Multi san callmanger certificate private key distribution

RITT · ‎04-18-2024

Hello,

Apologies for how late this question is! I have read that it is possible to generate a multi san certificate for the call manager service. Each subscriber in the cluster then uses the same certificate for call manager service.

If I generate a CSR on one of the servers in the cluster. Have that signed by a CA. Install signed cert back on server. My understanding is that signed multi san will automatically be copied to other servers in the cluster.

My question is how is the associated private key distributed to each server? This would need to be secure, I can't find any mention of this in the documentation. Many thanks for any responses.

b.winter · ‎04-18-2024

The Callmanagers distribute the key to each other. There is not option or process to interfere with it.

RITT · ‎04-18-2024

@b.winter thanks for your reply. I imagine the private key distribution is done securely. Is the new call manager certificate used to secure the connection? If not which vet is used for private key distribution?

b.winter · ‎04-18-2024

I hope, the key is distributed securely, but honestly I don't exactly know how this is done technically.
But I don't think, the new cert is used for that. The key is probably already transferred, before you upload the new cert.

My guess: The nodes were already authenticated during installation, when you add new nodes to the cluster, and then using such secure "channels" to exchange such sensitive information.

But if you wanna know exactly, I think you need to ask TAC.

Roger Kallberg · ‎04-18-2024

To be clear just as for @b.winter I don't know how this is done, but if I would venture on a guess I would think that the TVS, Trust Verification Service, could have a hand in this. But as said just an educated guess.

RITT · ‎04-18-2024

@b.winter thanks for this. I will ask TAC. If they are happy I will share on here. Regards.

Nithin Eluvathingal · ‎04-18-2024

If you generate the CSR on one server, you can download the same CSR from another server. Similarly, the private key will also be accessible on the other servers.

Once you upload the multi-SAN certificates, they will be propagated to other nodes in the cluster. This is because all these servers belong to the same cluster.

Unlike others, I’m not familiar with the underlying process that CUCM uses for private key transfer. What I do know is that when you take a backup, it also copies the private key, which is encrypted. I assume the transfer will be secured.

Since all the servers are part of the same cluster, you don’t need to concern yourself with the underlying process of transferring the private key. Perhaps Cisco TAC or BU can provide a more precise answer.

RITT · ‎04-18-2024

@Nithin Eluvathingal

thank you for your reply. Not surprised that the private key is itself encrypted. Now I am wondering which key is used to achieve this. It has to be available to each server in the cluster. Cisco manufacturing perhaps? Do you know of any CLI commands that show the key encryption key details? As you suggest TAC or BU seems to be the way to go for these sorts of questions. Really appreciate everyone taking the time to comment.

Roger Kallberg · ‎04-18-2024

There is no CLI command to see any details about the private key. You need to have root access to the Linux OS for that and that is limited to TAC to get that, at least officially and what is within what is supported by Cisco.

b.winter · ‎04-18-2024

Out of curiosity: Why are you asking those questions?
Might sounds stupid, but I don't think this is a "valuable" information. I would also say, it's a useless information. It's no information you need have, to manage the system. It works as it works.
The OS is so stripped down, so you don't have access to such sensitive data anyway. So, you won't have access to the keys anyways.
We (CUCM admins) either have access to all those information through Web or CLI, and if not, there is a reason, why we don't have.