Installing CA Signed Certs on CUCM

Just a quick overview of the process for installing CA-signed certs on CUCM. Certs can be signed by a public CA, which means they will be trusted by most modern browsers and applications out of the box. Certs can also be signed by an internal enterprise CA; in that case, however, the server certificates will only be trusted by devices to which the enterprise root certificate has already been distributed as a trusted root certificate.

NOTE: if you are installing certs for secure voice, you will first need to start the CAPF service.

You will first generate a certificate signing request on CUCM under the Unified Operating System Administration interface. Click Security >> Certificate Management.

Click Generate CSR and generate a certificate signing request for either Tomcat or Call Manager. Tomcat certs are used for http/https access as well as Jabber access. Call Manager certs are used for functionality relating to device registration and secure voice. Generate the CSR, then download it and submit it to the CA for signing.

Once you have the signed cert back from the CA, you will upload the signed server certificate, as well as the CA's trusted root certificate, to Communications Manager. The certs are uploaded as follows:

If you are installing a trusted certificate for secure http access or Jabber access, install the certificates as noted below:

Trusted root certificate: Tomcat-trust
Signed server certificate: Tomcat

After the certificates are installed, restart the Cisco Tomcat service on each node from the command line using the command 'utils service restart Cisco Tomcat'. A few minutes after Tomcat has restarted, you should be able to access CCMADMIN or log in to Jabber without being prompted to accept an untrusted certificate.

If you are installing a trusted certificate for secure voice, install the certificates as noted below:

Trusted root certificate: CallManager-Trust
Signed server certificate: CallManager

After the certificates are installed, you will need to restart the following services:
Cisco TFTP
Cisco Call Manager
Cisco CTI
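A common failure in the upload step above is uploading a server cert that does not actually chain to the root placed in the -trust store, or one whose subject does not cover the node's FQDN; CUCM accepts the upload, but browsers, phones or Jabber still complain afterwards. The script below is an added example, not from the original post or from Cisco, showing the checks to run with openssl on a workstation before uploading. It assumes the file names root.pem (what goes into Tomcat-trust / CallManager-Trust) and server.pem (what goes into Tomcat / CallManager); the FQDN and all keys and certs it uses are constructed sample data generated in a temp directory, so it runs offline. It also defines (but does not run) a post-restart check using openssl s_client against the Tomcat port, which needs a real node.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a CA-signed certificate
# with openssl before uploading it to CUCM. Assumed file names: root.pem is the
# CA root certificate (Tomcat-trust / CallManager-Trust) and server.pem is the
# signed server certificate (Tomcat / CallManager). The CUCM FQDN and all
# keys/certs below are constructed sample data created in a temp dir.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CUCM_FQDN="cucm-pub.example.internal"   # placeholder hostname, not a real server

# chain_ok ROOT CERT: 0 if CERT verifies against ROOT, 1 otherwise
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok CERT FQDN: 0 if the cert's SAN (or CN) covers FQDN.
# 'openssl x509 -checkhost' exits 0 either way and prints
# "does match" / "does NOT match", so the text is inspected.
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# days_left_ok CERT DAYS: 0 if the cert is still valid DAYS days from now
days_left_ok() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# precheck ROOT CERT FQDN: run all three checks, print one line per check,
# return 0 only if every check passed
precheck() {
    rc=0
    if chain_ok "$1" "$2"; then echo "chain:    OK"
    else echo "chain:    FAIL (wrong root, or an issuing intermediate is missing)"; rc=1; fi
    if host_ok "$2" "$3"; then echo "hostname: OK ($3)"
    else echo "hostname: FAIL (SAN/CN does not cover $3)"; rc=1; fi
    if days_left_ok "$2" 30; then echo "validity: OK (more than 30 days left)"
    else echo "validity: FAIL (expired or expiring within 30 days)"; rc=1; fi
    return $rc
}

# post_restart_ok FQDN PORT ROOT: after 'utils service restart Cisco Tomcat',
# confirm the node now presents a chain that validates against ROOT
# (port 8443 for Tomcat). Not run here: it needs network access to a real node.
post_restart_ok() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -q "Verify return code: 0 (ok)"
}

# ---- Constructed sample data ---------------------------------------------
# An "enterprise root CA": self-signed, CA:TRUE so openssl verify accepts it as issuer
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Example Enterprise Root CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca_ext.cnf"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/root.pem" >/dev/null 2>&1

# A CSR for the node (on a real system this comes from Certificate Management,
# not openssl) and the cert the CA returns for it, with a SAN for the FQDN
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=$CUCM_FQDN" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$CUCM_FQDN" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1

# A cert that must be rejected: self-signed (not issued by the root) and for another host
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -keyout "$WORK/bad.key" \
    -out "$WORK/bad.pem" -subj "/CN=other-host.example.internal" >/dev/null 2>&1

echo "== good cert =="; precheck "$WORK/root.pem" "$WORK/server.pem" "$CUCM_FQDN"
echo "== wrong cert =="; precheck "$WORK/root.pem" "$WORK/bad.pem" "$CUCM_FQDN" || true
```

In practice you would drop the sample-data section, point precheck at the files the CA actually returned, and only upload when it prints OK on all three lines. If the CA issues through an intermediate, openssl verify against the root alone fails the chain check; that is the cue that the intermediate certificate also has to go into the matching -trust store.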