Work around for CUCM SSL cert warning message

I've got a customer site running 6.1(1), do not want to upgrade at this point to 6.1(2) to change hostname; and their DNS naming convention for CUCM is different than the host name. Therefore, when a ccmuser hits the main login page, they get the classic cert warning message that host name (IP address) does not match name in cert:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.

Continue to this website (not recommended).

More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.

When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

Can anyone offer a work-around given my parameters (that I don't want to upgrade to change hostname), such as changing the name in the certificate only and re-creating a new cert?

Any suggestions are appreciated.

THANKS!

htluo Sat, 04/04/2009 - 11:02

That's how SSL works. The address in the web browser has to match the common name in the certificate.

To work around that, you may generate a certificate with an alternative name using the "set web-security" command along with the "alternatehostname" argument.

Unfortunately, this option is only available on newer versions of CUCM.

In short, you have to upgrade anyway. Or you can just ignore the security warning on the web browser.

Thanks!

Michael

http://htluo.blogspot.com
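The name check described in this answer, as an added example that is not part of the original thread: it models a certificate as the dict Python's `ssl.SSLSocket.getpeercert()` returns and shows why a hostname-only certificate fails for a DNS alias or an IP address, while one carrying an alternate name passes for the alias. It goes slightly beyond the post by also handling wildcard and IP-type entries; the host names and the IP address are constructed placeholders.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive compare; a leading '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def cert_names(cert):
    """Split a getpeercert()-style dict into (DNS SANs, IP SANs, common names)."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def name_matches(cert, address):
    """True if the address typed into the browser is covered by the certificate."""
    dns, ips, cns = cert_names(cert)
    if _is_ip(address):
        # RFC 2818: an IP address in the URL must match an IP-type SAN entry.
        wanted = ipaddress.ip_address(address)
        return any(ipaddress.ip_address(i) == wanted for i in ips)
    if dns:
        # When DNS SAN entries exist they are authoritative; the CN is not consulted.
        return any(_dns_match(d, address) for d in dns)
    # No DNS SAN: legacy fallback to the common name (current browsers skip this).
    return any(_dns_match(c, address) for c in cns)

# Constructed sample certificates (hypothetical names, not from the thread).
HOSTNAME_ONLY = {"subject": ((("commonName", "cucm-pub01"),),)}
WITH_ALT_NAME = {
    "subject": ((("commonName", "cucm-pub01"),),),
    "subjectAltName": (("DNS", "cucm-pub01"), ("DNS", "phones.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("hostname only", HOSTNAME_ONLY), ("alternate name", WITH_ALT_NAME)):
        for addr in ("cucm-pub01", "phones.example.com", "10.1.1.10"):
            print(f"{label:15} {addr:20} {'ok' if name_matches(cert, addr) else 'name mismatch'}")
```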

When doing a set web-security for the alternatehostname option, you will be able to generate a CSR with a second DNS entry for your alternate name. The problem then becomes finding a vendor which supports giving out SAN certificates. I think Verisign will, but they are expensive. Thawte doesn't give out SAN certificates. Did you ever get this resolved?

router.mou Thu, 05/28/2009 - 01:45

Hi Michael:

We have a similar issue. The only difference is that when we tried to get the CUCM cert validated by a 3rd party, it did not work.

Can you please provide detailed steps to do the 3rd party validation for the tomcat ssl cert?

We have done the procedure below:

1. change the host name & domain name

2. generate CSR

3. apply a SSL123 standard cert with a CA

4. upload the CA's root cert & the SSL123 cert.

5. reboot the server

However, we still see the alerting message, "cert not validate by trusted CA" etc...

Thanks

Mou Wei

htluo Thu, 05/28/2009 - 04:57

1) You need to upload CA certs to CUCM as "Tomcat-trust". If there is more than one CA in the cert chain (such as parent, grandparent, etc.), you need to upload each cert.

2) When uploading the SSL123 cert, you need to specify the "Root Certificate". This is the confusing part. You actually specify the parent certificate here. You may find the name in the CUCM cert list page (file name column).

Hope this helps.

Michael

skravens0929 Tue, 10/13/2009 - 05:37

Michael,

I am using CCM 4.1.3 and management wants to get rid of the security page for the CCMUSER page. In other words, they want the users to get right to the page without the warning. You seem pretty knowledgeable on the subject. Any ideas?

Thank you

matt22coll Wed, 06/09/2010 - 04:20

Hi Michael,

In this post you have stated that the "set web-security" and "alternatehostname" are only valid on newer versions of CUCM.

Do you know when this feature was introduced?

Regards

Matthew

William Bell Wed, 06/09/2010 - 04:44

The command "set web-security" has been around since 5.0.  There was a defect with the removal of keys that was resolved in 6.1.1b.  The "alternatehostname" parameter was introduced in CUCM 7.0(1).

HTH.

Regards,
Bill
