This page explains the procedures for obtaining and installing the security certificates required for Extended UC functionality.
TLS with a CA-signed Certificate
The transport between OCS and VX is Mutual Transport Layer Security (MTLS). In order to support this transport protocol, VX requires the following:
- DNS-resolvable fully qualified domain name (FQDN)
- Signed certificate (for VX)
- Root certificate (the certificate that signed the above certificate)
Obtaining a CA-signed Certificate
Use the steps in this section to obtain a Certificate Authority (CA) signed certificate.
To Generate a Certificate Request
- Using your DNS management tool (such as dnsmgmt), add the VX fully qualified domain name to your DNS server.
- From the VX CLI, generate a certificate request using the generate certificate request SHA-1 2048 command as shown below:
The certificate request is automatically saved in the VX node Certificates folder, for example:
- Copy the certificate request from the VX node to your computer using the VXbuilder Manage File function or FTP.
After you have generated a certificate request and copied the request file to your computer, you can now use the contents of the request to generate a certificate for your VX node.
To Generate a Certificate Using the Certificate Request
- On your computer, open the certificate request file you created in the previous procedure with a text editor, such as WordPad.
- In the text editor, select the entire contents of the file and copy them to the paste buffer.
- Open a web browser and navigate to the CA server. In the case of the reference (demo) system, this location is: https://demo4.vx.net/certsrv
Always use the administrator@domain login.
- On the CA server, click the Request Certificate link.
- Click the advanced certificate request link.
- In the Advanced Certificate Request page, click the option to submit your request using a base 64-encoded CMC or PKCS.
- Paste the contents of the certificate request file into the CA server form.
There are two slightly different types of certificate enrollment forms, as shown below.
- If your form looks like this one, select Web Server in the Template field.
- Click the Submit button to request the certificate, and then do one of the following:
- With some request forms, the certificate may be issued automatically. If so, skip to Download the certificate and follow the steps to save it to a file.
- Other request forms require further processing, in which case the CA server displays a Certificate Pending message, noting that your certificate request has been received and is pending.
If you are using a local Microsoft Certification Authority for your certificate, you or your CA administrator must follow these steps in order to fulfill the certificate request. Otherwise you must wait until the Certificate Authority processes and issues your certificate.
To Issue a Requested Certificate Using Microsoft Certificate Authority Management
- On the server running the Certificate Authority Services, navigate to the Administrative Tools page, and select Certification Authority.
- In the Pending Requests folder, right click the pending certificate and select All Tasks > Issue.
- Exit the Certification Authority application.
After requesting a certificate and waiting for the request to be processed, you must return to the certificate authority to download your completed certificate.
To Retrieve an Issued Certificate
- Use a web browser to connect to the CA server web interface.
- Select the link to view the status of the pending certificate.
- Select the certificate request you want to view.
- Select the Base 64 encoded option and click the link to download the certificate.
You must use the Base 64 encoded option; otherwise the certificate will not be compatible with VX.
- Click the Save button to save the certificate to a file. Use a file name that ends with
Downloading the CA (Root) Certificate
The CA root certificate is the certificate that signed the VX (vxgw.vx.net) certificate generated in the previous procedures. Use the steps in this section to download the CA (root) certificate.
The certificate must be imported to the VX root certificate store, as well as to any device that will perform TLS/MTLS with VX. This certificate must be the same root certificate that signed the OCS certificate.
- Using a web browser, navigate to the CA server and then select the option to Download a CA certificate.
- Select the Base 64 encoding option and then do one of the following:
- Click the link to download the CA certificate.
- Click the link to download a CA certificate chain.
If you are using a certificate chain rather than a single root certificate, download the chain and then upload the saved .p7b file to the VX certificates directory. Follow the remainder of the instructions to install the root certificates. Remember to use the .p7b extension!
- Save the file to the filename: certroot.cer
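Before the files are copied to the VX node, it is worth confirming on the workstation that they are what the procedures above require: both files are Base 64 (PEM) encoded, certmy.cer is issued for the VX FQDN that was added to DNS, it chains to certroot.cer (or to the .p7b chain), and, when an OCS root certificate is supplied as an optional fourth argument, the same root is behind the OCS certificate. The POSIX shell script below is an added example written for this page, not part of the VX product or its documentation; it assumes the openssl command-line tool is installed on the workstation. The file names certmy.cer and certroot.cer and the FQDN vxgw.vx.net are taken from this page; the script name check_vx_certs.sh and the function names are my own.

```shell
#!/bin/sh
# check_vx_certs.sh: workstation-side sanity checks before copying
# certmy.cer and certroot.cer (or a .p7b chain) to the VX Certificates
# directory. Added example, not part of VX or its documentation; assumes
# the openssl command-line tool is installed.

# VX only accepts Base 64 (PEM) files: a DER download has no PEM header.
is_base64_pem() {
    grep -q -- '-----BEGIN ' "$1"
}

# Turn the trust anchor into a PEM bundle: certroot.cer is used as-is,
# a Base 64 .p7b chain is unpacked with openssl pkcs7.
trust_bundle() {
    case "$1" in
        *.p7b) openssl pkcs7 -print_certs -in "$1" ;;
        *)     cat "$1" ;;
    esac
}

# Names a certificate is issued for: subject CN plus any DNS SAN entries.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# check_vx_certs CERTMY ROOT_OR_P7B FQDN [OCS_ROOT]
# Returns 0 when every check passes, 1 with a reason on the first failure.
check_vx_certs() {
    cert=$1; root=$2; fqdn=$3; ocs_root=$4
    for f in "$cert" "$root" ${ocs_root:+"$ocs_root"}; do
        if ! is_base64_pem "$f"; then
            echo "FAIL: $f is not Base 64 encoded; download it again with the Base 64 option"
            return 1
        fi
    done
    bundle=$(mktemp)
    trust_bundle "$root" > "$bundle"
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root"
        rm -f "$bundle"; return 1
    fi
    if ! cert_names "$cert" | grep -qx "$fqdn"; then
        echo "FAIL: $cert is not issued for $fqdn (check the CSR subject and the DNS entry)"
        rm -f "$bundle"; return 1
    fi
    # The root that signed the OCS certificate must also be the one behind
    # the VX certificate: verify the VX chain against the OCS root alone.
    if [ -n "$ocs_root" ] && \
       ! openssl verify -CAfile "$ocs_root" -untrusted "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to the root that signed the OCS certificate"
        rm -f "$bundle"; return 1
    fi
    rm -f "$bundle"
    echo "OK: $cert is Base 64, issued for $fqdn and chains to $root"
    return 0
}

# Usage: sh check_vx_certs.sh certmy.cer certroot.cer vxgw.vx.net [ocs-root.cer]
if [ $# -ge 3 ]; then
    check_vx_certs "$@"
fi
```

A DER file that was downloaded with the wrong encoding option fails the first check with an instruction to re-download rather than a cryptic import error on the node, and a certificate requested under a CN that does not match the DNS entry is caught before the reboot in the import procedure.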
Install the Certificates on a VX Node
At this point, you should have a security certificate file for the VX node (certmy.cer) and either a CA root certificate (certroot.cer) file or a CA certificate chain (*.p7b) file. The next step is to import the certificates on your VX node.
To Import Certificates on a VX Node
- Copy the certificate files to the VX Certificate directory (for example: D_PUBLIC\Certificates) using FTP.
- In the VX Command Line Interface (CLI), import either the root certificate or the certificate chain using the import cert command as shown below. If you are installing from a certificate chain, use the .p7b file.
Import the root certificate or certificate chain before the VX certificate.
Make a note of the store name so you can verify the import process. In the example below, the certificate store name is "root".
- In the VX CLI, import the VX certificate using the import cert command as shown below.
Make a note of the store name so you can verify the import process. In the example below, the certificate store name is "my".
- In the VX CLI, reboot the VX node using the reboot system now command to complete the configuration.
- In the VX CLI, verify that the certificates were imported successfully using the sho cert command, as shown below:
Update VX Configuration for the New VX Certificates
The last step in this process is to update your VX node configuration to use the new certificates.
To Update a VX Node for New Certificates
- In VXbuilder, connect to your VX node and receive its Configuration Data.
- In the VXbuilder settings tree, click tree-root > General, then double click inside the right panel to open the General Settings dialog.
- In the Certificate section, Certificate Name field enter the name of the new VX certificate (not the root certificate).
- In VXbuilder, open the Trunk Group settings dialog for your OCS Trunk Group (tree-root > Telephony > Trunk Groups).
- In the OCS Trunk Group dialog, click the SIP tab and modify the following settings:
- In the Outbound Proxy field, enter the OCS Pool fully qualified domain name.
- Enable the Direct OCS Trunk option.
- In the SIP Transport section, select the Enable Mutual TLS and Reuse TLS Connection options.
- In the SIP Security section, enable the SIP URI in TLS option.
- In the ICE section, select the Enable ICE option.
- Restart VX for configuration changes to take effect.