McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 58

↗ View in doc context
page
58
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::45

When you install Cisco Unified Communications Manager, you must enter information for the security certificate, including the country. This information is used to create the Certificate Signing Request. After you complete the installation, you cannot change the country using the set web-security command; ensure that you enter a valid country code during the installation. Note Unified Communications Manager supports only PEM (.pem) and DER (.der) formatted certificates. The maximum size of certificate supported for DER or PEM is 4096 bits. Note Unified Communications Manager does not support certificates with wildcard entry. For example, "*.cisco.com". Note If there is an expired certificate in any of the Unified Communications Manager trust store, these certificates will not be imported during upgrade to release 12.5(1)SU6 and 14SU2 or higher. Note When you upload two certificates, make sure that they have the same name and validity period but different serial numbers and signature algorithms. For Example, Root CA with 27:20:41:0c:5b:08:69:80:42:62:4f:13:bd:16:06:6aserial number and SHA-1 algorithm exists in Unified Communications Manager tomcat-trust. When you attempt to upload the certificate with 7b:35:33:71:0b:7c:08:b2:47:b3:aa:f9:5c:0d:ca:e4 serial number and SHA-256 algorithm, the certificate management: • Verifies the incoming certificate validity. • Searches the certificate with the same name in the Tomcat trust folder. • Compares the serial number of the certificate existing in the Tomcat trust folder and the incoming certificate that you're uploading. If the serial numbers are different, it verifies the validity start date of both the certificates. If the start timestamp of the new incoming certificate is the latest, then it replaces the existing certificate else it's not uploaded. Both SHA-1 and SHA-256 algorithms have the same subject name or common name, which implies that they belong to the same entity. The Unified Communications Manager framework doesn't support both these algorithms on the Unified Communications Manager server simultaneously. It supports only one certificate that belongs to any entity in a particular trust folder, irrespective of the signature algorithm. Certificate Types This section provides an overview of the different types of certificates and certificate signing request key usage extensions. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 40 Basic System Security Certificate Types