Work around for CUCM SSL cert warning message

mmertens
Level 1

I've got a customer site running 6.1(1), do not want to upgrade at this point to 6.1(2) to change hostname; and their DNS naming convention for CUCM is different than the host name. Therefore, when a ccmuser hits the main login page, they get the classic cert warning message that host name (IP address) does not match name in cert:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.

Continue to this website (not recommended).

More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.

When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

Can anyone offer a work-around given my parameters (that I don't want to upgrade to change hostname), such as changing the name in the certificate only and re-creating a new cert?

Any suggestions are appreciated.

THANKS!


htluo
Level 9

That's the way SSL works. The address in the web browser has to match the common name in the certificate.

To work around that, you may generate a certificate with an alternative name using the "set web-security" command along with the "alternatehostname" argument.

Unfortunately, this option is only available on newer versions of CUCM.

In short, you have to upgrade anyway. Or you can just ignore the security warning on the web browser.

Thanks!

Michael

http://htluo.blogspot.com
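The name check described in the answer above, as an added example that is not part of the original thread and is not Cisco code: it reports which of the addresses users type are covered by a certificate's common name or subject alternative names. The host name, DNS alias and IP address are constructed placeholders, and the certificate layout is assumed to be the dict that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]   # wildcard spans one label only
    return p == h

def name_covered(cert, host):
    """Is `host` (as typed in the URL) covered by `cert`?

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert().
    """
    ip = _as_ip(host)
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if kind == "DNS" and ip is None and _dns_match(value, host):
            return True
        if kind == "IP Address" and ip is not None and _as_ip(value) == ip:
            return True
    # RFC 2818: an IP in the URL must match an iPAddress SAN entry, and the
    # common name is consulted only when the cert has no dNSName SAN entry.
    if ip is not None or any(kind == "DNS" for kind, _ in san):
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)

def audit(cert, hosts):
    """Map every name users type to True (no mismatch) or False (warning)."""
    return {h: name_covered(cert, h) for h in hosts}

# Constructed sample data: host name, DNS alias and address are placeholders.
SUBJECT = ((("commonName", "cucm-pub01"),),)
CN_ONLY = {"subject": SUBJECT}
WITH_SAN = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "cucm-pub01"), ("DNS", "phones.example.com"))}
USER_URLS = ["cucm-pub01", "phones.example.com", "192.0.2.10"]

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        for host, ok in audit(cert, USER_URLS).items():
            print(f"{label:9} {host:20} {'ok' if ok else 'name mismatch'}")
```

This covers only the name-mismatch warning; the untrusted-issuer warning depends on the chain the browser trusts.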

Thanks Michael - never heard of the "set web-security" command/alternatehostname, but that is the type of command I was looking for.

With our cut-over two weeks away, I'll defer the upgrade. Thanks for the reply and great info.

Mike.

When doing a set web-security for the alternatehostname option, you will be able to generate a CSR with a second DNS entry for your alternate name. The problem then becomes finding a vendor which supports giving out SAN Certificates. I think Verisign will but they are expensive. Thawte doesn't give out SAN certificates. Did you ever get this resolved?

We changed the hostname of the CUCM.

Hi Michael:

We have a similar issue. The only difference is that when we tried to get the CUCM cert validated by a 3rd party, it did not work.

Can you please provide detailed steps to do the 3rd party validation for the tomcat SSL cert?

We have done the procedure below:

1. change the host name & domain name

2. generate CSR

3. apply a SSL123 standard cert with a CA

4. upload the CA's root cert & the SSL123 cert.

5. reboot the server

However, we still see the alerting message, "cert not validate by trusted CA" etc...

Thanks

Mou Wei

1) You need to upload CA certs to CUCM as "Tomcat-trust". If there is more than one CA in the cert chain (such as parent, grandparent, etc.), you need to upload each cert.

2) When uploading the SSL123 cert, you need to specify the "Root Certificate". This is the confusing part. You actually specify the parent certificate here. You may find the name in the CUCM cert list page (file name column).

Hope this helps.

Michael

Hi Michael:

Got it done. Thanks!

Mou Wei

Michael,

I am using CCM 4.1.3 and management wants to get rid of the security page for the CCMUSER page. In other words, they want the users to get right to the page without the warning. You seem pretty knowledgeable on the subject. Any ideas?

Thank you

Hi Michael,

In this post you have stated that the "set web-security" and "alternatehostname" are only valid on newer versions of CUCM.

Do you know when this feature was introduced?

Regards

Matthew

The command "set web-security" has been around since 5.0. There was a defect with the removal of keys that was resolved in 6.1.1b. The "alternatehostname" parameter was introduced in CUCM 7.0(1).

HTH.

Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
