Excellence Award in 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSIs who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologies, and the Instructor Excellence Award recognizes the top 25% of elite CCSIs being recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.


4 thoughts on “How to deal with Certificates with Cisco Meeting Server Version 3.0.0?”

  1. Hello
    Bundle-CA certificate is Issue_CA + Root_CA and fullchain.cer is 1cert + Issue_CA + Root_CA, is it correct?

  2. Hi Sergey, Chain Certificate (Bundle-CA.cer) = Subordinate Cert + CA certificate “Root-CA” while fullchain.cer = 1cert.cer + Bundle-CA.cer
