Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CWMS hostnames are not treated as valid subject alternate names for a public certificate

Hi,
I have a problem to get s public certificate for my CWMS Server 2.0

fqdn for public vip is "meet.company.de"
But the fqdn hostnames for admin and media vm are "admin.company.corp"

The public certification authority does not accept our CSR because the Subject Alternate Name xxxx.company.corp ist not valid

Any ideas how we can proceed? Wildcard certificate is not an option.

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hello, There are couple of

Hello,

 

There are couple of things you can try to do:

1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen Verisign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs)

2. Change the FQDNs of your internal VMs. You would need to ensure you configure "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP and Admin and WebEx Site for "company.de" domain, and then perform the hostname change on CWMS for all the VMs and Admin site. You can change the VMs hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here) . Once you modified all the hostnames, you can generate new CSR (SAN) and you will get valid internal VM hostnames and your CA will be able to issue you a certificate.

3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why the are not the option in your case).

 

This is all that you can do when it comes to this issue.

 

I hope any of this will help.

-Dejan

 

1 REPLY
Cisco Employee

Hello, There are couple of

Hello,

 

There are couple of things you can try to do:

1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen Verisign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs)

2. Change the FQDNs of your internal VMs. You would need to ensure you configure "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP and Admin and WebEx Site for "company.de" domain, and then perform the hostname change on CWMS for all the VMs and Admin site. You can change the VMs hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here) . Once you modified all the hostnames, you can generate new CSR (SAN) and you will get valid internal VM hostnames and your CA will be able to issue you a certificate.

3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why the are not the option in your case).

 

This is all that you can do when it comes to this issue.

 

I hope any of this will help.

-Dejan

 

173
Views
5
Helpful
1
Replies
CreatePlease login to create content