How to sign certificates with a Microsoft CA

Captions
Hi, and welcome to this video. My name is Jaime Valencia, I'm with the Cisco PDI technical advisors, and in this video I'm going to show you how to sign certificates with an internal Microsoft CA. I hope you enjoy it.

In this video I'm going to show you how to sign the certificate if you have an internal CA. In this case I have my CA on a Microsoft Windows 2012 server. The first thing that we need to do is to go to our CUCM admin page, and we need to go to the OS Administration page. Once we're in, we go to Security > Certificate Management and we click Find. As you can see, the certificates that are self-signed by the system are going to have this in the description. In this case I'm going to use the Tomcat certificate for this scenario; I'm going to show you how to do a couple of certificates, and then you can do the same with the other certificates if you want.

We're going to click on the Tomcat certificate. That is going to trigger a separate window, and we need to click on Download .PEM File, and we're going to download this as a .pem file. We click on Save, and we have our file here. What we need to do is to change this .pem into a .cer file. I'm going to hit F2 on my keyboard and I'm going to change that .pem into .cer. You're going to get a warning that it might become unusable; you just need to click on Yes, and once you do that you can open this file.

Why do we need to do this? Well, because we need to verify some settings that the certificate from CUCM has, and you need to emulate those settings in the new one. We go into Details, and the things that we need to notice are the signature algorithm, the signature hash algorithm, the length of the public key (in this case it's 2048 bits), the key usage and the enhanced key usage. In here we can see that the Tomcat certificate has Server Authentication and Client Authentication, and for the key usage we have Digital Signature, Key Encipherment, Data Encipherment and Certificate Signing. We can close this window and this other window.

Once you have downloaded the certificate and you have noted the key usage and the enhanced key usage, then you need to generate a certificate signing request. You need to click on Generate CSR. This will trigger a new window. You need to choose the right certificate from this drop-down menu; in this case we are going to be doing the Tomcat certificate. In the Distribution drop-down you can decide if it's going to be just for this server or if it's going to be multi-server. You need to make sure that the common name is the right one, the domain, the key length and the hash algorithm, and we click on Generate. As you can see, we get a success message and we close this window. The page is going to refresh and we're going to have a new option, which is going to be Download CSR. We click on it and we get this new window. In here you can see the CSRs that have been created in the system; in this case the only one that we can see is Tomcat, because that is the only one that I have created. We choose that one and we click on Download CSR. I'm going to download it in the same folder where I have the .cer, and then we're going to use that file in my CA.

I have downloaded all the certificates to my computer and I have changed the .pem into a .cer, and the reason why I told you that it is really important for you to verify the key usage and the enhanced key usage is because it can change from one certificate to the other. As you can see in my screen, I already have two certificates: the one on the left is the Tomcat certificate and the one on the right is the IPSec certificate. As you can see, the IPSec certificate has another property that the Tomcat certificate does not have, which is IP security end system, and this is the reason why it is really important to verify what the settings for the certificates that CUCM has are, because if you do not use the same settings it will fail.

Once you have downloaded the certificates and generated the CSR in your server, our next step is to go to our CA server. In my lab I have it running on a Windows 2012 server. In order to get to that window we need to go from our Server Manager; we click on Tools and then we click on Certification Authority. The first thing that you will see is the name for the CA that you defined in your installation, in this case PDI-MX-CA. The very first thing that we need to do is to adjust our certificate templates. We right-click on Certificate Templates and click on Manage. None of the default templates will have the settings that we need, so we need to use the Web Server template as a base. We right-click on it and click on Duplicate Template. What we need to change is under the General tab: in the first place we need to give this a new name, we need to adjust the validity period if necessary (in my lab I usually set it to ten years), and then we need to click on the Extensions tab. Here the very first thing we need to do is to adjust the Application Policies, because we only have Server Authentication and we need Client Authentication as well. We'll click on Edit, then we'll click on Add, and we need to choose Client Authentication, then we'll click on OK. Make sure that you have the two requirements here, and then we click on OK again. Then we need to go to the Key Usage; we click Edit, we are going to choose "Signature is proof of origin (nonrepudiation)", and if you remember, the key usage had Key Encipherment and Data Encipherment, so we also need to click on "Allow encryption of user data". Then we need to go to Cryptography and we need to make sure that the minimum key size is at the very least the same value that our certificates had; in this case it's the same value, so we do not need to change it, and we click OK to add the new template. As you can see, it's at the bottom of our Certificate Templates console, but we cannot use it yet; there is another step that we need to do in order to enable that. We go back to our CA, we go to Certificate Templates, we right-click, New > Certificate Template to Issue, and we need to look for our Training template. Once we select it we click on OK and it's going to be added. The reason why we do this is because we are going to use a web interface to sign the certificates, and only the templates that are listed here are going to be available.

Before I sign and upload the new certificates, I want to show you the certificate error that is shown in my browser. This, as you can see, is the FQDN of the server that we are using, and I'm going to click on CCM. As you can see, we are getting this error on HTTPS. The reason for that is because I do not have the root certificate that was used to sign this certificate, and that's what we are going to fix.

We are going to go to our certificate authority. The way that you access it is via a browser, and this is the URL that you need to use. In order to sign our certificate we are going to click on "Request a certificate", then we are going to click on "advanced certificate request". We are going to choose the certificate template that we created, which is the Training template, and once you open the CSR in a program like Notepad++ this is what you are going to see. In this case this is the CallManager CSR and this is the information of the Tomcat CSR. What you need to do is to select all this information and we are going to copy it into the web page. Once we have that, we click on Submit. That is going to sign our certificate. We need to choose Base 64 encoded and we click on Download certificate. We're going to save it; I usually change the name to the certificate that we are signing, in this case Tomcat, and we click on Save. Right now we have this new certificate. Once we open the certificate we will see that it was issued to CUCM-test.PDI-MX.cisco.com; the issuer was PDI-MX-CA, which is my lab certificate authority. If we go to the Details we can see that the key usage has the right information: Non-Repudiation, Key Encipherment and Data Encipherment. We can look for the enhanced key usage, which is going to have Server Authentication and Client Authentication. The public key is RSA 2048 bits, the subject is the FQDN of our server, and once again the issuer is my lab CA, and the certification path is OK because I already have the root certificate installed in my PC. We can click on OK, and this is the file that we are going to upload to our CUCM server in order to get rid of this warning.

Once we have signed our certificate we also need the root certificate from our CA. In order to do that, we go to our CA web page and we are going to click on "Download a CA certificate, certificate chain, or CRL". We click on Base 64 and we click on Download CA certificate; we click on Save.

Once you have the root certificate and the Tomcat certificate, it's time to go back to our OS Admin page. We need to log in and we go to Security > Certificate Management. We'll click on Find to make sure that we have the certificates here; as you can see, we have the self-signed certificate for Tomcat and the CSR. Now we need to click on Upload Certificate/Certificate chain. We're going to choose tomcat-trust, we are going to choose the root certificate for our domain, which is this one, PDI-MX-CA.cer, we're going to click on Open and we click Upload. As you can see, we get a success message and also a warning that we need to restart the Cisco Tomcat service via CLI. We're going to do that after we upload the Tomcat certificate. As you can see, right now we have the root certificate for my domain in the tomcat-trust repository. We click on Upload Certificate/Certificate chain one more time; this time we are going to upload the new Tomcat certificate. We choose it, we click on Open and Upload, we get the success message, and the next step is to restart the Cisco Tomcat service via CLI. Once the page refreshes you will see that you have the new certificate in here. As you can see, this is our new certificate, this is the common name and this is the signing entity.

Let's go ahead and restart the Tomcat service. As you can see, I have a PuTTY session open to our server, and we need to issue the command utils service restart Cisco Tomcat. Let's do that right now. The Tomcat service has been restarted, but it will take a few minutes before we can log in and look at the change.

It has been around ten minutes since I restarted the Cisco Tomcat service. We can try to log in once again; I have restarted my web browser in order to do this. As you can see, right now we are not getting the error message, we are getting a full secure connection with HTTPS. This is the information that you should get if you followed the procedure. If you click on certificate information, the certificate will pop up; as you can see, this is the certificate that we uploaded to our server, and once again the certification path is showing OK because I already have the root certificate installed in my machine.

With this we conclude the video. The same procedure can be done for all the other certificates; there are just a few things that you need to keep in mind. You always need to verify the key usage and the enhanced key usage to make sure that you are getting the same requirements as CUCM has in its built-in certificates. This is also applicable for many other products like IM and Presence, Unity Connection, [inaudible] and many others in which you can generate a CSR. Thank you very much for watching this video, I hope it was useful for you.
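The check the video relies on throughout (compare the key usage, enhanced key usage and key length of the CUCM self-signed certificate against the certificate the CA issued before uploading it) can be scripted instead of read off the Windows certificate dialog. The script below is an added example, not code from the video or from Cisco. It uses openssl only, and it constructs its own stand-in certificates so it runs offline: a self-signed "tomcat" certificate with the usages the video lists, a lab CA, and the same CSR signed twice, once with extensions like the stock Web Server template (Server Authentication only) and once with the duplicated template from the video (Client Authentication, nonrepudiation and data encipherment added). The names LAB-CA, cucm-test.lab.example and the .ext "template" files are made up for the example; in practice you would point check_cert at the downloaded .pem/.cer and the certificate saved from certsrv.

```shell
#!/bin/sh
# Added example (not from the video or Cisco): verify that a CA-issued
# certificate carries every Key Usage / Extended Key Usage value of the CUCM
# self-signed certificate it replaces, and a key at least as long.
# Assumes: openssl 1.1.1 or newer on PATH. All certificates are constructed
# below (hypothetical names) so the script runs offline.
set -eu

# Comma-separated, sorted list of one X509v3 extension's values, so that
# "A, B" and "B, A" compare equal. $1 = PEM certificate, $2 = "Key Usage"
# or "Extended Key Usage" (the names as openssl prints them).
ext_list() {
    openssl x509 -in "$1" -noout -text \
      | awk -v name="$2" '
          found { print; exit }
          $0 ~ ("X509v3 " name ":") { found = 1 }' \
      | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$' | sort | paste -sd, -
}

# Public key length in bits, e.g. 2048.
key_bits() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Public-Key:/ { gsub(/[()]/, ""); print $(NF-1); exit }'
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Signature Algorithm:/ { print $NF; exit }'
}

# check_cert ORIG NEW: return 0 when NEW is a safe replacement for ORIG
# (a superset of its usages and a key that is not shorter); print each
# problem found. Extra usages in NEW, like Non Repudiation, are allowed.
check_cert() {
    orig=$1; new=$2; ok=0
    for ext in "Key Usage" "Extended Key Usage"; do
        have=$(ext_list "$new" "$ext")
        old_ifs=$IFS; IFS=,
        for want in $(ext_list "$orig" "$ext"); do
            case ",$have," in
                *",$want,"*) ;;
                *) echo "MISSING $ext: $want"; ok=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    if [ "$(key_bits "$new")" -lt "$(key_bits "$orig")" ]; then
        echo "KEY TOO SHORT: $(key_bits "$new") < $(key_bits "$orig")"; ok=1
    fi
    echo "signature: original $(sig_alg "$orig"), issued $(sig_alg "$new")"
    return $ok
}

# Build stand-in certificates in a temp dir (constructed data, not real CUCM
# or CA output) and set ORIG, BAD and GOOD to their paths.
make_samples() {
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    CN=cucm-test.lab.example
    # Stand-in for the CUCM "tomcat" self-signed certificate downloaded as .pem.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/tomcat.key" -out "$WORK/tomcat-self.pem" -subj "/CN=$CN" \
        -addext "keyUsage=digitalSignature,keyEncipherment,dataEncipherment" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null
    # Stand-in for the lab CA root.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=LAB-CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
    # The CSR for the same key, as CUCM's "Generate CSR" would produce.
    openssl req -new -key "$WORK/tomcat.key" -out "$WORK/tomcat.csr" \
        -subj "/CN=$CN" 2>/dev/null
    # Two "templates": the stock Web Server one (serverAuth only) and the
    # duplicated one from the video (clientAuth, nonrepudiation, user data).
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/webserver.ext"
    printf 'keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' \
        > "$WORK/training.ext"
    for t in webserver training; do
        openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 365 -sha256 -extfile "$WORK/$t.ext" \
            -out "$WORK/tomcat-$t.pem" 2>/dev/null
    done
    ORIG=$WORK/tomcat-self.pem; BAD=$WORK/tomcat-webserver.pem; GOOD=$WORK/tomcat-training.pem
}

make_samples
echo "--- issued from the stock Web Server template:"
check_cert "$ORIG" "$BAD" || echo "=> do not upload; fix the template first"
echo "--- issued from the duplicated template:"
check_cert "$ORIG" "$GOOD" && echo "=> usages match, safe to upload"
```

The first comparison reports the missing Data Encipherment and TLS Web Client Authentication values, which is exactly the mismatch the video's template edits (Allow encryption of user data, Client Authentication) exist to prevent; the second passes even though the issued certificate also carries Non Repudiation, because the check only requires that nothing the original had is lost. The IPSec certificate's "IP security end system" usage mentioned in the video would show up as a MISSING line in the same way if a Tomcat-style template were used for it.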
Info
Channel: Cisco Community
Views: 48,588
Keywords: Self-signed Certificate
Id: FIqh3rSIUmA
Length: 14min 0sec (840 seconds)
Published: Sun Dec 06 2015