Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Work around for CUCM SSL cert warning message

I've got a customer site running 6.1(1), do not want to upgrade at this point to 6.1(2) to change hostname; and their DNS naming convention for CUCM is different than the host name. Therefore, when a ccmuser hits the main login page, they get the classic cert warning message that host name (IP address) does not match name in cert:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.

Continue to this website (not recommended).

More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.

When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

Can anyone offer a work-around given my parameters (that I don't want to upgrade to change hostname), such as changing the name in the certificate only and re-creating a new cert?

Any suggestions are appreciated.

THANKS!

  • IP Telephony
10 REPLIES
Red

Re: Work around for CUCM SSL cert warning message

That's the way how SSL works. The address in the web browser has to match the common name in the certificate.

To work around that, you may generate a certificate with alternative name with "set web-security" command along with "alternatehostname" argument.

Unfortunately, this option is only available on newer version of CUCM.

In short, you have to upgrade anyway. Or you can just ignore the security warning on the web browser.

Thanks!

Michael

http://htluo.blogspot.com

New Member

Re: Work around for CUCM SSL cert warning message

Thanks Michael- never heard of the "set web-security command"/alternatehostname, but that is type of command I was looking for.

With our cut-over two weeks away, I'll defer the upgrade. Thanks for the reply and great info.

Mike.

New Member

Re: Work around for CUCM SSL cert warning message

When doing a set web-security for the alternatehostname option, you will be able to generate a CSR with a second DNS entry for your alternate name. The problem then becomes finding a vendor which supports giving out SAN Certificates. I think Verisign will but they are expensive. Thawte doesn't give out SAN certificates. Did you ever get this resolved?

New Member

Re: Work around for CUCM SSL cert warning message

we changed the hostname of the cucm

New Member

Re: Work around for CUCM SSL cert warning message

Hi Michael:

We have the similar issue. the only difference are when we tried to get the cucm cert validate by 3rd party, it do not work.

Can you please provide a detailed steps to do the 3rd party validation for the tomcat ssl cert?

We have done the procedure below:

1. change the host name & domain name

2. generate CSR

3. apply a SSL123 standard cert with a CA

4. upload the CA's root cert & the SSL123 cert.

5. reboot the server

however, we still see the alerting message, "cert not validate by trusted CA" etc...

Thanks

Mou Wei

Red

Re: Work around for CUCM SSL cert warning message

1) You need to upload CA certs to CUCM as "Tomcat-trust". If there are more than one CA in the cert chain (such as parent, grandparent, etc.), you need to upload each cert.

2) When uploading the SSL123 cert, you need to specify the "Root Certificate". This is the confusing part. You actually specify the parent certificate here. You may find the name in the CUCM cert list page (file name column).

Hope this helps.

Michael

New Member

Re: Work around for CUCM SSL cert warning message

Hi Michael:

Got it done. Thanks!

Mou Wei

New Member

Re: Work around for CUCM SSL cert warning message

Michael,

I am using CCM 4.1.3 and management wants to get rid of the security page for the CCMUSER page. In other words they want the users to get right to the page without the warning. You seem pretty knowledgable on the subject. Any Ideas?

Thank you

New Member

Re: Work around for CUCM SSL cert warning message

Hi Michael,

In this post you have stated that the "set web-security" and "alternatehostname" are only valid on newer vesions of CUCM.

Do you know when this feature was introduced?

Regards

Matthew

1471
Views
9
Helpful
10
Replies
This widget could not be displayed.