Certificate

The Certificate panel lets you choose how to supply the X.509 certificate that Meeting Server requires, and provides a guided process for creating a new certificate request. The Installation Assistant supports both certificates signed by a Certificate Authority and self-signed certificates. The panel automatically adapts the options shown based on whether you select CA signed or self-signed certificates.

Note: Self-signed certificates are not supported for all functionality. They are a security risk and are not recommended.

The recommended path is to use an X.509 certificate signed by a Certificate Authority trusted by your organization. The Certificate Authority can be an internal or public certificate authority. For more details on how Meeting Server uses certificates and their requirements, please refer to the Cisco Meeting Server, Certificate Guidelines Single Combined Server Deployments Guide.

CA Signed Certificate

When the CA Signed Certificate method is selected, there are two available paths:

  • New Certificate via CSR – The Installation Assistant will guide you through creating a certificate signing request to supply to your Certificate Authority, which in turn will supply you with a signed certificate.
  • Supply an existing certificate and key – Upload an existing certificate and key pair that you have prepared outside the Installation Assistant.

New certificate via CSR

This option guides you through creating a new certificate by creating a Certificate Signing Request (CSR) to provide to your Certificate Authority.

Completing this process requires:

  1. Providing details for the certificate in the Installation Assistant and downloading the resulting CSR file.
  2. Supplying the CSR to your Certificate Authority, which will return a signed certificate. You will also need the chain of public certificates that represents the Certificate Authority, which the Certificate Authority will provide.
  3. Uploading the resulting files to the Installation Assistant, which will handle configuring Meeting Server with the supplied files.

Note: You are free to close the Installation Assistant tool after downloading your CSR. Once you have obtained the signed certificate from the Certificate Authority, navigate to the Partial Configured Meeting Server tab on the Servers page and click Resume to return to the Certificate panel to complete the certificate upload process (see step 4 below).

Steps for creating a new certificate request (CSR):

  1. In the Certificate Panel, select Certificate Type as CA Signed.
  2. In the Certificate Upload Options, select New Certificate via CSR.
  3. Complete the fields with the details to use for your Meeting Server. The fields are described below. When complete, click the Next button to return to the certificate panel. The Next button is only enabled after you have entered all the required details.
  4. Note: If there is an existing generated certificate and you click Regenerate CSR, the existing file will be overwritten with the new details, as Installation Assistant does not allow multiple CSR files to be generated.

    Table 13: Fields required for a Certificate Signing Request

    | Field Name | Description | Values |
    |------------|-------------|--------|
    | FQDN for Meeting Server | It is the CN value for your certificate and must be defined in the DNS server. | Enter the FQDN of the server. |
    | SIP domain for Meeting Server | It is recommended to use a sub-domain. | Enter the SIP domain of the server to align with the routing rules. |

  5. The completed CSR will be shown in the Certificate Panel. Click Download CSR to save the resulting CSR to a file on your local drive.
  6. Give the CSR to your Certificate Authority to be signed. They will return a signed certificate file. You will also need the certificate chain bundle for that Certificate Authority.
  7. Once you have your signed certificate and certificate chain files, return to the Certificate Panel if necessary and select Upload Files to upload the Certificate/Bundle. Two fields are shown to specify the certificate and CA certificate chain. Use the Select File link to locate the specific file on your local computer. The certificate files must have one of the following extensions (CER, CRT, PEM, DER) and must be encoded as PEM or DER.
  8. Once both files are specified, click the Next button and the files will be sent to the Installation Assistant and validated.
  9. If successful, the Certificate panel will be marked as complete in the wizard and you will be navigated to the Network panel.

Error Scenarios

An error message is displayed and the Next button is disabled in case of the following scenarios:

  • If the upload fails due to a server/technical issue.
    Solution: You must re-upload the certificate files.
  • If the given certificate is incorrect.
    Solution: You have to select and upload the correct certificate and CA certificate chain.
  • If the certificate fails to upload.
    Solution: Re-upload the certificate with the correct FQDN/SIP domain or correct key usage.
  • If the certificate chain fails to upload.
    Solution: Re-upload the certificate chain with the correct FQDN/SIP domain or correct key usage.

Use Existing Certificate and Key

Installation Assistant provides you with an option to utilize an existing private key and signed certificate for the Meeting Server, rather than generate a CSR via the tool. This is done by using the option Supply an existing certificate and key.

You are required to provide the certificate, private key, and CA certificate chain. The certificate files must have one of the following extensions (CER, CRT, PEM, DER) and must be encoded as PEM or DER.

Steps for using an existing certificate:

  1. In the Certificate Panel, select Certificate Type as CA Signed.
  2. In the Certificate Upload Options, select Supply an existing certificate and key.
  3. Five fields are shown for specifying the FQDN for Meeting Server, SIP domain for Meeting Server, Private key, CA certificate chain, and Certificate. Use the Select File link to locate the specific file on your local computer. The certificate files must have one of the following extensions (CER, CRT, PEM, DER) and must be encoded as PEM or DER.
  4. Once all five fields are specified, the Next button is enabled. Click Next and the files will be sent to the Installation Assistant and validated.

If successful, the Certificate panel will be marked as complete in the wizard and you will be navigated to the Network panel.

Error Scenarios

An error message is displayed and the Next button is disabled in case of the following scenarios:

  • If the upload fails due to a server/technical issue.
    Solution: You must re-upload the certificate files.
  • If the given certificate is incorrect, the Upload button is disabled.
    Solution: You have to select and upload the correct certificate and CA certificate chain.
  • If the provided FQDN is incorrect.
    Solution: You must enter a valid FQDN.
  • If the provided SIP domain is incorrect.
    Solution: You must enter a valid SIP domain.
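
Most of the upload errors listed for the two CA-signed paths (new certificate via CSR, and supplying an existing certificate and key) can be caught locally before the files are uploaded. The following script is an added example, not part of the Installation Assistant or of Cisco's documentation. It assumes the openssl command-line tool is installed and that the CA certificate chain file includes the root certificate; the function names and return codes are the example's own.

```shell
#!/bin/sh
# Added example: offline checks on certificate files before upload.
# Function names and return codes are this example's own, not Cisco's.

# Write a PEM copy of a certificate file that may be PEM or DER encoded.
to_pem() {  # to_pem <in> <out>
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"   # already PEM; keeps every certificate in a bundle
    else
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
    fi
}

# Print the public key held by a private key file or, failing that, a CSR.
pubkey_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null ||
        openssl req -in "$1" -noout -pubkey 2>/dev/null
}

# run_checks <tmpdir> <cert> <chain> <fqdn> <private-key-or-csr>
run_checks() {
    to_pem "$2" "$1/cert.pem" && to_pem "$3" "$1/chain.pem" || return 1
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey) || return 1
    # The certificate must carry the same public key as the key or CSR.
    [ "$cert_pub" = "$(pubkey_of "$5")" ] || return 2
    # The FQDN must match the certificate (SAN, or CN when no SAN exists).
    openssl x509 -in "$1/cert.pem" -noout -checkhost "$4" |
        grep -q 'does match' || return 3
    # The certificate must chain to the bundle (assumed to include the root).
    openssl verify -CAfile "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1 ||
        return 4
}

# preflight <cert> <chain> <fqdn> <private-key-or-csr>
# Returns 0 = all checks pass, 1 = unreadable certificate or chain,
# 2 = key/CSR mismatch, 3 = FQDN mismatch, 4 = chain does not verify.
preflight() {
    tmp=$(mktemp -d) || return 1
    rc=0
    run_checks "$tmp" "$@" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run the checks only when the script is given its four arguments.
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

Pass the private key as the fourth argument for the existing-certificate path, or the downloaded CSR for the CSR path.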

Self Signed Certificate

Self-signed certificates are certificates that are signed by the local entity. There is no governing authority validating the certificate. Self-signed certificates are valid but are not recommended, because nothing independently vouches for the identity they assert. For more information on how Meeting Server uses certificates and their requirements, please refer to the Cisco Meeting Server Certificate Guidelines.

Note: Self-signed certificate details are not stored by the tool, so it is recommended that you complete the configuration in one go.

Note: If you are using self-signed certificates to configure the Meeting Server, ensure that the Meeting Server time is the current time. If the Meeting Server time is not in sync with the actual time, then an error is displayed. You must set the time correctly by using the date MMP command. The default system time is in UTC.

Steps for using a self-signed certificate:

  1. In the Certificate panel, select Self signed.
  2. Enter the FQDN for Meeting Server.
  3. Enter the SIP domain for Meeting Server to align with the routing rules.
  4. The Next button is only enabled after you have entered all the required details. Click Next and the files will be sent to the Installation Assistant and validated.
  5. If successful, the Certificate panel will be marked as complete in the wizard and you will be navigated to the Network panel.

Error Scenarios

An error message is displayed and the Next button is disabled in case of the following scenarios:

  • If the provided FQDN is incorrect.
    Solution: You must enter a valid FQDN.

  • If the provided SIP domain is incorrect.
    Solution: You must enter a valid SIP domain.