For TLS calls you will need a proper certificate trust in each direction calls will flow. If you are supporting inbound and outbound calls, then you will need certificate trusts in both directions.
The setup is different for Premise Edges (BYOC Premise) and Cloud Edges (BYOC Cloud). These instructions are specific to BYOC Premise.
When a secure call is initialized the source (client) will attempt to establish a TLS session with the remote endpoint (server). For each call only the server's certificate will be used, unless you are using mutual TLS (i do not think that is your intention).
For outbound calls out of Genesys Cloud, the Cisco CUBE certificate will be used - you can import the remote certificates into Genesys Cloud with the Certificate Authorities section. Instructions are here:
https://help.mypurecloud.com/articles/certificate-authorities/ The imported certificate will be called "Remote" certiifcates.
For inbound calls into Genesys Cloud, the Genesys Cloud certificate will be used - you will need to import a certificate onto the Cisco CUBE to trust the certificate the Edge will use. You can download the "Managed" certificate from the same Certificate Authorities page.
In both cases, you also need to make sure that the entire certificate chain is obtained by the client. In most cases you will only need to import the top level Root Certificate Authority (CA) certificate. However, that requires that each server transmits the server certificate AND any intermediate certificates during the Server Hello/Certificates portion of the TLS handshake. If either server only transmits the server certificate, you can either update the server to send the intermediate certificate as well - or have the client trust the intermediate certificates as well.
Please let me know if you have any additional questions,
------------------------------
Phil Whitener
Genesys - Employees
------------------------------
Original Message:
Sent: 09-24-2020 02:53
From: Vaun McCarthy
Subject: Cisco CUBE and TLS cert?
HI guys
Can anybody help clear up some confusion we have between our Genesys resource and Cisco guys?
We are deploying on-premise Edges to on-premise Cisco CUBEs. The trunks between those need to be TLS. The confusion is over what needs to be done for the cert side of this.
Genesys are telling me we can either export the Genesys cert for the Cisco guys to import into their CUBEs. But the Cisco guys are telling me there should be a certificate imported on both sides, as well as talking about getting a signed CA cert onto the CUBES and then import the Genesys provided cert. The question is also whether a self-signed CUBE cert will be ok.
There must be some of us here that have some Cisco/CUBE knowledge and have gone through this before, so can someone help me clear this up - being the man in the middle at the moment?
Thanks
#ArchitectureandDesign
#Telephony
------------------------------
Vaun McCarthy
NTT New Zealand Limited
------------------------------