CCNP Collaboration 2020 Self Study Kit - Deploying Certificates for Cisco Collaboration

Captions
Hi, my name is Faisal Khan, Cisco Collaboration instructor at VoiceBootcamp. In this video we're going to discuss using certificates. Certificates are one of the most important things going forward in your collaboration deployment. Cisco Unified Communications Manager uses certificates, that is, public key infrastructure or PKI, in order to validate server and client identity: a client presents a certificate to Unified Communications Manager in order to verify its identity. When another system, for example a phone or a media server, tries to communicate with Unified Communications Manager, Unified Communications Manager will not trust the other system and will deny access unless it has a matching certificate in the appropriate trust store. So if you try to connect to me, I'm going to make sure I have a matching certificate that I can trust for the certificate you present to me.

A certificate file is a file that contains the certificate holder's name, the public key, and the digital signature of the certificate authority, known as the CA, that issued the certificate. A certificate proves the identity of the owner of the certificate. For Cisco Unified CM to be able to process encrypted communication, you have to enable mixed mode. Mixed mode is simply where CUCM is able to process encrypted and unencrypted signaling, so mixed mode means CUCM can handle both types of traffic, encrypted and unencrypted. By default mixed mode is disabled; when you go to the enterprise parameters you will see the Cluster Security Mode set to 0, which is an indication that mixed mode is disabled. Starting with CUCM version 10.04 it is enabled by default; prior to version 10 you were required to use two hardware keys. From the enterprise parameters shown on the next slide you will see that by default mixed mode is enabled, and you can run the following commands. So if for some reason you see in your enterprise parameters that mixed mode is disabled, you can SSH to your Call Manager server and issue the following command: utils ctl set-cluster mixed-mode. This will ensure that your server is running in mixed mode. Some organizations, such as a bank, a government, or maybe some sort of law enforcement organization, may have a restriction that says only encrypted traffic will be allowed, so in that case you may want to disable the mixed mode concept.

There are many different types of certificates. You've got server certificates and certificate authority certificates. Server certificates are used to validate a device, which could be a PC, a phone, or an endpoint, that is connecting to the network, and whether it can be trusted or whether a security risk exists. So here you've got a Call Manager, and you've got a certificate authority server which will issue a certificate for the Call Manager when it requests one. The issuing server, which could be public or private, will then issue a certificate to the Call Manager matching its identity. Then whenever you try to communicate with the Call Manager, the Call Manager is going to validate your certificate by asking you to send it, and you then validate with the certificate authority to ensure that all the identities are accurate. Server certificates are issued by a certificate authority, or CA. When a CA or root server receives a request for a server certificate, it performs a check on the request to validate its legitimacy; if the check passes it will issue a certificate, which can be loaded onto the server. A device connecting to the server, in this case let's say a laptop, will receive a copy of the certificate from the Call Manager and, assuming it trusts the issuing CA, the laptop will need to be able to say "I trust this guy because I know the company that issued that certificate, because I have their root certificate in my system." So let's assume the Call Manager got its certificate from a company called GoDaddy, and on your laptop you have the GoDaddy root certificate. When the server sends its certificate to the laptop, the laptop will look at its root certificates to see whether the certificate the server sent is actually signed by GoDaddy, and if that is true, based on the hash and many other components, then obviously the client will trust the server.

There are many different public CAs, or certificate authorities: Symantec, VeriSign, AWS, GoDaddy and many other companies around the globe who will issue certificates for a small fee. A public CA-issued certificate will be required on servers that run on the Internet. For example, if you're going to run Cisco Expressway, online banking services, ecommerce websites, or secure payment sites, you want to make sure you obtain a public certificate from an authorized CA. Users connecting to a private server, however, can use a private certificate. Users connecting to a public server will need to trust the CA that issued the certificate, so your browser or computer must have the root certificates of all the well-known certificate providers around the globe. In case it doesn't, you can manually install the root certificate of the server, but then again you have to keep in mind that it may not necessarily always be trusted, so you always have to do your due diligence: make sure the certificate root server is actually authentic and somebody else is not just pretending to be it. The connecting device will reject the certificate if the root certificate is not correct. What will happen is it will simply say "no, this is an invalid certificate, do you wish to continue?" Obviously it's your choice whether you want to continue or not. In some cases it will reject your call. Let me show you what I mean by a certificate warning: as you can see right now, I'm getting an error message saying "your connection is not private". That means it's giving you a warning but you can still log in, but some applications will simply reject the call.

A private CA can be deployed behind the firewall. For example, if you have a private CA and you have a server inside, you could get a certificate from the private CA for internal communication, but for anything on the outside you should always obtain a certificate from a public CA. This will save the enterprise time and money, since internal servers do not need to be recognized by third parties. So if you use a private CA it will save you time and money, because it sometimes takes a couple of hours or a few days for a certificate to be issued, whereas if you have an internal CA you can issue them at any time you want.

Now, certificate signing requests. The certificate validation process uses asymmetric encryption to ensure the authenticity of a certificate. You've got two types of encryption: symmetric and asymmetric. Think of symmetric as: I encrypt my file with a key that I generated, and in order for you to open that file you need a copy of my key, so I have to share my key with you. If I have 20 people, I have to share my key manually with all 20 of them. Asymmetric encryption uses two keys: a private key and a public key. Anything encrypted with the public key can only be decrypted with the corresponding private key, and vice versa, anything encrypted with the private key can only be decrypted with the public key. The private key is held securely on the server. So again, anything encrypted with the public key can only be decrypted with the private key, and vice versa, anything encrypted with the private key can only be decrypted with the corresponding public key. The private key is held securely on the CA server, and the public key will be published for anyone who trusts the CA. Certificates will be issued by the CA, encrypted with the CA's private key. If the enterprise trusts the CA, it will use the CA's public key to decrypt the certificate. If the certificate can be decrypted, then it must have been issued by a recognized CA, therefore it can be trusted. If you cannot decrypt it, that means it's been issued by a certificate server that your client does not trust. All certificate authorities publish a CA certificate; the published certificate includes the CA's company details, the validity dates and a copy of the public key, and all clients will contain this information in their own trust store.

So if I'm looking at my laptop, this computer you're seeing right now, and I go to the certificate manager, you'll see there is something called Certificate Manager, computer certificates. Basically it is a container where all your certificates are installed. Here you will see the certificates and all their details. There is a subfolder called Trusted Root Certification Authorities; this is where you see all the root certificates that are trusted by your laptop or PC, the root certificates of the well-known, established providers around the globe. Now it is possible that at some point a new company emerges that is also issuing certificates, but hasn't been around long enough for all the browsers and computers to trust their certificate. In that case what you can do is download their root certificate and install it here.

So what I'm going to do right now is show you how to download a root certificate from ZeroSSL. I'm going to go to zerossl.com; ZeroSSL gives you free certificates. If you go through the starting process, and if you read that, it says they give you a certificate based on Let's Encrypt certificates, I believe; you have to look at their details. In their documentation it says Let's Encrypt certificates, so you go to their website, letsencrypt.org. This is a free organization that offers you free certificates. You can go to the documentation, donate, get help, whatever options you have, and there you'll see their chain of certificates, the root certificates. I'm going to download those root certificates right here; this is the root certificate they provide. What I'm going to do is copy that into Notepad and save it in my PDF folder as, let's call this, rootcert-letsencrypt.cer. So I've saved that file; now I'm going to import it into my computer. I'm going to open my certificate manager, right-click on Certificates, go to All Tasks and Import. This will allow me to import the root certificate. I'm going to do it for the whole machine rather than a particular user. I'm going to select the file that I just saved, located in the PDF folder on my desktop, click OK, and it's going to ask where you want to store it. Remember I selected the certificate container under the root, so it will automatically show you that, but in case you don't see that, click on Browse and go to Trusted Root Certification Authorities. It's important that the root certificate is actually in that folder, because your browsers are looking in that folder for the roots. Select that, click Next, Next, Finish, and it will tell you the certificate was imported successfully. Once that is done you can scroll down until you see the certificate; it should be somewhere there, you have to spend a little time to find it, and sometimes you may even want to refresh. Right there is the certificate I just downloaded, and it's now trusted, from the organization called Let's Encrypt. Now of course you can get more details about the certificate, and this certificate is valid until pretty much 2035, so pretty good. Now all I have to do is start working on generating certificates for my servers once I'm ready.

Unified Communications Manager uses multiple different types of certificates: Tomcat, CallManager, CAPF, IPsec and TVS. The Tomcat certificate is for the HTTP server; anyone accessing HTTP services from Call Manager or IM and Presence will use this certificate to validate the server. Applications, endpoints and Jabber clients accessing Call Manager will use the CallManager certificate. So the Tomcat certificate is used when you're trying to access the web pages through a web browser, and the CallManager certificate is used by applications, endpoints and Jabber clients when they're trying to register to Call Manager. You've got CAPF, which is used in line with the global certificate policy for CAPF and other services; we'll talk about that later in our certificate sections. IPsec is used for the IPsec tunnel between the gateway and CUCM, and TVS is used to validate Trust Verification Service connections.

Cisco Unified Communications Manager requires a CA certificate and a server certificate, which need to be uploaded for each service across the cluster. So for example a CA certificate and a server certificate must be uploaded for the Tomcat service and separately uploaded for the CallManager service. It's the same certificate: you create one server certificate, but it has to be applied twice, once for the Tomcat service and once for the CallManager service. So the root certificate will be applied twice, once to tomcat-trust and once to CallManager-trust, and the server certificate, which is the same single certificate, will also be applied twice, once for Tomcat and once for CallManager. The certificates can be from the same CA, but the server certificate must be uploaded once for each service. The services that support certificate verification are listed in the following table; these are the services and certificates that are supported. These certificates will be shared across all the servers in your cluster providing the same services.

Call Manager supports two certificate formats. Privacy Enhanced Mail, or PEM: this format contains the X.509 certificate encoded as Base64 text, is supported by Cisco VCS and Cisco Unified Communications Manager, and is the most common format in unified communications. The other format is called Distinguished Encoding Rules, or DER, which contains the X.509 certificate in binary form; it is supported by Call Manager but not by all other communication applications. If you are going to download a certificate, most likely you want to download it in PEM format. The difference between the two types is simply the way the certificates are encoded; while Call Manager can support either one, most other applications may not necessarily support DER, so if other products are being used, you probably want to stick to the PEM format.

All right, so let's go and request a certificate from our Call Manager. First I'm going to log in to my Call Manager, and I'm going to log in to OS Administration; let me increase the font size a little bit. Once I'm logged in, the first thing I'm going to do is request a certificate. Now what you have here is the Cisco Unified CM Administration page, but in the navigation I'm going to select Cisco Unified OS Administration and log in separately as the OS admin, because all the certificates are under the OS Administration area. So once we log in we are going to generate a certificate. In Call Manager there are two types of certificates you can create: one for each server individually, publisher, subscriber and IM and Presence, or you can create something called a multi-server certificate, meaning one certificate contains all three servers in your cluster: pub, sub and IM and Presence. Right now I'm in OS Administration; under Security you have Certificate Management, Certificate Monitor, Certificate Revocation, and other certificate-related configuration. Let's go with Certificate Management; this is where you will find all the certificates in your system. Right now you see nothing; you've got to click on Find to see things. So let's click on Find and you'll see all the certificates currently uploaded to your system. You'll notice that most of these certificates are actually self-signed by Call Manager. Self-signed means Call Manager is acting as a CA. At this stage, as you can see, they're all self-signed except for a few which are signed by a CA for internal use.

In order to use certificates you need to have a fully qualified domain name. You'll notice the fully qualified domain name I'm using is hqcucmpub.vbcpart2.com; we're going to regenerate the certificate using the same domain. So right now we're going to click on Generate CSR. In Generate CSR we have to choose the purpose of the certificate: you've got tomcat and CallManager, and we're going to generate for both of them; it is important that you generate certificates for both. So we're going to select tomcat, and this is your parent domain, and you can add more domains if you want by adding multiple SANs. Remember we have already downloaded our root certificate and installed it here. Right now the certificate request is generated; I'm going to close that and generate one for CallManager. Let's go back to tomcat again. Remember we talked about multi-SAN, or multi-server, versus single server: with Distribution set to the single server I only have my particular domain, whereas if I say multi-server it's going to pull all the servers you have in your cluster and put their names in there, as you can see: hqimp, hqcucmpub, hqcucmsub. So let's go and regenerate the tomcat certificate with a multi-SAN, so that I can use the same certificate across all the servers instead of managing hundreds of different certificates and files. Once the file is generated we are going to have to download it, but for that we have to go to a different window. Once this tomcat request is done I'm going to show you the CallManager certificate, and then we'll go and create our own public certificate from ZeroSSL. So now we're going to generate the CallManager one, again multi-SAN because this is what we're trying to achieve, so it will pull the server names for all the multi-SAN. Let's generate again; we have to wait for the auto-populate to work. In multi-SAN you only see two, which is your pub and sub, not the IM and Presence, because this certificate is for the Jabber clients and phones to talk to Call Manager. Oops, sorry, that's not the folder I want. Now we're going to click on Generate; my apologies. I'm going to go ahead and generate the file. This file will contain a certificate request, which is basically a text file; we're going to copy the contents of the file and submit it to the certificate authority.

This is done, so let's close this. Now you notice that after you generate a certificate you'll see this little menu option called Download CSR, which wasn't there before. If you click on this you should be able to download the two CSRs you have generated, or maybe three because we generated extras: we have the tomcat and we have the CallManager. I'm going to download the tomcat one first, and it's very important that you name them properly, because you don't want to mix them up. Again I'll put it in the same folder; I'm going to call this part2-tomcat.csr, or CER or CRT, whatever you want to call it. That's done, and it's going to download to the same folder, and then I'll select the CallManager CSR and download it as part2-callmanager.csr. So I've got both downloaded. At this moment I'm ready to generate certificates from the website zerossl.com. You go to Certificate Tools, and you can say Get Free Certificate from that particular page; click on Start. It's a very simple process, to be honest with you. You put in your email address; let me see if my email address works, let me test this email first. So the email address I'm going to use is my address at vbcpart2.com; it's important that you have a proper email and DNS verification, because I'm actually showing you a live certificate that can be used in production.

Now it's going to ask you to paste your CSR; you can upload or paste it. I'm going to copy the tomcat one first, and paste the CSR here on the right-hand side, not on the left-hand side. I'm going to paste that and accept the terms, and it's going to ask you for verification. It depends on how you want to verify; I'm going to use DNS verification, because this is something I have full control over, my DNS, so I can verify that. I'll select that and click Next. It's going to generate an account key, which is pasted on the left-hand side; this is your private key, so you want to download this. Let's call it part2-account-key-tomcat. Save that file on your PC and click Next. At this stage I'm at verification. This procedure could be different from provider to provider; it's a bit of a pain if you're doing it with this company, because they want you to verify tons of stuff. Basically what they're saying is we need to create domain TXT records with these values. So you copy this and go to your DNS server. I'm at my AWS DNS server; we use Route 53, and this is my part2 zone file. I don't want to cover AWS as part of this course. What we need to do is create a new record. When you create a new record it asks what type of record; we're going to choose TXT record, and we have to put in that name. Now, you don't put the domain name in there, that's very important: don't put the domain name, just up to the domain name, and then the value; you copy this value into this, and when you remove the focus from it, it will go in quotation marks. Click on Create, then go back and try the second one. You don't want to make this mistake too many times, so make sure it's done once; it's a TXT record, copy your value, Create. Once verification is done you can always delete them, that's not a problem. Again a TXT record, and the value would be this; make sure there is no space. It is free, but then again it is a pain to create them because of this procedure, whereas with GoDaddy you simply pay for it and that's it. Almost there. You could use this certificate for free for pretty much anything; it doesn't have to be for Call Manager, it could be for your website, could be email, whatever validation is needed. Now this company only validates your domain; it does not validate your company's details. One last one, right here: make sure there is no dot and copy the value. So you know the drill: again it's a TXT value, make sure it is in the proper format, click on Save. Just verify it by putting all your records together: make sure you've got one, two, three, four, five fields, and the same thing here, one, two, three, four, five. At that moment you can click Next. It's going to try to contact your DNS server, so you may want to give it a couple of minutes, because sometimes your DNS server takes time to update all the name servers. I would probably give it about ten to fifteen to twenty minutes before you click Next, but let's just give it a shot. Verification was successful; you notice this is quite fast. Unlike all the other DNS providers, I find the AWS DNS to be extremely fast. So this is your certificate. Now what you want to download is the server certificate, so we're going to click on this download button and we're going to call this the tomcat certificate: part2-tomcat.cer, and save the file.

Now we're done with this one; we're going to create another one for the second CSR. If you want to pause the video or fast-forward, that's totally up to you. Let's get started on the second one, see you soon. Copy, paste it right there, I'm going to use my email at vbcpart2.com, validation, accept. Now, HTML verification will probably require you to create a small HTML file and put it on your web server to make sure you actually have access to that web server. I don't want to do that right now; I'd rather go with the DNS option, even if it's painful, it's still better this way, I don't want to mess up my website. Again we are generating the private key, account key, whatever they want to call it; every vendor has different options. So we're going to first download that key; I'm going to call this part2-callmanager-accountkey. Now I'm ready for the next stage, which is verification again. I've got to do the same thing. This time you'll notice the information is probably the same, but let's double-check. It says _acme-challenge.hqcucmpub-ms. Do I have that ACME challenge? Yes, hqcucmpub-ms; we've got that, we just have to change the value. You just have to be very careful with that; if I were you I would probably delete it and recreate it if you don't want to make a mistake. Make sure you're putting it in the right one; the only way I can verify is by looking at the "ms", and you notice I have "ms", so I just follow that. I'll change the value. The next one would be _acme-challenge.hqcucmpub without the ms; right there, hqcucmpub without ms, change the value. The next one will be the sub, and I'll change this value which is right here. The last one says just _acme-challenge; you'll see it right here. You'll see a slight difference between the two, because one had the IM and Presence information so it requested that, but here you don't need to worry about that because there is no IM and Presence. Again, because I just made a quick verification, you may have to wait 10 to 15 minutes for the updates to happen, so sometimes you have to be patient. Let's see if it recognizes the changes. Although I don't think it has anything to do with this, for mental satisfaction type ipconfig /flushdns; I don't think it's going to help, but let's flush the DNS cache. Let's click on Next and see if it verifies; it might not, because it may have cached the values from the old request. Oh, it did verify, so it's all good. I like AWS. I'm now downloading the server certificate. So I've got the root certificate, I've got the tomcat certificate, and now I'm going to call this one part2-callmanager.cer. So that's my certificate.

Let's go back to Call Manager; I'm now ready to upload. What you're going to do is click on Upload Certificate/Certificate chain. I'm going to start by adding the root certificate first, because without the root certificate you will not be able to upload the server certificate. I'm going to click on tomcat-trust first and choose the file. I'm in my PDF folder: where's my part2 tomcat... hold on a second, the CSR files are here, so the root certificate is this one; let me get the actual root certificate. I was looking at the wrong file; that is the server certificate, and the root certificate from ZeroSSL is this one, which I'm going to upload to the trust first. When you upload it, it will tell you whether it is valid or not; if there is any problem with the file, sometimes when we save the file we may put a space in there or make a mistake by accidentally editing the file, which could be a problem. You notice that after you do that you need to restart Tomcat, which is fair. I'm going to go to CallManager-trust and upload the same root certificate. So now I'm uploading the root certificate, as you can see right there; it's pretty straightforward, nothing fancy about that. After we upload the root certificate we are going to upload the server certificates individually. The first server certificate I'm going to upload is tomcat, which currently is self-signed; click on Choose and select the tomcat certificate we just downloaded, part2-tomcat. If for some reason your root certificate is not applied correctly, it will tell you that this certificate cannot be uploaded because the root certificate doesn't exist. So while it is uploading it's actually doing verification to see "do I really trust this guy?", which is a very good thing, because sometimes you may have forgotten to upload the root; we want to make sure that is the case. Let's go ahead and wait and see what happens. Here's an indication that it was successful for all of them: hqimp, hqcucmsub and hqcucmpub are all working fine. I'm going to upload the CallManager one, and after that we'll restart Tomcat and then try it. While we are uploading this, let's go to SSH and make sure we're connected to the server; actually, I'm going to connect directly through my console. This is my publisher CLI console. I think the Tomcat one is done; no, I think it's still in progress. OK, it's now completed; let me look at the certificate list, let's try one more time because it should say CA-signed; maybe I missed something. OK, it's uploaded. So the CallManager certificate has been done; it says restart Tomcat and restart your TFTP service. Let's go and do that. It would be better if you just reboot the server, but for now: utils service restart Cisco Tomcat. Restart done; I'll log in and then restart the TFTP. The TFTP restart is required so that the other servers can obtain the file, but for logging in you just need Cisco Tomcat. As you can see it's still restarting; it takes a lot of time for Tomcat to come back, and even after it comes back you must wait a few more minutes for the web page to load properly, so let's be patient and I'll show you the final step.

I'm going to try this out right now, but it still hasn't come up, so let's wait another few minutes and see what comes up. Here you can see that I'm trying to log in to hqcucmpub.vbcpart2.com, and you can see in the corner that it's a secure site. If you click on that you'll see the certificate is valid and the connection is secure, and if you click on the certificate it will give you the information about who it was issued to: if you look at that certificate right now it shows hqcucmpub-ms; ms basically stands for multi-server, remember we chose multi-server. It's issued by Let's Encrypt Authority X3, and its validity dates in 2020 are shown here. This certificate gives you about three months, and after three months you have to regenerate it. So basically it's free but it's only good for three months, which is fine for testing purposes. That's pretty much it for this particular lab; hopefully you can now go ahead and get your valid certificate for your server.
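The video does every step in the CUCM OS Administration GUI. The following is an added example, not part of the video and not Cisco's or ZeroSSL's tooling, that reproduces the same pieces on the openssl command line so they can be inspected: a private root CA (the kind whose certificate goes into tomcat-trust and CallManager-trust), a multi-SAN CSR that names the publisher, subscriber and IM and Presence node the way the multi-server CSR does, CA signing, PEM-to-DER conversion, the check that a server certificate chains to a root in the trust store (the check CUCM performs on upload), and the check that the private key that stayed on the server matches the certificate. It assumes the openssl CLI (1.1.1 or later) is installed; the hostnames, CA names and the example.test domain are constructed stand-ins, not the lab's names.

```shell
#!/bin/sh
# Added example (not from the video, not Cisco's or ZeroSSL's code): a private
# root CA, a multi-SAN CSR naming every cluster node, CA signing, PEM/DER
# conversion, and the issuer check CUCM performs when a server certificate is
# uploaded. Hostnames, CA names and the example.test domain are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Returns 0 when CERT chains to a root in TRUSTFILE. This is the role that
# tomcat-trust and CallManager-trust play on CUCM, and why the root is uploaded first.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Number of DNS names in the Subject Alternative Name extension of CERT.
san_count() { openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -c 'DNS:'; }

# SHA-256 fingerprint of CERT, given its encoding (PEM or DER).
cert_fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2; }

# Returns 0 when the private key that stayed on the server matches the public key in CERT.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# 1. Root CA config with explicit CA extensions, so the result does not depend
#    on whatever openssl.cnf the system ships. The CN is overridden by -subj.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
make_root() {  # make_root "<CN>" <basename>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}
make_root "Example Lab Root CA" lab-ca        # the CA we would upload to the *-trust stores
make_root "Some Other Root CA" untrusted-ca   # a CA the cluster was never told to trust

# 2. One CSR naming every node, like the multi-server CSR the GUI generates.
#    The private key (tomcat.key) never leaves this host; only the CSR is sent to the CA.
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = hqcucmpub-ms.example.test
[v3_req]
subjectAltName = DNS:hqcucmpub.example.test,DNS:hqcucmsub.example.test,DNS:hqimp.example.test
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
openssl req -new -newkey rsa:2048 -nodes -config san.cnf -keyout tomcat.key -out tomcat.csr 2>/dev/null

# 3. The CA signs the request. The SANs are supplied again through -extfile, because
#    "x509 -req" does not carry the request's own extensions over on older OpenSSL.
openssl x509 -req -in tomcat.csr -CA lab-ca.pem -CAkey lab-ca.key -CAcreateserial \
  -days 90 -sha256 -extfile san.cnf -extensions v3_req -out tomcat.pem 2>/dev/null

# 4. The same certificate in DER: binary encoding, identical content, identical fingerprint.
openssl x509 -in tomcat.pem -outform DER -out tomcat.der

# 5. What the upload check sees in each case.
if chain_ok lab-ca.pem tomcat.pem; then
  echo "tomcat.pem chains to Example Lab Root CA: upload would be accepted"
fi
if ! chain_ok untrusted-ca.pem tomcat.pem; then
  echo "issuer not in trust store: upload would be refused (root must be uploaded first)"
fi
echo "SAN entries: $(san_count tomcat.pem)"
echo "PEM fingerprint: $(cert_fingerprint tomcat.pem PEM)"
echo "DER fingerprint: $(cert_fingerprint tomcat.der DER)"
```

The refused case is the openssl equivalent of the "certificate cannot be uploaded because the root certificate doesn't exist" message mentioned in the walkthrough: the leaf is perfectly well-formed, it simply does not chain to anything in the trust file it was checked against. The matching PEM and DER fingerprints show that the two formats differ only in encoding, which is why either can be uploaded to CUCM while other products may accept only PEM.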
Info
Channel: VoiceBootcamp Inc
Views: 3,099
Keywords: ccna ccnp ccie, ccna voice, ucce, icm, callmanager, unified communication, ccie collaboration
Id: b-RjgPYpHog
Length: 45min 45sec (2745 seconds)
Published: Sat Apr 04 2020