Jabber and Public CA-signed Certificates (Part 3 of 3)

Posted by Dishko Hristov on Nov 16, 2017 12:19:30 PM

In this third article, we will expand upon what we learned in part 1 and part 2 regarding Jabber and how to renew your CA-signed certificates. In this final article, we will examine the certification process within Cisco Expressway.

It is important to note that for the Jabber Mobile and Remote Access (MRA) feature, as well as for Business to Business (B2B) calls, it is mandatory to have a CA-signed certificate on the Expressway-Edge node. On the other hand, there is no such requirement for Expressway-Core. However, Stack8 recommends using a CA-signed certificate on both Expressway servers.

Another requirement is to cross-upload all Root and Intermediate certificates on both nodes so that the Secure Traversal Zone is active and communication between the two Expressway nodes works.

Every time you renew your certificates, do not forget to verify whether the Root or any of the Intermediate certificates has changed, and upload all new chain certificates in the Trusted Certificates section of the server.

 


Cisco Expressway-C

Generate CSR:

Navigate to Maintenance > Security Certificates > Server Certificate > Generate CSR

In the Additional alternative names section, you don’t need to add anything; fill in the rest of the fields.

Generate CSR when done.

  • Download the output file and submit it to your Certificate Authority for signing.

Install Certificate:

  • Navigate to Maintenance > Security Certificates > Server Certificate > Upload new certificate 
  • Provide the certificate file and click on Upload server certificate data

NOTE: Immediately after the upload, the web service will restart, which will cause all communication to drop.

If you receive an error, you may need to upload the Root CA and Root chain first. The Root CA and the chain are already installed for the current certificate but could change at renewal time.

If the Root chain must be uploaded, navigate to Maintenance > Security Certificates > Trusted CA certificate

Provide the certificate file and click on Append CA certificate

 


Cisco Expressway-E

Generate CSR:

Navigate to Maintenance > Security Certificates > Server Certificate > Generate CSR

In the Additional alternative names section, add all domains that are used by Jabber (external and internal). You also have to add the common cluster name of the Expressway nodes if you have a cluster deployment, or if you think you may deploy an Expressway cluster in the future.

Also, make sure you add the names of the Phone Security Profiles in Cisco Unified CM that are configured for encrypted TLS and are used for devices requiring remote access (applies only to CUCM in Mixed mode).

Generate CSR when done.

  • Download the output file and submit it to your Certificate Authority for signing.

Install Certificate:

  • Navigate to Maintenance > Security Certificates > Server Certificate > Upload new certificate
  • Provide the certificate file and click on Upload server certificate data

NOTE: Immediately after the upload, the web service will restart, which will cause all communication to drop.

If you receive an error, you may need to upload the Root CA and Root chain first. The Root CA and the chain are already installed for the current certificate but could change at renewal time.

If the Root chain must be uploaded, navigate to Maintenance > Security Certificates > Trusted CA certificate

Provide the certificate file and click on Append CA certificate
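
A pre-upload check for the renewed certificate, as an added example that is not part of the original article: it confirms that the signed certificate chains to the CA bundle you intend to append under Trusted CA certificate, and lists any required names missing from its Subject Alternative Names. It assumes the `openssl` command-line tool is installed; the host names, file names and the throwaway test PKI are constructed for the demonstration.

```sh
# Added example: checks to run on a signed certificate before uploading it.

# chain_ok CA_BUNDLE CERT -> exit status 0 only if CERT chains to a root in
# CA_BUNDLE (the PEM file you would append under Trusted CA certificate).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# missing_sans CERT NAME... -> prints each required DNS name that is absent
# from the certificate's SANs (exact, case-insensitive match; no wildcards).
missing_sans() {
  cert=$1; shift
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2)
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qixF -- "$name" || printf '%s\n' "$name"
  done
}

# build_demo DIR -> constructed test PKI: two unrelated roots, one server cert
build_demo() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
  for r in old new; do
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed $r root" -keyout "$d/$r.key" -out "$d/$r-root.pem" 2>/dev/null
  done
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=expe.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:expe.example.test,DNS:example.test\n' >"$d/san.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/new-root.pem" -CAkey "$d/new.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/srv.pem" 2>/dev/null
}

# Demo: the CA switched roots at renewal, and one required name was left out.
demo_dir=$(mktemp -d)
build_demo "$demo_dir"
chain_ok "$demo_dir/old-root.pem" "$demo_dir/srv.pem" || echo "old trust store: chain fails, append the new root first"
chain_ok "$demo_dir/new-root.pem" "$demo_dir/srv.pem" && echo "new trust store: chain OK"
echo "missing SANs: $(missing_sans "$demo_dir/srv.pem" expe.example.test example.test cluster.example.test)"
```

With real files, pass the Root and Intermediate certificates concatenated into one PEM file as the first argument of `chain_ok`, and the names you entered in the Additional alternative names section to `missing_sans`.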



Secure Traversal Test

Once you have uploaded the newly signed certificates, as well as the Root and Intermediate certificates, to the Trusted CA certificate store, you should run a small test:

On Expressway-C, navigate to Maintenance > Security certificates > Secure traversal test

In the first field, enter the FQDN of an Expressway-E to test the secure traversal connection to it. The FQDN should be exactly as you would enter it in the secure traversal zone's peer list.

In the second field, enter the TLS verify name of the Expressway-C to test the secure traversal connection from it. The name should be exactly as you would enter it in the Expressway-E's traversal zone TLS verify subject name field.

The result returned after the test should be ‘Success’!


If you are interested in learning more about Cisco Jabber or require assistance within your organization, please contact our Professional Services Team. 
