Uploading Certificate for SIP Trunk Security Profile

Configure SIP trunk for recording encrypted calls

Starting with Cisco Unified Communications Manager 8.0, the RTP forking-based recording interface supports the recording of encrypted calls. Enabling this option requires several configuration tasks. Follow the instructions below to configure the Cisco Unified Communications Manager and the Verba Recording System.

Prerequisite

A certificate is required for the secure SIP connection between the Verba servers and the Call Managers. The certificate must have an exportable private key, and the signature / hash algorithm of the certificate can’t be higher than SHA256 (SHA512 isn’t supported by the Call Manager). It doesn’t have to be a publicly signed certificate; it can be generated by the local domain CA. There are no specific requirements for the certificate subject or SAN.

The certificate used for the secure SIP connection must also be added to the certificate store of the Verba Recording Server where the secure SIP connection will terminate. When importing it, the private key has to be left exportable.
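One way to check the signature-hash prerequisite above on the exported certificate file before uploading it, as an added example that is not part of the original Verba or Cisco documentation. It assumes the `openssl` command-line tool is available; the function names, the host name `verba-rs01.example.test` and the sample certificates are constructed for illustration.

```bash
# Added example: pre-upload check of an exported certificate file (PEM or DER).
# Rule taken from the page: the signature hash must not be higher than SHA256.

# Print the certificate's signature algorithm in lower case.
cert_sig_alg() {
    local cert="$1" form
    for form in PEM DER; do
        if openssl x509 -in "$cert" -inform "$form" -noout 2>/dev/null; then
            openssl x509 -in "$cert" -inform "$form" -noout -text |
                awk -F': ' '/Signature Algorithm/ {print tolower($2); exit}'
            return 0
        fi
    done
    return 1
}

# Return 0 = acceptable, 1 = hash higher than SHA256, 2 = unreadable or unknown.
check_cucm_cert() {
    local alg
    alg=$(cert_sig_alg "$1") || { echo "$1: not a readable X.509 certificate"; return 2; }
    case "$alg" in
        *sha384*|*sha512*) echo "$1: REJECT ($alg is higher than SHA256)"; return 1 ;;
        *sha1*|*sha224*|*sha256*) echo "$1: OK ($alg)"; return 0 ;;
        *) echo "$1: UNKNOWN signature algorithm ($alg)"; return 2 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate for a
# hypothetical host name, signed with the digest given in $1 (sha256, sha512).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -"$1" \
        -subj "/CN=verba-rs01.example.test" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates: one acceptable, one signed with SHA512.
demo() {
    local dir
    dir=$(mktemp -d)
    make_sample_cert sha256 "$dir/ok.pem"
    make_sample_cert sha512 "$dir/too-strong.pem"
    check_cucm_cert "$dir/ok.pem"
    check_cucm_cert "$dir/too-strong.pem" || true
    rm -rf "$dir"
}

# With a file argument, check that file; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then check_cucm_cert "$1"; else demo; fi
```

Run it with the path of the exported certificate as the only argument; a non-zero exit status means the file should not be uploaded as it is.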

Upload the Recording Server certificate to the CUCM

Step 1 - Log in to the Cisco Unified OS Administration interface.

Step 2 - Select the Security / Certificate Management menu.

Step 3 - Click on the Upload Certificate button.

Step 4 - Select the CallManager-trust certificate.

Step 5 - Enter an optional description.

Step 6 - Click the Upload File button, and select the previously exported certificate.

Step 7 - After a successful upload, the new certificate should appear in the list with a name containing the hostname of the Verba Recording Server.

If you have multiple nodes (publisher + subscribers) in your cluster, you must install the recorder's certificate on each node.