
Jabber and Public CA-signed Certificates (Part 1 of 3)

Dishko Hristov, UC Collaboration Architect
November 14, 2017

Cisco Jabber gives you and your team the freedom to be productive from anywhere, on any device. Jabber lets you access presence, instant messaging (IM), voice, video, voice messaging, desktop sharing, and conferencing instantly.

But Jabber can also be challenging. This article is the first of a three-part series that will take you through the certificate process for Jabber.

Why CA-Signed Certificates?

Cisco Jabber requires the use of certificate validation in order to establish secure connections with servers. Since Jabber is installed on multiple platforms, including Android and iPhone, CA-Signed certificates are required on all Cisco UC servers.

Why not Wildcard Certificates?

Some companies may want to supply their own private key to the signing CA independently from CUCM, or may request a wildcard cert. However, CUCM does not support the upload of a cert for which the server itself has not generated the private key (or that the hostname does not match in the case of *

RHEL already supplies the means to do such an import, but Cisco has not exposed it in the APIs or the Unified CM web pages. There were requests for Cisco to devise a way for customers to generate wildcard certificates; however, Cisco did not approve such enhancements. CUCM 10.5 introduces a multi-server certificate feature, so one certificate can be used for the whole UCM cluster (for more information please read Bug # CSCta14114).

CA-Signed Certificates requirement for Jabber

  •  Cisco Unified IM&Presence: HTTP (Tomcat - part of CUCM Multi-SAN), CUP-XMPP
  •  Cisco Unified Communications Manager: HTTP (Tomcat)
  •  Cisco Unity Connection: HTTP (Tomcat)
  •  Expressway Core and Edge: HTTP (Tomcat)*

*Expressway certificates are required for Jabber MRA (Mobile and Remote Access).

Verify if a Certificate is Self-Signed or CA-Signed

The first step is to verify the type of certificates running on your server, in case you are not certain.

  •  Navigate to Cisco Unified OS Administration.
  •  Choose Security > Certificate Management.
  •  Look for the tomcat certificates or, in the case of an IM&P server, the cup-xmpp certificates.
  •  Verify the “Type” (it must be CA-signed, not Self-signed), and that “Issued By” is the name of a trusted CA.

In our next post (Part 2 of 3), we will cover the details on how to CA-sign new certificates or renew your existing CA-signed certificates.

Validating your CUCM Server list and UC services

If, after signing all required certificates and uploading them to the UC servers, you still receive a Certificate Warning during the initial Jabber start-up, you need to verify a few configuration parameters.

First, make sure that in the CUCM CM Administration – System – Server list, all your server nodes are defined with their Fully Qualified Domain Name (FQDN) and not with their IP address or hostname. An IP or hostname entry is one of the reasons for Cisco Jabber to trigger the security warning. If you are changing this field from IP to FQDN, schedule a maintenance window prior to the change and verify that all your phones have a DNS server configured; otherwise they will not be able to register back to CUCM.

The second place to verify, if you are using FQDNs instead of IPs or hostnames, is the target of all UC services (User Management – User Settings – UC Service).
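The two checks above, the “Type” column in Certificate Management and the FQDN-versus-IP rule for the Server list, can be reproduced in code. This is an added Go example, not part of the original article or of any Cisco tool; the certificates, the names cucm1.example.com and Example Corp CA, and the address 10.10.10.5 are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds an in-memory test certificate (constructed here; not a real UC server cert).
// With parent == nil it signs itself, mimicking CUCM's default Self-signed Tomcat certificate.
func mkCert(cn string, sans []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Classify mirrors the "Type" column in Certificate Management: issuer equal to subject and a
// signature that verifies under the certificate's own public key means Self-signed.
func Classify(c *x509.Certificate) string {
	if c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return "Self-signed"
	}
	return "CA-signed"
}

// MatchesServerEntry asks what Jabber asks: does the name taken from the CUCM System > Server
// list appear in the certificate's SAN? An IP address or a short hostname never does.
func MatchesServerEntry(c *x509.Certificate, entry string) bool {
	return c.VerifyHostname(entry) == nil
}
```

Against a CA-signed Tomcat cert whose SAN holds only cucm1.example.com, MatchesServerEntry returns true for the FQDN and false for both "cucm1" and "10.10.10.5", which is exactly the mismatch that produces the Jabber certificate warning.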

If you are interested in learning more about Cisco Jabber or require assistance within your organization please contact our Professional Services Team.

Please be sure to check out: 

Part 2 “Jabber and Public CA-signed Certificates”, on how to renew your CA-signed certificates for Cisco Unified Communication Manager, Cisco Unified Communication IM and Presence and Cisco Unity Connection

Part 3 “Jabber and Public CA-signed Certificates” on how to renew your CA-signed certificates for Cisco Expressway
