Microsoft documentation points to using the Web Server (default) certificate template for the frontend pool. This WILL NOT WORK when configuring a trusted SIP trunk to CMS.
This is poorly documented by both Microsoft and Cisco, but the trick is to use a template that contains Client Authentication in addition to Server Authentication as Extended Key Usage (Application Policy in Microsoft CA).
The lack of Client Authentication in the certificate will show in the CMS log as handshake error 336105606.
Just noticed after an upgrade from UCCX 10.6 to 11.6 that IE11 settings can become troublesome.
Login and call-handling actually worked as expected, but it was impossible to load CUIC-based gadgets.
- Document mode must be set to Edge.
- Compatibility mode must be set to Off.
- If Enterprise Mode is running, the URL(s) should be set to apply Desktop profile.
- Also, if running Chrome instead, remember that recent versions require the CN to be included as a SAN as well in the certificate to avoid warnings.
When signing CUCM certificates using a Microsoft CA, not all extensions that are present in the self-signed certificate will be available.
Create the template as a duplicate of Web Server. Under Application Policy, add Client Authentication and IP security end system (in addition to Server Authentication). Under Key Usage Extension, make sure that Digital Signature, Allow key exchange only with key encryption and Allow encryption of user data are selected.
Issue the certificate using the newly defined template.
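A quick way to confirm that an issued certificate actually carries what the two certificate notes above ask for (Client Authentication next to Server Authentication for the CMS trunk; Client Authentication, IP security end system and the three Key Usage bits for CUCM) is to look at the raw extension values rather than trusting the template name. The Python below is an added example, not Cisco or Microsoft tooling and not code from the original notes: it is a minimal DER decoder for the Extended Key Usage and Key Usage extension values, with constructed sample bytes standing in for what you would pull out of a real certificate (the MMC labels "Allow key exchange only with key encryption" and "Allow encryption of user data" correspond to the keyEncipherment and dataEncipherment bits).

```python
"""Check EKU and KeyUsage extension values against the template requirements
described in the notes above. Hypothetical helper code; the sample extension
bytes at the bottom are constructed for the demonstration."""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # Server Authentication
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # Client Authentication
OID_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"  # IP security end system

# RFC 5280 KeyUsage bit positions; bit 0 is the MSB of the first payload byte.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,   # MMC: "Allow key exchange only with key encryption"
    "dataEncipherment": 3,  # MMC: "Allow encryption of user data"
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return bytes([0x06, len(body)]) + body


def der_sequence(*elements):
    """Wrap DER elements in a SEQUENCE (short-form length, enough for these samples)."""
    body = b"".join(elements)
    return bytes([0x30, len(body)]) + body


def parse_eku(ext_value):
    """Return the list of dotted OIDs in an ExtKeyUsage extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, raw, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(decode_oid(raw))
    return oids


def parse_key_usage(ext_value):
    """Return the set of named KeyUsage bits set in a KeyUsage extension value."""
    tag, bits, _ = _read_tlv(ext_value, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage extension value must be a BIT STRING")
    unused, payload = bits[0], bits[1:]
    total = len(payload) * 8 - unused
    return {name for name, idx in KEY_USAGE_BITS.items()
            if idx < total and payload[idx // 8] & (0x80 >> (idx % 8))}


def check_cms_trunk_eku(eku_value):
    """True when both serverAuth and clientAuth are present (the CMS trunk requirement)."""
    return {OID_SERVER_AUTH, OID_CLIENT_AUTH} <= set(parse_eku(eku_value))


def missing_cucm_requirements(eku_value, ku_value):
    """List the settings from the CUCM template note that these extensions lack."""
    eku, ku, missing = set(parse_eku(eku_value)), parse_key_usage(ku_value), []
    for label, oid in (("Server Authentication", OID_SERVER_AUTH),
                       ("Client Authentication", OID_CLIENT_AUTH),
                       ("IP security end system", OID_IPSEC_END_SYSTEM)):
        if oid not in eku:
            missing.append(label)
    for name in ("digitalSignature", "keyEncipherment", "dataEncipherment"):
        if name not in ku:
            missing.append(name)
    return missing


# Constructed samples: the stock Web Server template (serverAuth only) versus the
# duplicated template with all three application policies and all three KU bits.
EKU_WEBSERVER_TEMPLATE = der_sequence(encode_oid(OID_SERVER_AUTH))
EKU_FULL = der_sequence(encode_oid(OID_SERVER_AUTH), encode_oid(OID_CLIENT_AUTH),
                        encode_oid(OID_IPSEC_END_SYSTEM))
KU_SIG_ONLY = bytes([0x03, 0x02, 0x07, 0x80])  # 7 unused bits, digitalSignature only
KU_FULL = bytes([0x03, 0x02, 0x04, 0xB0])      # digitalSignature|keyEncipherment|dataEncipherment

if __name__ == "__main__":
    print("CMS trunk OK with Web Server template:", check_cms_trunk_eku(EKU_WEBSERVER_TEMPLATE))
    print("CMS trunk OK with duplicated template:", check_cms_trunk_eku(EKU_FULL))
    print("CUCM missing (Web Server):", missing_cucm_requirements(EKU_WEBSERVER_TEMPLATE, KU_SIG_ONLY))
    print("CUCM missing (duplicate):", missing_cucm_requirements(EKU_FULL, KU_FULL))
```

To use it against a real certificate, feed `parse_eku` and `parse_key_usage` the raw value bytes of the 2.5.29.37 and 2.5.29.15 extensions (the contents of the OCTET STRING, not the whole extension) from whatever X.509 parser you have at hand; the functions only ever see those value bytes, which is why the samples above are built directly at that level.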