Refer to the exhibit. An administrator configures a secure SIP trunk on Cisco UCM. Which value is needed in the Secure Certificate Subject or Subject Alternate Name field to accomplish this task?
A. the common name of the remote device certificates
B. the fully qualified domain name of all Cisco UCM nodes that run the CallManager service
C. the common name of the Cisco UCM CallManager certificate
D. the fully qualified domain name of the remote device that is configured on the SIP trunk
I think this is A. Yes, CN is often the same as FQDN, but not always. A is the better answer. This field refers to the certificate of the remote end, not the local CUCM, so B & C are incorrect.
Correct answer is A.
It is useless to specify the FQDN if it is not explicitly stated in the CN of the peer's certificate. If you put the FQDN, the CUCM will check if the FQDN is in the peer's certificate. If the FQDN is not in the CN, the CUCM will reject transactions with the peer.
You need to put there what is specified in the CN of the peer's certificate, be it the FQDN, the domain, the hostname, the IP address, etc. Common Name (CN) is not synonym of FQDN.
For example, if you do a TLS connection with an Expressway, you use the subject name or a subject alternate name provided by the Expressway in its certificate. For Expressway clusters, ensure that this list includes all of the names contained within all of the peers' certificates. To specify multiple X.509 names, separate each name by a space, comma, semicolon or colon.
So, the correct answer is A.
Reference: "Preferred Architecture for Cisco Collaboration 12.x Enterprise On-Premises Deployments", Chapter 7: Security, in the section "SIP Trunk Encryption", you can read what exactly the X.509 Subject Name is, that is "The common name (CN) of the remote party.", and some examples.
As per Copilot:
For configuring a secure SIP trunk on Cisco Unified Communications Manager (UCM), the correct value needed in the Secure Certificate Subject or Subject Alternate Name field is:
D. the fully qualified domain name of the remote device that is configured on the SIP trunk.
This ensures that the certificate matches the domain name of the remote device, which is essential for establishing a secure TLS connection.
In the reference you provided, you are talking about a CUC certificate, which does match the FQDN, but the question does not tell you what is on the other side, whether it is a UNITY, an IM&T, a CUBE, a Gateway, an Expressway-C, or a cluster, or an Oracle SBC, etc. FQDN is not the same as CN.
If the question said that the remote device is a CUC, D would be correct. But assuming that it is the FQDN of a remote device that we do not know, the first thing we have to see is the CN and in this case it is precisely the one that is not used, therefore it is A.
It is recommended that if you are going to cite a source, it is valued. But please, interpret and read the source correctly before advertising it.
If the FQDN that is configured on the SIP trunk is not present in the certificate, the TLS connection fails.
You gotta use an FQDN that exists on the remote device's certificate, that's how certificate validation works.
From https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1_SU3/cucm_b_security-guide-1151su3/cucm_b_security-guide-1151su3_chapter_011000.html, you can read the explanation of the "Secure Certificate Subject or Subject Alternate Name" field of the SIP Trunk Security Profile Settings.
It looks like the answer is C.
It's always the CN of the remote certificate. CN can be the FQDN or hostname or a MAC in case of analogue gateways. E.g., the CN is configured at the trustpoint configuration (Cisco IOS).
Have a look at this link (https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200180-Configure-SIP-TLS-Trunk-on-the-Communica.html), Section: Step 8. Create SIP Trunk Security Profiles. Here you can see that it is the CN of the remote host/devices. In the screenshots below you can see that a CN is not always an FQDN. In this example it is CUCM10.
If you have a Unified Communications Manager cluster or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts, which results in multiple Secure Certificate Subject or Subject Alternate Names for the trunks.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_011000.html
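To make the point of this thread concrete (a configured name is useful only if it actually appears in the peer's certificate, several names can be listed with space/comma/semicolon/colon separators, and a cluster or SRV peer needs every host covered), here is a small added model of the field's matching, written for this page and not taken from Cisco or from any poster. The exact-match rule, the sample certificates and the device names are constructed assumptions, not CUCM's internal logic.

```python
"""Simplified model of how the CUCM 'Secure Certificate Subject or Subject
Alternate Name' field is matched against a peer certificate.
Assumption (not Cisco code): a configured name is accepted when it appears
verbatim (case-insensitively) in the peer certificate's CN or SAN list.
"""
import re

# Cisco documents space, comma, semicolon and colon as the separators.
_SEPARATORS = re.compile(r"[ ,;:]+")


def parse_subject_names(field_value: str) -> list[str]:
    """Split the configured field value into individual X.509 names."""
    return [n for n in _SEPARATORS.split(field_value.strip()) if n]


def cert_names(peer_cert: dict) -> set[str]:
    """All names a peer certificate presents: its CN plus every SAN entry."""
    names = {peer_cert["cn"]} | set(peer_cert.get("san", []))
    return {n.lower() for n in names}


def trunk_accepts_peer(field_value: str, peer_cert: dict) -> bool:
    """True when at least one configured name is present in the peer's certificate."""
    wanted = {n.lower() for n in parse_subject_names(field_value)}
    return bool(wanted & cert_names(peer_cert))


def cluster_fully_covered(field_value: str, certs: list[dict]) -> bool:
    """For a cluster or SRV peer, every host the trunk may reach must match."""
    return all(trunk_accepts_peer(field_value, c) for c in certs)


# Constructed sample certificates (illustrative only, not real devices).
CUBE_CERT = {"cn": "cube1", "san": []}                  # CN is a bare hostname, not an FQDN
ANALOG_GW_CERT = {"cn": "001a2b3c4d5e", "san": []}       # CN is a MAC address
EXPC_CLUSTER_CERTS = [                                    # two-peer Expressway-C cluster
    {"cn": "expc1.example.com", "san": ["expc1.example.com", "expc-cluster.example.com"]},
    {"cn": "expc2.example.com", "san": ["expc2.example.com", "expc-cluster.example.com"]},
]

if __name__ == "__main__":
    # Configuring the FQDN of a device whose CN is only the hostname: rejected.
    print(trunk_accepts_peer("cube1.example.com", CUBE_CERT))   # False
    print(trunk_accepts_peer("cube1", CUBE_CERT))               # True
    # A single name covers only one cluster peer; list them all, or use a SAN common to both.
    print(cluster_fully_covered("expc1.example.com", EXPC_CLUSTER_CERTS))                     # False
    print(cluster_fully_covered("expc1.example.com, expc2.example.com", EXPC_CLUSTER_CERTS))  # True
```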
I couldn't find specific info on the Cisco site. As per other forums, Option B (the fully qualified domain name of all Cisco UCM nodes that run the CallManager service) is the right answer.
Community vote distribution: A (35%), C (25%), B (20%), Other