Cisco Meeting Server Certificate Requirements Demystified

I noticed that the certificate requirements part of a Cisco Meeting Server implementation is not covered in enough detail in much of the documentation and many videos. Understanding these certificate requirements is mandatory to set up the Cisco Meeting Server and configure services such as webadmin, webbridge and callbridge. In this article I explain in as much detail as possible how to prepare the certificates, how to deal with certificate fields such as the Common Name and Subject Alternative Name, how to build the chain certificate, and how to enable the CMS services.
See below an explanation that you will not find elsewhere.

Network Setting Configuration of Cisco Meeting Server

Log in to HQ-CMS with the default user admin and the password admin. After you log in, it asks you to change the password.

Change the hostname.

acano>hostname hq-cms

After this command, the CMS will ask you to reboot in order to activate the new hostname. You can reboot the CMS with the reboot command.



Configure a static IP address and a gateway. In this command, a is the name of the interface.

hq-cms>ipv4 a add

You need DNS and NTP servers for CMS to work properly. We assume that they are already up and running.

hq-cms>ntp server add

hq-cms>dns add forwardzone

Certificate Preparation for Cisco Meeting Server

Certificate configuration is required for the Call Bridge, XMPP, Web Bridge and Web Admin services. Certificates should be signed by internal or external certificate authorities.

To generate a Certificate Signing Request (CSR) and private key locally, use the following command. I give the CSR the name cmscert.

hq-cms>pki csr cmscert OU:CCNP O:Collaboration L:Hydra ST:Algiers C:AL,,,,,,*.lab.local,

To retrieve the CSR, log in to HQ-CMS using WinSCP.

Access the CA server

Start the Certification Authority console, select Certificate Template. Right-click the Certificate Template and select Manage.

Duplicate the Web Server template and configure the duplicate template to allow server and client authentication.

Configure the Template Name and Template display name of the duplicate template to CMS and Cisco Meeting Server respectively.

On the Certificate Console, issue a new certificate template named CMS.

Access the CA server GUI using the url

Click Request a certificate and then click advanced request certificate.

Open the CSR in Notepad and paste the content. In the Certificate Template, select Cisco Meeting Server.

Select Base 64 Encoded and click Download certificate.

Below is the certificate named cmscert after submitting the CSR to the CA.

A chain certificate is required to trust the cmscert certificate when you enable webadmin and callbridge.

A chain certificate is a single file (with an extension of .pem, .cer or .crt) holding a copy of the Root CA’s certificate and all intermediate certificates in the chain.

To create a chain certificate, you need the Root CA or the CA’s certificate and a Subordinate CA’s certificate with the Common Name :

To get a Subordinate CA’s certificate, we need to generate a CSR.

You can use openssl tool to generate a CSR with Common Name :

If you did not install openssl, you can generate the CSR on Cisco Meeting Server.

Access the HQ-CMS GUI using the url

From the CLI, type the following command, the name of the CSR is adcert and the Common Name is

hq-cms>pki csr adcert OU:CCNP O:Collaboration L:Hydra ST:Algiers C:AL

Retrieve the CSR named adcert: access HQ-CMS using WinSCP, then copy the adcert CSR to your PC.

Access the CA server GUI using the url

Click Request a certificate and then click advanced request certificate.

Open the CSR in Notepad and paste the content. In the Certificate Template, select Subordinate Certification Authority.

Select Base 64 Encoded and click Download certificate.

Below is the certificate named adcert after submitting the CSR to the CA.

Access the CA server GUI using the url

Click Download a CA certificate, certificate chain, or CRL.

Select Base 64, then click Download CA certificate, name it Root-CA.

Below is the CA’s certificate.

Now that the CA’s certificate and the Subordinate CA’s certificate with the Common Name : are ready, we can create a chain certificate.

To create a chain certificate, use a plain text editor such as Notepad. All of the characters, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, need to be inserted into the document. There should be no space between the certificates, for example no spaces or extra lines between -----END CERTIFICATE----- of certificate 1 and -----BEGIN CERTIFICATE----- of certificate 2. Certificate 1 will end with -----END CERTIFICATE----- and the very next line will have -----BEGIN CERTIFICATE----- for certificate 2. At the end of the file there should be 1 extra line. Save the file with an extension of .pem, .cer, or .crt.

Open the certificate named adcert created previously with Notepad.

Open the Root-CA certificate with Notepad.

Paste the adcert certificate first and then paste the Root-CA certificate at the end, and save the file with the .cer extension. Name it CA-Chain.cer.

Below is the chain certificate named CA-Chain.

A chain certificate is also required for Webbridge3 in version 3.

Open the certificate named cmscert created previously with Notepad.

Open the CA-Chain certificate created previously with Notepad.

Paste the cmscert certificate first and then paste the CA-Chain certificate at the end, and save the file with the .cer extension. Name it CMS-Chain.cer.

Below is the chain certificate named CMS-Chain.
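
The two chain files described above (CA-Chain.cer from adcert plus Root-CA, and CMS-Chain.cer from cmscert plus CA-Chain) can also be assembled and checked by script rather than by hand in Notepad. This is an added example, not part of the original article or of Cisco's tooling: the function names are hypothetical, the sample certificates are constructed placeholders, and "1 extra line" is assumed to mean a single trailing newline.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(BEGIN + r"\s*(.+?)\s*" + END, re.DOTALL)

def extract_certs(text):
    """Return every certificate in text as a cleanly formatted PEM block."""
    blocks = []
    for match in PEM_RE.finditer(text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)  # raises on non-base64 data
        if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("PEM block does not contain DER data")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]))
    return blocks

def build_chain(*pem_texts):
    """Join certificates in the order given, e.g. adcert first, then Root-CA."""
    certs = [c for text in pem_texts for c in extract_certs(text)]
    if not certs:
        raise ValueError("no certificates found")
    return "\n".join(certs) + "\n"  # no gaps, exactly one trailing newline

def lint_chain(text):
    """Report the formatting mistakes a hand-edited chain file can contain."""
    text = text.replace("\r\n", "\n")
    problems = []
    if "\u2014" in text or "\u2013" in text:
        problems.append("typographic dashes in BEGIN/END tags")
    count = text.count(BEGIN)
    if count == 0 or count != text.count(END):
        problems.append("missing or unbalanced BEGIN/END tags")
    if count > 1 and text.count(END + "\n" + BEGIN) != count - 1:
        problems.append("space or blank line between certificates")
    if not text.endswith(END + "\n"):
        problems.append("file does not end with a single newline")
    return problems

def placeholder_pem(n):  # constructed stand-in: tiny DER value, not a real cert
    body = base64.b64encode(b"\x30\x03\x02\x01" + bytes([n])).decode()
    return "\r\n".join([BEGIN, body, END, ""])  # CRLF, as Notepad saves it

if __name__ == "__main__":
    adcert, root_ca = placeholder_pem(1), placeholder_pem(2)
    print(lint_chain(adcert + "\r\n" + root_ca))  # pasted with a blank line
    print(lint_chain(build_chain(adcert, root_ca)))  # normalized CA-Chain
```

The script only checks file layout and ordering as given; it does not verify signatures or that each certificate was actually issued by the next one in the file.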

Copy the three certificates cmscert, CA-Chain and CMS-Chain to hq-cms using WinSCP.

You can use the pki list command to verify that the three certificates are present.

Enabling the Web Admin Service

By default, Web Admin listens on HTTPS port 443. However, we will enable the Web Bridge for conference users, and this service will be available on the default HTTPS port 443. To enable both services to co-exist, we will configure Web Admin to listen on port 445.

On CMS-A, specify the interface and HTTPS port 445 for the web interface.

hq-cms>webadmin listen a 445

For the certificate to be used, specify the certificate cmscert created previously with the relevant key.

hq-cms>webadmin certs cmscert.key cmscert.cer CA-Chain.cer

Route HTTP requests to HTTPS

hq-cms>webadmin http-redirect enable

Finally activate the web admin service.

Verify that the webadmin service is running using the webadmin command.

License Activation using Cisco Meeting Management

Access the Cisco Meeting Management GUI hq-cmm.

In the Settings at the right, go to License, click Change and select Smart Licensing option.

Click Save.

Add a CallBridge to CMM

Click Servers to add a Callbridge to CMM. Click Add Call Bridge.

Add the following information:

a. Server Address:

b. Port: 445

c. Username: admin

d. Password: (password of CMS)

e. Display name: hq-cms

Check the Use Trusted Certificate Chain boxes. Upload the chain certificate CA-Chain created previously.

Navigate to License at the right, and click the Start Trial button at the left. Make sure the CMM has internet connectivity to register for Trial Mode.

Callbridge Configuration

Configure callbridge on HQ-CMS to listen on the interface a.

hq-cms>callbridge listen a

Specify the certificate cmscert created previously with the relevant key.

hq-cms>callbridge certs cmscert.key cmscert.cer CA-Chain.cer

Restart the callbridge

hq-cms>callbridge restart

Verify the callbridge on both HQ-CMS.

Webbridge 3 Configuration

From the HQ-CMS CLI, enter the following commands.

On both HQ-CMS, verify the webbridge3 configuration.

Published by:

Redouane MEDDANE

Redouane MEDDANE is Cisco Instructor CCSI #35458, 3xCCNP Collaboration, Security and Enterprise, and he is a published author of some of the most important OSPF Protocol, Security and Collaboration books in the world, titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy, especially the OSPF Demystified With RFC book, which is considered the best OSPF book in the world and was named "One of the best OSPF ebooks of all time" by BookAuthority. It gives you a hint at the ability to explain complex topics with remarkable ease. He worked as a Cisco Instructor and consultant in different Cisco Learning Partners and was twice awarded the Cisco Distinguished Instructor Award and Cisco Security Instructor Excellence Award, in 2018 and 2019, and the Cisco Collaboration Instructor Excellence Award in 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSIs who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologies, and the Instructor Excellence Award recognizes the top 25% of elite CCSIs being recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.


One thought on “Cisco Meeting Server Certificate Requirements Demystified”

  1. To create any certificate bundles you can use a CMD command such as: copy cert1.cer + cert2.cer cert1cert2.cer )))

