Certificate Installation for Using Cisco Unified Border Element (CUBE) for Direct Routing

Captions
Hi. This video will guide you through the process of installing certificates on your IOS XE router, specifically the certificate install process required to establish a TLS connection from your Cisco Unified Border Element (CUBE) router to the Microsoft Phone System, also known as Microsoft Teams, for a Direct Routing configuration. However, the methods used in this video apply to most use cases where a user wants to install and configure certificates. In this guide I will be using a Cisco ISR 4321 running IOS XE 17.2. I'll show you two methods of installing the certificate on your router. In the first method we generate the key pair on the router and then generate the CSR on the router. In the second method we install an imported key pair and certificate bundle.

The first step is to generate the RSA key. So this is the command we need: crypto key generate rsa general-keys, and we give it a label. It's a label; I'm calling it cube0-key. Then modulus 2048, which says 2048-bit key, and then exportable. Exportable is really useful because if you're paying for certificates you don't want to have to generate a new key.

The next step is to configure the trustpoints. The first trustpoint is the host trustpoint, so for the host certificate. The name of the trustpoint is completely up to the user. enrollment terminal: this means we'll be pasting a base64 PEM-formatted certificate in. At a minimum you'll want the fully qualified domain name in the common name subject field. And the final command, rsakeypair cube0-key: this is the key we just generated, so this key will be used to generate the certificate signing request. Wildcard certificates are supported; these can be defined in the common name or in a SAN record.

The next step is to install our trustpoints for our CA certificates. The essential commands here are the enrollment method, enrollment terminal, and revocation-check. Our certificate provider actually has four certificates in the chain, so from root to host certificate there's four certificates, so we actually have to add two CAs to our router. This is not always the case; sometimes you just have to add one CA. It depends on your certificate provider. The Baltimore trustpoint you can see here: this is so we can verify the certificate from Microsoft, so we need a trustpoint for that. Now, you can have as many trustpoints for as many CAs on your router as required; they will only be utilized if they're needed.

The next step is to generate the certificate signing request for the host certificate. To do this we do crypto pki enroll and then the trustpoint name of the host trustpoint. We will use the details that we put in earlier for the subject name, et cetera, and then we can display the certificate signing request in the terminal. So what we need to do here is copy this out and keep it safe. This is a base64 PEM-format certificate signing request, so we can just copy that out. We will then need to send that off to our certificate provider so they can generate an SSL certificate for us.

The next step is to add the certificates for our CA trustpoints. So what we need to do is paste these in. Now, these CA certificates will be provided by the certificate authorities. This one is the Baltimore cert, so this is freely available online. So what we do is just copy that out, again base64 PEM format, so we can paste that in, and as you can see that's successful. Then we do crypto pki authenticate for our other trustpoints. Here we paste in the certificates that were provided to us when we retrieved our SSL certificate from our provider. They should send you all the certificates required in the chain, and we need to paste those into our trustpoints. This one is the root certificate, this is the root CA, and then we do the same thing for our other certificate authority. This certificate sits just above the root CA, so it's an intermediate cert, and as I mentioned earlier we have two intermediate certs in our chain.

Now, this next step: we do the crypto pki authenticate command, but not for our CA, that's all complete; we do that for our host certificate. What we need here is the intermediate certificate that sits just below the host certificate. This certificate is the one that verifies our host certificate. So crypto pki authenticate and then our host trustpoint name, cube zero dot q python tme dot com, and then we paste in the intermediate certificate. Now we can do crypto pki import and then the trustpoint name, cube0.cue python2me.com, and then certificate. Now, this certificate we're pasting in here is the top of the chain; this is the host certificate, and if this is successful that means that the intermediate cert we just pasted in before has been able to authenticate this certificate. If you get anything other than a positive message after you've pasted this in, then you've got something missing in your chain, so you haven't got the required certificates installed on the router. As you can see, this was all successful.

So now I'd like to show you a few commands that allow you to verify that your keys and certificates are installed. So show crypto key mypubkey, and then ours is an RSA key, and then our key name, will show you the key is actually configured. Then we do show crypto pki trustpoints to see all of our trustpoints; we have our CA trustpoints and we have our host trustpoint. With the show run command we can see the trustpoints and certificates in the running config, so this is useful to see if they actually are configured, and as you can see for this host trustpoint there were two portions to it; that means we've got the intermediate and the host certificate installed for that trustpoint. The final command, show sip-ua connections tcp tls detail, now this is specific to CUBE; this will show us if our TLS connections are up, our TLS SIP trunks. As you can see we have three established TLS connections, which means our certificates are good; Microsoft is accepting these connections.

Moving on to the second method of installing key pairs and certificates. In this method we import a PKCS12-format bundle, so that includes the key pair, includes the host certificate, includes the intermediate certificates. The reason you may want to do this is it may be a backup and restore from another Cisco IOS XE router, or you may have generated this bundle in OpenSSL on your computer. We're going to simulate a backup and restore of this trustpoint. So the first command we're going to do is crypto pki export, the trustpoint name, pkcs12, and then the location where we want to export the PKCS12 file, and then a password to protect it. Our host and intermediate certificate that we want to import is already associated to an existing trustpoint which we created earlier. I'm going to put a no in front of that trustpoint, so no crypto pki trustpoint, trustpoint name. That will delete that trustpoint, and it will also remove any certificates associated to it, so it will remove the intermediate and the host certificate. It will also disassociate the key from that trustpoint. Now we need to recreate that trustpoint. The enrollment pkcs12 method is actually there by default, so you don't need to enter that, and this is obviously different from enrollment terminal, because we can't paste this certificate bundle in. So now that's created, we run the import command: crypto pki import, then the trustpoint name, pkcs12, then the location of that PKCS12 file, and then the password we used to protect that file. As you can see, that import was successful. Now we just need to verify that the certificate key pair bundle that we imported to our trustpoint works. We can use any of the previously mentioned show commands; the one I'm using here is show sip-ua connections tcp tls detail, and as you can see the TLS connections are up. For more documentation and guides on this topic please go to cisco.com.
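The two steps practitioners most often get wrong in the procedure above are working out which certificate from the provider's bundle goes into which trustpoint, and noticing too late that an intermediate is missing (the "anything other than a positive message" case at the crypto pki import step). The script below is an added example and is not part of the video or Cisco's own tooling. It uses openssl to build a throwaway chain shaped like the one in the video (root, two intermediates, host), sorts the certificates into root-to-host paste order, checks the chain with and without the second intermediate, and packs a PKCS#12 bundle of the kind the second method imports. The host name cube0.example.com, the CA names, the file names and the password cisco123 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the Cisco video. Builds a demo four-certificate chain
# (root -> intermediate 1 -> intermediate 2 -> host), orders it for pasting into
# IOS XE trustpoints, checks chain completeness, and creates a PKCS#12 bundle.
# Host name, CA names, file names and the password are demo assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"
HOST="cube0.example.com"      # assumed FQDN; use the router's real name

# Minimal openssl config: CA extensions for root/intermediates and server
# extensions, including a SAN, for the host certificate.
cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ host_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$HOST
EOF

# issue NAME PARENT EXT_SECTION SUBJECT: self-signed when PARENT is "",
# otherwise signed by PARENT's key. The host step mirrors method one:
# generate an RSA key, build a CSR from it, get it signed by the issuing CA.
issue() {
  name=$1; parent=$2; ext=$3; subj=$4
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  if [ -z "$parent" ]; then
    openssl req -x509 -new -key "$name.key" -subj "$subj" -days 30 \
      -config pki.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl req -new -key "$name.key" -subj "$subj" -config pki.cnf \
      -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA "$parent.crt" -CAkey "$parent.key" \
      -CAcreateserial -days 30 -extfile pki.cnf -extensions "$ext" \
      -out "$name.crt" 2>/dev/null
  fi
}

subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }

# chain_order CERT...: print the files in root-to-host order by following
# issuer -> subject links starting from the self-signed certificate.
chain_order() {
  cur=""
  for c in "$@"; do
    [ "$(subject_of "$c")" = "$(issuer_of "$c")" ] && cur=$c
  done
  [ -n "$cur" ] || { echo "no self-signed root among the inputs" >&2; return 1; }
  out=$cur
  while :; do
    next=""
    for c in "$@"; do
      [ "$c" != "$cur" ] && [ "$(issuer_of "$c")" = "$(subject_of "$cur")" ] && next=$c
    done
    [ -n "$next" ] || break
    out="$out $next"; cur=$next
  done
  echo "$out"
}

# chain_check HOST_CERT ROOT_CERT INTERMEDIATE...: "complete" if every link is
# present, "incomplete" otherwise (the offline equivalent of the router
# rejecting the host certificate because an intermediate was never pasted in).
chain_check() {
  leaf=$1; root=$2; shift 2
  cat "$@" > untrusted.pem
  if openssl verify -CAfile "$root" -untrusted untrusted.pem "$leaf" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

# make_p12 OUT PASSWORD: host key + host cert + intermediates, the content that
# "crypto pki import <trustpoint> pkcs12 <file> password <PASSWORD>" consumes.
make_p12() {
  cat int1.crt int2.crt > intermediates.pem
  openssl pkcs12 -export -inkey host.key -in host.crt -certfile intermediates.pem \
    -name "$HOST" -passout "pass:$2" -out "$1" 2>/dev/null
}
# p12_cert_count FILE PASSWORD: number of certificates inside the bundle.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Build the demo chain with two intermediates below the root, as in the video.
issue root ""   ca_ext   "/CN=Demo Root CA"
issue int1 root ca_ext   "/CN=Demo Intermediate CA 1"
issue int2 int1 ca_ext   "/CN=Demo Intermediate CA 2"
issue host int2 host_ext "/CN=$HOST"

echo "Paste order (root first), given the files in arbitrary order:"
for c in $(chain_order host.crt int2.crt root.crt int1.crt); do
  echo "  $c  subject: $(subject_of "$c")"
done
echo "Full chain: $(chain_check host.crt root.crt int1.crt int2.crt)"
echo "Without intermediate 2: $(chain_check host.crt root.crt int1.crt)"
make_p12 host.p12 cisco123
echo "host.p12 holds $(p12_cert_count host.p12 cisco123) certificates"
```

Read the output against the procedure in the video: root.crt is what you paste at crypto pki authenticate for the root CA trustpoint, int1.crt at crypto pki authenticate for the intermediate CA trustpoint, int2.crt at crypto pki authenticate for the host trustpoint (it is the issuer of the host certificate), and host.crt at crypto pki import for the host trustpoint. The second chain_check reproduces the failure mode described above: drop int2 and verification fails, which is the same gap the router reports when the host certificate is imported before its issuer has been authenticated. One caveat for the bundle: OpenSSL 3 changed the default PKCS#12 encryption to AES-256-CBC with PBKDF2; if an IOS XE release rejects a bundle produced this way, re-export with the openssl pkcs12 -export -legacy option, which selects the older encoding.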
Info
Channel: Cisco
Views: 3,454
Keywords: Collaboration, CUBE, Cisco ISR, Microsoft Phone System
Id: IVH5PdPsQyw
Length: 11min 33sec (693 seconds)
Published: Wed Jul 22 2020