04-04-2009 06:10 AM - edited 03-15-2019 05:18 PM
I've got a customer site running 6.1(1), do not want to upgrade at this point to 6.1(2) to change hostname; and their DNS naming convention for CUCM is different than the host name. Therefore, when a ccmuser hits the main login page, they get the classic cert warning message that host name (IP address) does not match name in cert:
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.
For more information, see "Certificate Errors" in Internet Explorer Help.
Can anyone offer a work-around given my parameters (that I don't want to upgrade to change hostname), such as changing the name in the certificate only and re-creating a new cert?
Any suggestions are appreciated.
THANKS!
04-04-2009 11:02 AM
That's how SSL works. The address in the web browser has to match the common name in the certificate.
To work around that, you may generate a certificate with an alternative name using the "set web-security" command along with the "alternatehostname" argument.
Unfortunately, this option is only available on newer versions of CUCM.
In short, you have to upgrade anyway. Or you can just ignore the security warning on the web browser.
Thanks!
Michael
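Added example, not part of the original thread: a minimal Python sketch of the name check a browser applies to the certificate, showing why a DNS alias or IP address triggers the warning and why an alternate-name (SAN) entry clears it. The hostnames, the IP address and the certificate dicts are constructed for illustration; the common-name fallback follows the older RFC 2818 rule, whereas current browsers consult only SAN entries.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one certificate name with the typed host, label by label.
    A '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, address):
    """True if `address` (host part of the URL the user typed) is covered by
    `cert`, a dict laid out like ssl.SSLSocket.getpeercert() output."""
    san = cert.get("subjectAltName", ())
    if _is_ip(address):
        # An IP literal only matches an iPAddress SAN entry, never a DNS name.
        want = ipaddress.ip_address(address)
        return any(k == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == want
                   for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # Once dNSName entries exist, the common name is no longer consulted.
        return any(_dns_match(n, address) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, address) for cn in cns)

# Constructed sample: certificate issued under the server's own hostname only.
HOSTNAME_ONLY = {"subject": ((("commonName", "cucm-pub01.corp.example"),),)}
# Constructed sample: re-issued with the users' DNS alias as a second SAN entry.
WITH_ALT_NAME = {
    "subject": ((("commonName", "cucm-pub01.corp.example"),),),
    "subjectAltName": (("DNS", "cucm-pub01.corp.example"),
                       ("DNS", "phones.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("hostname only", HOSTNAME_ONLY), ("with alt name", WITH_ALT_NAME)):
        for addr in ("cucm-pub01.corp.example", "phones.example.com", "192.0.2.10"):
            print(f"{label:14} {addr:26} {'ok' if cert_matches(cert, addr) else 'WARNING'}")
```

Browsing by IP address still fails in both cases because neither constructed certificate carries an IP address SAN entry.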
04-05-2009 04:06 AM
Thanks Michael - never heard of the "set web-security" command/alternatehostname, but that is the type of command I was looking for.
With our cut-over two weeks away, I'll defer the upgrade. Thanks for the reply and great info.
Mike.
09-21-2009 11:36 AM
When doing a set web-security for the alternatehostname option, you will be able to generate a CSR with a second DNS entry for your alternate name. The problem then becomes finding a vendor which supports giving out SAN Certificates. I think Verisign will but they are expensive. Thawte doesn't give out SAN certificates. Did you ever get this resolved?
09-30-2009 06:11 PM
We changed the hostname of the CUCM.
05-28-2009 01:45 AM
Hi Michael:
We have a similar issue. The only difference is that when we tried to get the CUCM cert validated by a 3rd party, it did not work.
Can you please provide detailed steps to do the 3rd party validation for the Tomcat SSL cert?
We have done the procedure below:
1. Change the host name & domain name
2. Generate CSR
3. Apply for an SSL123 standard cert with a CA
4. Upload the CA's root cert & the SSL123 cert.
5. Reboot the server
However, we still see the alert message, "cert not validate by trusted CA" etc...
Thanks
Mou Wei
05-28-2009 04:57 AM
1) You need to upload CA certs to CUCM as "Tomcat-trust". If there is more than one CA in the cert chain (such as parent, grandparent, etc.), you need to upload each cert.
2) When uploading the SSL123 cert, you need to specify the "Root Certificate". This is the confusing part. You actually specify the parent certificate here. You may find the name in the CUCM cert list page (file name column).
Hope this helps.
Michael
06-02-2009 05:47 PM
Hi Michael:
Got it done. Thanks!
Mou Wei
10-13-2009 05:37 AM
Michael,
I am using CCM 4.1.3 and management wants to get rid of the security page for the CCMUSER page. In other words, they want the users to get right to the page without the warning. You seem pretty knowledgeable on the subject. Any ideas?
Thank you
06-09-2010 04:20 AM
Hi Michael,
In this post you have stated that the "set web-security" and "alternatehostname" are only valid on newer versions of CUCM.
Do you know when this feature was introduced?
Regards
Matthew
06-09-2010 04:44 AM
The command "set web-security" has been around since 5.0. There was a defect with the removal of keys that was resolved in 6.1.1b. The "alternatehostname" parameter was introduced in CUCM 7.0(1).
HTH.
Regards,
Bill
Please remember to rate helpful responses and identify