I've got a customer site running 6.1(1), do not want to upgrade at this point to 6.1(2) to change hostname; and their DNS naming convention for CUCM is different than the host name. Therefore, when a ccmuser hits the main login page, they get the classic cert warning message that host name (IP address) does not match name in cert:
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
If you choose to ignore this error and continue, do not enter private information into the website.
For more information, see "Certificate Errors" in Internet Explorer Help.
Can anyone offer a work-around given my parameters (that I don't want to upgrade to change hostname), such as changing the name in the certificate only and re-creating a new cert?
Any suggestions are appreciated.
That's how SSL works. The address in the web browser has to match the common name in the certificate.
To work around that, you may generate a certificate with an alternative name with the "set web-security" command along with the "alternatehostname" argument.
Unfortunately, this option is only available on newer versions of CUCM.
In short, you have to upgrade anyway. Or you can just ignore the security warning on the web browser.
Thanks Michael - never heard of the "set web-security command"/alternatehostname, but that is the type of command I was looking for.
With our cut-over two weeks away, I'll defer the upgrade. Thanks for the reply and great info.
When doing a set web-security for the alternatehostname option, you will be able to generate a CSR with a second DNS entry for your alternate name. The problem then becomes finding a vendor which supports giving out SAN Certificates. I think Verisign will but they are expensive. Thawte doesn't give out SAN certificates. Did you ever get this resolved?
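Added example, not part of any post in this thread and not Cisco code: a Python sketch of the RFC 2818 name check a browser applies, showing why a certificate issued only for the CUCM host name fails for the DNS alias or the IP address and why an alternate-name entry fixes the alias. The certificate dicts use the layout returned by Python's `ssl` `getpeercert()`; the names `cucm-pub`, `phones.example.com` and `10.0.0.5` are constructed placeholders.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(address, cert):
    """Return (matched, names_checked) for the address typed into the browser."""
    san = cert.get("subjectAltName", ())
    if _is_ip(address):
        # RFC 2818: an IP in the URL can only match an iPAddress SAN entry.
        ips = [v for k, v in san if k == "IP Address"]
        target = ipaddress.ip_address(address)
        return any(ipaddress.ip_address(v) == target for v in ips), ips
    names = [v for k, v in san if k == "DNS"]
    if not names:
        # No dNSName entries: fall back to the subject common name.
        # Current browsers skip this fallback and require a SAN entry.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, address) for n in names), names

# Constructed sample certificates (placeholders, not taken from a real server).
HOSTNAME_ONLY = {"subject": ((("commonName", "cucm-pub"),),)}
WITH_ALT_NAME = {
    "subject": ((("commonName", "cucm-pub"),),),
    "subjectAltName": (("DNS", "cucm-pub"), ("DNS", "phones.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("hostname only", HOSTNAME_ONLY), ("with alternate name", WITH_ALT_NAME)):
        for address in ("cucm-pub", "phones.example.com", "10.0.0.5"):
            print(label, address, cert_matches(address, cert))
```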
We have a similar issue. The only difference is that when we tried to get the CUCM cert validated by a 3rd party, it did not work.
Can you please provide detailed steps to do the 3rd party validation for the Tomcat SSL cert?
We have done the procedure below:
1. Change the host name & domain name
2. Generate CSR
3. Apply for an SSL123 standard cert with a CA
4. Upload the CA's root cert & the SSL123 cert.
5. Reboot the server
However, we still see the alert message, "cert not validate by trusted CA" etc...
1) You need to upload CA certs to CUCM as "Tomcat-trust". If there is more than one CA in the cert chain (such as parent, grandparent, etc.), you need to upload each cert.
2) When uploading the SSL123 cert, you need to specify the "Root Certificate". This is the confusing part. You actually specify the parent certificate here. You may find the name in the CUCM cert list page (file name column).
Hope this helps.
I am using CCM 4.1.3 and management wants to get rid of the security page for the CCMUSER page. In other words, they want the users to get right to the page without the warning. You seem pretty knowledgeable on the subject. Any ideas?
In this post you have stated that the "set web-security" and "alternatehostname" are only valid on newer versions of CUCM.
Do you know when this feature was introduced?