Procedure

Step 1 From Cisco Unified OS Administration, choose Security > Certificate Management.
Step 2 Click Upload Certificate/Certificate Chain.
Step 3 In the Upload Certificate/Certificate Chain popup window, choose CallManager-trust from the Certificate Purpose drop-down list and browse to the certificate authority-signed CAPF root certificate.
Step 4 Click Upload after the certificate appears in the Upload File field.

Update the CTL File

Use this procedure to update the CTL file via a CLI command. If mixed mode is enabled, you must update the CTL file whenever you upload a new certificate.

Procedure

Step 1 From the Unified Communications Manager publisher node, log in to the Command Line Interface.
Step 2 Run the utils ctl update CTLFile command. When the CTL file regenerates, the file gets uploaded to the TFTP server and sent to phones automatically.

Interactions and Restrictions

• SIP devices that do not support TLS_ECDHE_ECDSA_WITH_AES256_SHA384 and TLS_ECDHE_ECDSA_WITH_AES128_SHA256 can still connect with TLS_ECDHE_RSA_WITH_AES_256_SHA384, TLS_ECDHE_RSA_WITH_AES_128_SHA256, or AES128_SHA. These options depend on the TLS cipher option that you choose. If you choose the ECDSA only option, a device that does not support the ECDSA ciphers will not be able to make a TLS connection to the SIP interface. When you choose the ECDSA only option, the values of this parameter are TLS_ECDHE_ECDSA_WITH_AES128_SHA256 and TLS_ECDHE_ECDSA_WITH_AES256_SHA384.
• CTI Manager Secure clients do not support TLS_ECDHE_RSA_WITH_AES_128_SHA256, TLS_ECDHE_RSA_WITH_AES_256_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_SHA256, and TLS_ECDHE_ECDSA_WITH_AES_256_SHA384. However, they can connect with AES128_SHA.
• Unified Communications Manager does not support uploading multiple certificates with the same SubjectDN to the same trust store. For the server to differentiate between new and existing certificates, we recommend that you use a new CN with a different name or add a suffix to it, for example, SubjectDN-issue-CA-G2 or SubjectDN-issue-CA-2023. A hash link would be created for the same.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs (Basic System Security)
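A pre-upload check for the SubjectDN restriction above, as an added example that is not part of the Cisco guide: it compares a candidate certificate's subject with PEM certificates that were downloaded from the trust store into a local directory. The function names and the directory layout are assumptions, and the comparison uses OpenSSL's subject hash, which may differ from how Unified Communications Manager builds its hash link.

```shell
#!/bin/sh
# Added example: detect a SubjectDN collision before uploading to a trust store.
# Assumptions (not from the guide): the existing trust certificates were
# downloaded as PEM files into a local directory, and openssl is installed.

# Print the subject DN of a PEM certificate in RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print OpenSSL's canonical subject-name hash. Case and whitespace
# differences in the DN do not change it.
cert_subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# find_subject_collisions CANDIDATE.pem TRUST_DIR
# Prints every certificate in TRUST_DIR whose subject matches the candidate's.
# Returns 1 if at least one collision was found, 2 on bad input, else 0.
find_subject_collisions() {
    candidate=$1
    trust_dir=$2
    want=$(cert_subject_hash "$candidate") || return 2
    found=0
    for f in "$trust_dir"/*.pem; do
        [ -f "$f" ] || continue                       # empty directory: glob did not match
        have=$(cert_subject_hash "$f" 2>/dev/null) || continue   # skip files that are not certificates
        if [ "$have" = "$want" ]; then
            echo "COLLISION: $f ($(cert_subject "$f"))"
            found=1
        fi
    done
    return "$found"
}
```

A nonzero return means the candidate should be reissued with a distinct CN, as recommended above, before it is uploaded.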