Cisco WebEx on-premises SSL certificates best practices

Oct 13th, 2014
Hi Everyone,

Was just curious and looking to see if anyone has had experience with installing SSL certificates on Cisco WebEx on-premises and might be able to share some lessons learned? It would be interesting to know if a SAN cert was used or a wildcard certificate, and also how mobile users (Android, iPhone, etc.) were affected, if at all, and any "gotchas" with the cert installation. Any suggestions are appreciated!

Regards,

mbroberson1

dpetrovi (Cisco Employee) Tue, 10/14/2014 - 13:50

Hi, 

Your question is quite broad but I'll try to provide you with some guidance:

1. Wildcard SSL certs - all CWMS VM hostnames, the WebEx Site URL and the Admin Site URL must all belong to the same domain. The same wildcard cert that is installed on the Admin VM is pushed to all the VMs in a solution, so you can't have the WebEx Site URL on, for example, domain.com and have internal VMs on the domain.local domain.

2. SAN SSL certs can be used in situations where you have different domains being used for internal VMs versus the WebEx Site URL, as the cert itself includes Subject Alternative Names (SAN), which are all the FQDNs of the internal VMs, the Admin Site URL and the WebEx Site URL (the only FQDN not included is that of the IRP VM).

3. Self-signed SSL certs are generated by CWMS itself; however, in order for end devices to trust these SSL certs, each device connecting to the system will have to import and install the SSL cert and add it to the trusted zone. We've seen this really impacting external participants and mobile users (usually, self-signed SSL certs can be distributed to all the devices in the internal network, so this complication is avoided there).

If using a Wildcard or SAN cert from a Public CA, in most cases you will also get Intermediate SSL certs. Keep in mind that if that is the case, the SSL cert file that you are uploading to CWMS must be an SSL bundle that includes the SAN cert as well as the Intermediate certs.

Here are some examples of what the bundled file should look like:

A. Wildcard SSL cert from a CA that has Intermediate SSL certs (in this example the CSR for this SSL cert was generated on CWMS):

-----BEGIN CERTIFICATE-----
... content of wildcard SSL cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... content of Intermediate SSL cert ...
-----END CERTIFICATE-----

B. Wildcard SSL cert from a CA that has Intermediate SSL certs (in this example the CSR for this SSL cert was generated somewhere else and you don't have the Private Key stored on CWMS already):

-----BEGIN PRIVATE KEY-----
... content of the private key ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... content of wildcard SSL cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... content of Intermediate SSL cert ...
-----END CERTIFICATE-----

C. SAN SSL cert from a CA that has Intermediate SSL certs:

-----BEGIN CERTIFICATE-----
... content of SAN SSL cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... content of Intermediate SSL cert ...
-----END CERTIFICATE-----

Finally, here you can find the official documentation about the SSL certs: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_0/Administration_Guide/Administration_Guide_chapter_01111.html#concept_71CACA22EBB84FE58867C71B177AD752

I hope this will be of help.

-Dejan

kdotten36 Wed, 10/22/2014 - 12:55

I'm unfamiliar with certificates myself and am approaching this for the first time.

So if my domain is kevin.com, my Site URL is meeting.kevin.com, and my Admin URL is wbxadmin.kevin.com, does that mean I need to purchase a separate single certificate (or Multiple UCC) to cover both the Site URL and the Admin server, since they're in the same domain but neither is a subdomain of the other?

Or would it be more efficient to rename the admin server admin.meeting.kevin.com and use a wildcard of meeting.kevin.com to cover both?

A cert covering the entire domain of *.kevin.com is a security concern so I can't do it.

dpetrovi (Cisco Employee) Wed, 10/22/2014 - 13:02

Hi Kevin,

If you cannot use a wildcard SSL cert, you will have to use a Subject Alternative Name (SAN) SSL cert. Keep in mind that the CWMS solution needs an SSL cert not just for the Admin URL and Site URL, but for all internal VM FQDNs as well. If you generate the CSR on your CWMS solution, you will see that the CSR will include all internal FQDNs (Admin VM, Media VM, Web VM, WebEx Site URL, and Admin Site URL).

Additionally, keep in mind that many Certification Authorities have already stopped issuing SSL certs for internal domains like .local or .internal, etc., so if you are just deploying the system, I would advise you to use a valid domain for internal VMs as well (e.g. kevin.com).

I hope this helps.

-Dejan

kdotten36 Wed, 10/22/2014 - 13:28

Thanks, I am using a valid ".com" domain for all servers.

I guess where I'm confused is on the page where I generate the CSR it says Certificate name: meet.site.com.  But I know that my admin server is wbx-admin.site.com.  So if I get a certificate for meet.site.com, that won't work for the admin server right?


kdotten36 Wed, 10/22/2014 - 13:32

OK, so when I actually generated the CSR, my other FQDNs are listed as "Subject Alternative Names" 

Does that mean everything there will automatically be included even though they fall under the top level domain, and not the certificate's sub-domain?

dpetrovi (Cisco Employee) Wed, 10/22/2014 - 13:36

SAN SSL certificates are issued for multiple FQDNs; you have to make sure when you order them from the Certification Authority that you specify that you need a SAN SSL cert, to ensure they read all FQDNs included in the CSR and not just your WebEx Site URL.

You should receive an SSL cert that will include all those FQDNs (they can all be different, for that matter, and have different domains).

I hope this clarifies it.

-Dejan

kdotten36 Thu, 10/23/2014 - 10:49

Thanks for the help, I purchased the certificate and uploaded it.  Unfortunately after all that trouble, iOS users still cannot connect to our meetings without manually installing an emailed copy of the certificate (which is a silly "workaround" to suggest when the majority of our attendees are external users not affiliated with our company.)  Guess it's time to bug TAC!

dpetrovi (Cisco Employee) Thu, 10/23/2014 - 10:53

The issue is that you haven't incorporated Intermediate SSL certs into the SSL cert that you've uploaded to CWMS.

Who is your CA?

If you got intermediate SSL cert, in any text editor, edit the SSL cert that you received for CWMS, and copy the content of the Intermediate SSL cert right under it. Then upload this bundled SSL cert to CWMS.

-Dejan

dpetrovi (Cisco Employee) Thu, 10/23/2014 - 10:57

The SSL cert bundle should look like this:

-----BEGIN CERTIFICATE-----
… CWMS certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… Intermediate certificate …
-----END CERTIFICATE-----

If you have Primary and Secondary intermediates, then do it like this:

-----BEGIN CERTIFICATE-----
… CWMS certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… Secondary Intermediate certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… Primary Intermediate certificate …
-----END CERTIFICATE-----

If it reports "Invalid certificate chain" during upload, try swapping the order of the Primary and Secondary Intermediate certs. Don't put the 'root' certificate in the bundle. It is not needed.

I hope this helps.

-Dejan

kdotten36 Thu, 10/23/2014 - 11:16

GoDaddy is the provider.

I got two certificates but no description about intermediate or primary.

One is called 24f9d8fasdfjkid.crt (not exact, but something like that) and the other is called gd_bundle-g2-g1.crt

The latter said public/private key does not match when uploaded, the first one was accepted.

I tried copying and pasting the sections in various orders and keep getting "invalid string".

kdotten36 Thu, 10/23/2014 - 11:46

Found the right combo.  Copied the text from f2334j3kp3434.crt and pasted it at the beginning of the gd_bundle.crt.  WebEx took it and now my iThings can connect.

Thanks for all the hand holding through this!

dpetrovi (Cisco Employee) Thu, 10/23/2014 - 11:51

Perfect. I am glad to hear you were able to figure it out and that it is working now.

-Dejan

George Thomas Wed, 12/03/2014 - 12:13

Just a FYI - for anyone who is working on this. In CWMS 2.5, the certificate should be in the format Intermediate cert followed by the Identity cert.

dpetrovi (Cisco Employee) Wed, 12/03/2014 - 13:05

Thank you for the update. Yes, in CWMS 2.5 the order of the SSL cert bundle is changed.

1. You receive the SERVER SSL cert file for all your CWMS components. This SSL cert file contains just one SSL cert that includes all Subject Alternative Names. In CWMS 1.x and 2.0, this cert file is placed at the top of the SSL cert bundle. However, in CWMS 2.5, this SSL cert is placed at the bottom of the SSL cert bundle.
2. You may also receive an INTERMEDIATE SSL CERT bundle from the CA. This bundle usually includes three SSL certificates:
TOP – Secondary Intermediate SSL cert
MIDDLE – Primary Intermediate SSL cert
BOTTOM – Root SSL cert

For a certificate chain to work, certs must be ordered sequentially like a daisy chain.

In CWMS 1.x and 2.0, the chain should have looked like this:
SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

Hence, to create the SSL cert bundle on CWMS 1.x and 2.0 version levels, you would open the SERVER SSL CERT in notepad, save the file as the SSL cert bundle, open the INTERMEDIATE SSL CERT bundle in notepad, copy the top two SSL certs (secondary intermediate and primary intermediate) and paste them below the SERVER SSL CERT, as they are already in the correct order. This action will create the required chain:
SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

In CWMS 2.5, the chain is different and should look like this:
PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

Hence, to create the SSL cert bundle on CWMS 2.5 version level, you would open a new blank file in notepad, open the INTERMEDIATE SSL CERT bundle in notepad, copy the Primary Intermediate (MIDDLE CERT in the INTERMEDIATE SSL CERT bundle file) to the top of the blank notepad file, then copy the Secondary Intermediate (TOP CERT in the INTERMEDIATE SSL CERT bundle file) below the Primary Intermediate in the blank notepad file, and then open the SERVER SSL CERT in notepad and copy its content to the very bottom of the notepad file. At this time, save this notepad file (not blank any more) as the CWMS SSL cert bundle and upload it to the system.

In case the CSR file was created outside of the CWMS solution, and you also have an externally created PRIVATE KEY that you will also need to import to CWMS, the PRIVATE KEY will ALWAYS (regardless of the version) be placed at the VERY TOP (above all certs) in the CWMS SSL cert bundle.

-Dejan
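
The bundle assembly Dejan describes in this reply and in his 10/23 replies above, as an added example that is not part of the original thread and not a Cisco tool. It is standard-library Python that takes the files a CA hands you (server cert, intermediate bundle, optionally a private key) in any order, works out the chain by matching each certificate's issuer to another certificate's subject, leaves out the self-signed root, puts an external private key on top, and emits either the 1.x/2.0 order (server, secondary, primary) or the 2.5 order (primary, secondary, server). Everything beyond what the thread states is an assumption: the cwms_2_5 flag, the placeholder CA names, and the constructed, unsigned demo certificates (meet.kevin.com is only reused from Kevin's example).

```python
"""Assemble a CWMS SSL cert bundle in the order this thread describes.
Added example, not Cisco tooling, standard library only. Signatures are
not checked; the demo certificates are constructed placeholders.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """[(label, DER bytes)] for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def _tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Raw DER of the issuer and subject Name fields of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    p = _tlv(der, p)[2]                     # serialNumber
    p = _tlv(der, p)[2]                     # signature AlgorithmIdentifier
    issuer_end = _tlv(der, p)[2]
    issuer, p = der[p:issuer_end], issuer_end
    p = _tlv(der, p)[2]                     # validity
    return issuer, der[p:_tlv(der, p)[2]]   # subject


def order_chain(certs):
    """Leaf-first chain [server, secondary, primary, ...]; a self-signed root is dropped."""
    names = {der: issuer_and_subject(der) for der in certs}
    by_subject = {subj: der for der, (_, subj) in names.items()}
    issuers = {iss for iss, subj in names.values() if iss != subj}
    leaves = [d for d, (iss, subj) in names.items() if iss != subj and subj not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one server certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while cur is not None and names[cur][0] != names[cur][1]:
        chain.append(cur)
        cur = by_subject.get(names[cur][0])  # the certificate that issued this one
    return chain


def cwms_bundle(material, cwms_2_5):
    """Upload file from one string holding all the PEM material in any order.
    1.x/2.0: server, secondary, primary.  2.5: primary, secondary, server.
    An external private key always goes first; the root is never included."""
    blocks = pem_blocks(material)
    keys = [to_pem(d, lbl) for lbl, d in blocks if lbl.endswith("PRIVATE KEY")]
    chain = order_chain([d for lbl, d in blocks if lbl == "CERTIFICATE"])
    ordered = chain[:0:-1] + chain[:1] if cwms_2_5 else chain
    return "\n".join(keys + [to_pem(d) for d in ordered]) + "\n"


# Constructed test material: structurally valid DER with a dummy key and signature.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(subject_cn, issuer_cn):
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, _der(0x17, b"141001000000Z") + _der(0x17, b"151001000000Z"))
               + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    # Server cert file plus a CA bundle laid out secondary, primary, root; names are placeholders.
    root = fake_cert("Example Root CA", "Example Root CA")
    primary = fake_cert("Example Primary CA", "Example Root CA")
    secondary = fake_cert("Example Secondary CA", "Example Primary CA")
    server = fake_cert("meet.kevin.com", "Example Secondary CA")
    ca_bundle = "\n".join(to_pem(c) for c in (secondary, primary, root))
    print(cwms_bundle(to_pem(server) + "\n" + ca_bundle, cwms_2_5=True))
```

Ordering by issuer/subject match replaces the "try swapping the intermediates" step: the secondary intermediate is whichever certificate's subject equals the server certificate's issuer, the primary is the one that issued the secondary, and the root is the one certificate whose issuer equals its own subject, so it is left out as the thread advises. The script verifies no signatures and does not check that the chain ends at a root your clients trust; do that with openssl verify against the CA's published root, and then test the Site URL from a browser and a phone after the upload.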

George Thomas Wed, 12/03/2014 - 13:15

Thanks Dejan, if you could convert this into a document and post it on the forum that would be awesome!
