New Member

CWMS 2.0 SSL Certificate Issue on iOS device

I have uploaded an SSL certificate to the CWMS server. All devices work fine; only iOS devices do not work.

Error Code:100202

I think the problem is a certificate issue. I used a SAN SSL certificate for *.domain.com

I obtained the SSL Certificate and the OrganizationSSL Root Certificate from GlobalSign.

I found in the Troubleshooting Guide that they say "upload it to Cisco WebEx Meetings Server together with the end entity certificate".

How do I "upload it to Cisco WebEx Meetings Server together with the end entity certificate"?

I followed the steps in https://supportforums.cisco.com/discussion/11794371/cwms-ssl-certificate-issue but it did not work.

I created a .pem file with the content in this order in the same file:

-----BEGIN PRIVATE KEY-----

… Private key …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… End entity certificate …

-----END CERTIFICATE-----

or

---

Private Key

---

---

CWMS Entity certificate

----

----

Intermediate Certificate #1

----

When I upload the .pem file, the error "The certificates do not form a valid certificate chain." occurs.

 

Please explain how to upload it to Cisco WebEx Meetings Server together with the end entity certificate.

9 REPLIES
Cisco Employee

Hi, 

Per the information provided, you have a Wildcard SSL certificate (*.domain.com) provided by GlobalSign, but when you upload it to CWMS with a file that contains the following:

Private Key

Wildcard cert

Root cert

you get an error "The certificates do not form a valid certificate chain." This is expected behavior since you shouldn't insert the Root cert, but instead you need to insert the Intermediate SSL cert from GlobalSign. Reach out to GlobalSign and obtain the appropriate Intermediate Cert: https://www.globalsign.com/repository/ca-certificates/ that matches your Wildcard cert. Once you have that cert, then create a bundle:

Private Key

Wildcard cert

Intermediate cert 

and upload it to the CWMS server. This should resolve the issue you are seeing on the iOS devices.

 

I hope this will be of help.

 

-Dejan

New Member

How do I bundle these three files? Put the Private Key, Wildcard cert, and Intermediate cert into 1 file, right?

I created a .pem file with the content in this order in the same file:

---

Private Key

---

---

CWMS Entity certificate

----

----

Root Cert

----

When I install the certificate, the error message "The certificates do not form a valid certificate chain." occurs.

Cisco Employee

Hi,

Don't use ROOT CERT. You need to use INTERMEDIATE CERT instead of ROOT. To bundle them, you create a .pem file with:

-----BEGIN PRIVATE KEY-----

… Private key …

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

… End entity certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Intermediate certificate …

-----END CERTIFICATE-----

 

I hope this explains it.

 

-Dejan

New Member

Hi Dejan,

The private key is obtained when generating the CSR, right?

I uploaded the file in order but it still shows the same error message "The certificates do not form a valid certificate chain."

Cisco Employee

If you generated a CSR on the CWMS server, then the private key is stored on CWMS and you don't need to upload it. In that case, you would just need a valid SSL cert for CWMS and the corresponding Intermediate certs.

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Intermediate certificate …

-----END CERTIFICATE-----

If you still get the same error, you are definitely not using the correct intermediate cert. Keep in mind that some CAs use primary and secondary intermediate certs, so you will have to include both. In that case, the order would be:

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Secondary Intermediate certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Primary Intermediate certificate …

-----END CERTIFICATE-----

-Dejan
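
The ordering rules from the answer above (end entity certificate first, each following certificate the issuer of the one before it, no root) can be checked locally before uploading. This is an added example, not part of the thread or Cisco's tooling; it assumes the openssl CLI is installed, and `check_bundle` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's tooling): sanity-check a PEM bundle before upload.
# Assumes the openssl CLI is installed; check_bundle is a hypothetical helper name.
# It compares issuer/subject name hashes only; it does not verify signatures.

check_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Write each CERTIFICATE block to cert1.pem, cert2.pem, ... in file order.
    # PRIVATE KEY blocks are skipped because only CERTIFICATE markers match.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; keep = 1 }
        keep                          { print > out }
        /-----END CERTIFICATE-----/   { keep = 0; close(out) }
    ' "$bundle"

    rc=0
    if [ ! -f "$tmp/cert2.pem" ]; then
        echo "bundle needs the end entity cert followed by at least one intermediate"
        rc=1
    fi
    i=1
    while [ -f "$tmp/cert$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject_hash)
        iss=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        # Subject equal to issuer means a self-signed root, which must be left out.
        if [ "$subj" = "$iss" ]; then
            echo "cert $i is self-signed (a root): remove it from the bundle"
            rc=1
        fi
        # The next cert in the file must be the issuer of this one.
        next="$tmp/cert$((i + 1)).pem"
        if [ -f "$next" ]; then
            nsubj=$(openssl x509 -in "$next" -noout -subject_hash)
            if [ "$iss" != "$nsubj" ]; then
                echo "cert $((i + 1)) is not the issuer of cert $i"
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: check_bundle bundle.pem && echo "order looks right"
```

A wrong intermediate, like the one that caused the error in this thread, shows up here as "cert 2 is not the issuer of cert 1" when its subject name differs from the issuer named in the end entity certificate.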

New Member

Hi Dejan,

Now it works.

GlobalSign sent me the wrong Intermediate Certificate. I downloaded a new Intermediate Certificate from GlobalSign (https://support.globalsign.com/customer/portal/articles/1219303-organizationssl-intermediate-certificates)

And created the pem file in this order:

-----BEGIN CERTIFICATE-----

... End entity certificate ...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

... Intermediate certificate ...

-----END CERTIFICATE-----

Thank you very much for your support. I got more ideas from you.

Cisco Employee

Hi,

 

I am happy to hear that you were able to upload the appropriate chain. Is the issue with the iOS device now resolved (it should be)?

 

Thank you.

-Dejan

 

New Member

Hi Dejan,

Yes, now resolved with iOS devices

New Member

Just wanted to give feedback to this post as I came across this to fix my issue. I am running 2.5 of CWMS and they changed the format. It now looks like:

 

----Private Key---

 

Private key info

 

---end private key---

---Intermediate key----

Intermediate info

---end intermediate key---

---Entity certificate---

certificate info

----end entity certificate----

 

I also used this site to help extract out the information I needed from the encrypted files I was given by the customer:

 

https://ril3y.wordpress.com/2014/01/22/ssl-with-intermediate-certificates-for-on-premise-webex/

 

-The Hoff

 

 

 

 
