How to deal with Certificates with Cisco Meeting Server Version 3.0.0?

Generate the Database cluster CSR.

For database you need to generate two CSRs with the corresponding private keys, the client and the server.

Use one CMS to generates these two CSRs, once you get the server and client certificates from your CA, copy the two certificates with their private keys to the second CMS-b using WinSCP.

Let’s start with cms-a which is the Master Database.

For Server certificate use the following command, give a name for example dbcert, it is important to put the CN to the FQDN of the Master Database cms-a and the SAN to the second cms-b, if you have multiple CMS, add their FQDN in the same line. For example: cms-b.lab.local,cms-c.lab.local,cms-d.lab.local.

cms-a>pki csr dbcert CN:cms-a.lab.local OU:CCNP O:Collaboration L:lab ST:local C:US subjectAltName:cms-b.lab.local

For Client certificate use the following command, give a name for example dbclt.

cms-a>pki csr dbclt CN:postgres

When generating Certificate for client, use the same template as the database certificate (Client and Server authentication).

Below example of the Client Certificate named dbclt after submitting the CSR to the CA.

Certificate configuration is required also for the Call Bridge, XMPP, Web Bridge and Web Admin services. Certificates should be signed by internal or external certificate authorities.

In a Single Server deployment the certificate should have the server FQDN as the Common Name (CN), in Cluster deployment, I use the domain name as the Common Name lab.local and the certificate must have the Subject Alternate Name (SAN) attributes, for example. XMPP, Join (WebRTC) etc.

To generate a Certificate Signing Request (CSR) and private key locally, the following command is used, I give the name 1cert:

pki csr 1cert CN:lab.local OU:CCNP O:Collaboration L:lab ST:local C:US subjectAltName:webbridge.lab.local,xmpp.lab.local,callbridge.lab.local,join.lab.local,webadmin.lab.local,cms-a.lab.local,cms-b.lab.local,*.lab.local

Below the Certificate named 1cert after submitting the CSR to the CA.

A chain certificate is required for Webbridge3 in version 3, it is a single file (with an extension of .pem, .cer or.crt) holding a copy of the Root CA’s certificate and all intermediate certificates in the chain.

To create a chain certificate, use a plain text editor such as notepad. All of the characters including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– tags need to be inserted into the document. There should be no space between the certificates, for example no spaces or extra lines between —–END CERTIFICATE—– of certificate 1 and —–BEGIN CERTIFICATE—– of certificate 2. Certificate 1 will end with —–END CERTIFICATE—– and the very next line will have —–BEGIN CERTIFICATE—- for certificate 2. At the end of the file there should be 1 extra line. Save the file with an extension of .pem, .cer, or .crt.

Download the CA ‘s certificate and copy it into the cms-a and cms-b using WinSCP.

Edit the certificate named 1cert created previously with nodepad.

Edit the CA’s certificate downloaded previously from the CA server with nodepad.

Past the 1cert certificate first and then past the CA’s certificate at the end, save the file with .cer extension. Name it fullchain.cer.

Below the Chain Certificate named fullchain.

Copy the three certificates with their private keys to cms-b using WinSCP.

Do the same for cms-a.

You use the pki list command to verify that the three certificates are present.

After a configuration (that is not shown in this blog).

The database on cms-a and cms-b is ready using the dbcert and dbclt certificates and verified by the CA (Bundle-CA certificate).

The callbridge on cms-a and cms-b is ready using the 1cert certificate and verified by the CA (Bundle-CA certificate).

The webadmin on cms-a and cms-b is ready using the 1cert certificate and verified by the CA (Bundle-CA certificate).

The webbridge3 on cms-a and cms-b is ready using the 1cert and the chain certificate fullchain and verified by the CA (Bundle-CA certificate).