This page explains the procedures for obtaining and installing the security certificates required for Extended UC functionality.
TLS with a CA-signed Certificate
The transport between OCS and VX is Mutual Transport Layer Security (MTLS): each side presents a certificate that the other side must be able to validate against a trusted root. To support this transport, VX requires the following:
- DNS-resolvable fully qualified domain name (FQDN)
- Signed certificate (for VX)
- Root certificate (the CA certificate that signed the VX certificate above)
Obtaining a CA-signed Certificate
Use the steps in this section to obtain a Certificate Authority (CA) signed certificate.
To Generate a Certificate Request
- Using your DNS management tool (such as dnsmgmt), add the VX fully qualified domain name to your DNS server.
- From the VX CLI, generate a certificate request with the generate certificate request SHA-1 2048 command, as shown below. The hash named in the command signs the request itself; the CA chooses the signature algorithm of the issued certificate (sha1RSA in the examples on this page). SHA-1 signatures are deprecated and many CAs no longer issue them, so prefer a SHA-256 option if your VX release and your CA support one.
UCdemo> en
Password: *******
UCdemo# generate certificate request SHA-1 2048
Enter the Common Name (Subject Name): vxgw2.vx.net
Enter your email address: email@example.com
Enter the Organization Name: NET
Enter Locality: Fremont
Enter the State: California
Enter the Country: US (country code must be 2 letters only)
Enter the Filename for the certificate request (default is request.cer)
Enter the Filename: request.cer
Generating a certificate request was successful.
The certificate request is saved automatically in the VX node's Certificates folder.
- Copy the certificate request from the VX node to your computer using VXbuilder Manage File function or FTP.
After you have generated a certificate request and copied the request file to your computer, you can now use the contents of the request to generate a certificate for your VX node.
To Generate a Certificate Using the Certificate Request
- On your computer, open the certificate request file you created in the previous procedure with a text editor, such as WordPad.
- In the text editor, select the entire contents of the file and copy them to the paste buffer.
- Open a web browser and navigate to the CA server's web enrollment page. For the reference (demo) system, this location is: https://demo4.vx.net/certsrv
Always log in with the administrator@domain account.
- On the CA server, click the Request Certificate link.
- Click the advanced certificate request link.
- In the Advanced Certificate Request page, click the option to submit a request using a Base 64 encoded CMC or PKCS #10 file.
- Paste the contents of the certificate request file into the CA server form.
- The enrollment form differs slightly between CA versions. If the form includes a Certificate Template field, select Web Server.
- Click the Submit button to request the certificate, and then do one of the following:
- With some request forms, the certificate is issued immediately. If so, skip to the download step in To Retrieve an Issued Certificate and save the certificate to a file.
- Other request forms require further processing. In that case the CA server displays a Certificate Pending message, noting that your request has been received and is pending.
If you are using a local Microsoft Certification Authority, you or your CA administrator must issue the pending request as described next. Otherwise, wait until the Certificate Authority processes and issues your certificate.
To Issue a Requested Certificate Using Microsoft Certificate Authority Management
- On the server running the Certificate Authority Services, navigate to the Administrative Tools page, and select Certification Authority.
- In the Pending Requests folder, right click the pending certificate and select All Tasks > Issue.
- Exit the Certification Authority application.
After requesting a certificate and waiting for the request to be processed, you must return to the certificate authority to download your completed certificate.
To Retrieve an Issued Certificate
- Use a web browser to connect to the CA server web interface.
- Click the link to view the status of a pending certificate request.
- Select the certificate request you want to view.
- Select the Base 64 encoded option and click the link to download the certificate.
You must use the Base 64 encoded option; a DER encoded certificate is not compatible with VX.
- Click the Save button to save the certificate to a file. The remaining procedures on this page assume the file is named certmy.cer.
Downloading the CA (Root) Certificate
The CA root certificate is the certificate that signed the VX (vxgw2.vx.net) certificate generated in the previous procedures. Use the steps in this section to download the CA (root) certificate.
The root certificate must be imported into the VX root certificate store, and into the trust store of every device that will perform TLS/MTLS with VX. It must be the same root certificate that signed the OCS certificate; if the two were issued from different roots, the mutual TLS handshake fails on the side that does not trust the other's root. If the issuing CA is itself subordinate to a root, download the chain rather than a single certificate so that every issuer up to the root is included.
- Using a web browser, navigate to the CA server and then select an option to Download a CA certificate.
- Select the Base 64 encoding option and then do one of the following:
- Click the link to download the CA certificate.
- Click the link to download a CA certificate chain.
If you are using a certificate chain rather than a single root certificate, then download the chain and then upload the saved .p7b file to the VX certificates directory. Follow the remainder of the instructions to install the root certificates. Remember to use the .p7b extension!
- Save the file to the filename: certroot.cer
Install the Certificates on a VX Node
At this point, you should have a certificate file for the VX node (certmy.cer) and either a CA root certificate file (certroot.cer) or a CA certificate chain file (*.p7b). The next step is to import the certificates on your VX node.
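Before uploading, it is worth confirming on the workstation that the two files are what VX expects: Base 64 encoding (the warning in the download step) and a VX certificate that actually chains to the root you downloaded (the requirement in the root-certificate section). The following shell script is an added example for this page, not part of the VX or Microsoft CA tooling. It uses openssl on the workstation and, so that it runs offline, first builds a throwaway CA named vxca and a VX certificate as a constructed stand-in for the enterprise CA and for the request generated above (same subject fields, same file names certmy.cer and certroot.cer). It then checks that certmy.cer is Base 64 encoded, chains to certroot.cer, carries the FQDN in its Common Name, includes Server Authentication, and has not expired; it also packages a root (plus any intermediates) as a .p7b and prints the SHA-1 thumbprint in the colon-free form the import cert command reports, so the imported certificate can be matched to the uploaded file. The FQDN vxgw2.vx.net, the temporary directory and the key-file names are assumptions for illustration.

```shell
# Added example for this page, not VX or Microsoft CA code. Assumes openssl
# on the workstation and the file names this page uses (certmy.cer,
# certroot.cer). The FQDN vxgw2.vx.net and all paths are illustrative.

# Build a throwaway CA ("vxca") and a VX certificate so the checks run offline.
# This stands in for the enterprise CA and for the VX CLI's
# 'generate certificate request' plus the CA web enrollment (Web Server template).
make_demo_pki() {
  dir=$1; fqdn=$2
  mkdir -p "$dir"
  # self-signed root, the file you would download as certroot.cer
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=vxca" -keyout "$dir/ca.key" -out "$dir/certroot.cer" 2>/dev/null
  # request with the same subject fields the VX CLI prompts for
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=California/L=Fremont/O=NET/CN=$fqdn" \
    -keyout "$dir/vx.key" -out "$dir/request.cer" 2>/dev/null
  # the Web Server template contributes the Server Authentication EKU
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" \
    > "$dir/ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$dir/request.cer" \
    -CA "$dir/certroot.cer" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -out "$dir/certmy.cer" 2>/dev/null
}

# Pre-flight for the files about to be uploaded to the VX Certificates
# directory. Returns 0 only if every check passes; prints the first failure.
check_vx_cert() {
  cert=$1; root=$2; fqdn=$3
  # 1. Base 64 (PEM) encoding: a DER download has no BEGIN line and VX rejects it
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "FAIL: $cert is not Base 64 encoded"; return 1; }
  # 2. The certificate must chain to the root that will go into the 'root' store
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $root"; return 1; }
  # 3. The Common Name must be the DNS-resolvable FQDN the request was made for
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] \
    || { echo "FAIL: CN '$cn' does not match '$fqdn'"; return 1; }
  # 4. Server Authentication usage, which the import output should later show
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: $cert lacks Server Authentication EKU"; return 1; }
  # 5. Not already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: $cert has expired"; return 1; }
  echo "OK: $cert"
}

# SHA-1 thumbprint without colons, the form 'import cert' prints, so the
# imported certificate can be matched to the file that was uploaded.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Package the root (and any intermediates given as further arguments) as a
# PEM PKCS #7 file, the .p7b form this page says to upload for a chain.
chain_to_p7b() {
  out=$1; shift
  args=""
  for c in "$@"; do args="$args -certfile $c"; done   # paths without spaces
  openssl crl2pkcs7 -nocrl $args -out "$out"
}

# Number of certificates inside a .p7b, to confirm the chain is complete.
p7b_cert_count() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# Demo run against the constructed files
demo=$(mktemp -d)
make_demo_pki "$demo" vxgw2.vx.net
check_vx_cert "$demo/certmy.cer" "$demo/certroot.cer" vxgw2.vx.net
echo "thumbprint $(thumbprint "$demo/certmy.cer")"
chain_to_p7b "$demo/chain.p7b" "$demo/certroot.cer"
echo "chain.p7b holds $(p7b_cert_count "$demo/chain.p7b") certificate(s)"
```

Run the same check_vx_cert call against the real certmy.cer and certroot.cer before copying them to the node. A failure at the Base 64 step means the certificate was downloaded DER encoded and must be downloaded again with the Base 64 option; a failure at the chain step means the root you downloaded is not the root that issued the VX certificate, which is the same mismatch that would later break the MTLS handshake with OCS.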
To Import Certificates on a VX Node
- Copy the certificate files to the VX Certificates directory (for example, D_PUBLIC\Certificates) using FTP.
- In the VX Command Line Interface (CLI), import the root certificate or the certificate chain using the import cert command, as shown below. If you are installing from a certificate chain, use the .p7b file. Import the root certificate or certificate chain before the VX certificate. Make a note of the store name so you can verify the import later. In the example below, the certificate store name is root.
UCdemo# import cert certroot.cer store root
Importing certificate:
  Certificate name          vxca
  Issuer name               vxca
  Signature algorithm       sha1RSA
  Validity period starts    1/18/2009 04:02:55
  Validity period ends      1/18/2014 04:12:53
  Certificate thumbprint    DEE7283DB6038EB092779ADF6ECE8EA74AD0CA60
  Certificate usages
Importing a certificate was successful.
WARNING: VX Reboot required to save the file.
- In the VX CLI, import the VX certificate using the import cert command, as shown below. Make a note of the store name so you can verify the import later. In the example below, the certificate store name is my.
UCdemo# import cert certmy.cer store my
Importing certificate:
  Certificate name          vxgw2.vx.net
  Issuer name               vxca
  Signature algorithm       sha1RSA
  Validity period starts    8/7/2009 02:54:02
  Validity period ends      8/7/2011 02:54:02
  Certificate thumbprint    A2FCAF40F074F55BBE98328C721010DF813A71E2
  Certificate usages        Server Authentication
Importing a certificate was successful.
WARNING: VX Reboot required to save the file.
- In the VX CLI, reboot the VX node using the reboot system now command to complete the import.
UCdemo# reboot system now
Are you sure you want to reboot [yes/no]: y
Rebooting system.
- After the reboot, in the VX CLI, verify that the certificates were imported successfully using the sho cert command with each store name, as shown below:
UCdemo> en
Password: *******
UCdemo# sho cert root
Issued To                      Issued By                      Type        Expiration
------------------------------ ------------------------------ ----------- ------------------
Microsoft Root Certificate Au  Microsoft Root Certificate Au  self-signed 5/9/2021 23:28:13
vxca                           vxca                           self-signed 8/31/2012 23:21:27
UCdemo# sho cert my
Issued To                      Issued By                      Type        Expiration
------------------------------ ------------------------------ ----------- ------------------
vxgw2.vx.net                   vxca                           CA-signed   9/6/2008 19:53:28
UCdemo#
Update VX Configuration for the New VX Certificates
The last step in this process is to update your VX node configuration to use the new certificates.
To Update a VX Node for New Certificates
- In VXbuilder, connect to your VX node and receive its Configuration Data.
- In the VXbuilder settings tree, click tree-root > General, then double click inside the right panel to open the General Settings dialog.
- In the Certificate section, Certificate Name field, enter the name of the new VX certificate (the certificate in the my store, not the root certificate).
- In VXbuilder, open the Trunk Group settings dialog for your OCS Trunk Group (tree-root > Telephony > Trunk Groups).
- In the OCS Trunk Group dialog, click the SIP tab and modify the following settings:
- In the Outbound Proxy field, enter the OCS Pool fully qualified domain name.
- Enable the Direct OCS Trunk option.
- In the SIP Transport section, select the Enable Mutual TLS and Reuse TLS Connection options.
- In the SIP Security section, enable the SIP URI in TLS option.
- In the ICE section, select the Enable ICE option.
- Restart VX for configuration changes to take effect.