Cisco Support Community

New Member

CUCM issue with secure Jabber and Expressway



We have a UC infrastructure with a CUCM, a CUP, and an Expressway-C/E X8.1.1.

Furthermore, we have configured several Jabber phones (for Windows, Android, and iPhone).

Let's consider Jabber for Windows, now.

The Jabber phones work correctly with non-secure profiles, both in LAN and by Expressway.

But, when we use secure profiles, the Jabber phones only work in LAN, while by Expressway we get an error that, in English, should be the following (as seen by the connection status tool of Jabber for Windows):


"Connection error. Verify that the server information on the Services tab of the Options window and phone are correct. Contact your system administrator for assistance."


What's wrong?


Thanks in advance for your help.


Best regards.

Cisco Employee

Could you confirm whether the name of the Security Profile is added to the Subject Alternative Name field in the certificate of the VCS server?

The information can be found on page 18 of the document below.

New Member

Hello, it's a bug: https:/





I've temporarily solved it with the workaround indicated in the link above.



New Member

Hi, I've got a similar case.

-- deleted --

New Member

Hello,

I have the same issues as yours, with secure profiles on Jabber clients. To make it worse, while the Jabber client is connecting to phone services, the Cisco CallManager service on the primary CUCM is restarted. We have a UC infrastructure with CUCMs (, CUCM IM&P ( and Expressway-C/E (X8.5).

All servers used FQDNs instead of IP addresses, certificates (tomcat, Call Manager, XMPP) are issued by internal CAs, etc. The security profile on the particular telephone has a name, which we use when making the certificate request on Expressway, as Nirmal suggested.

Please, could you send your workaround, because this bug is not yet publicly available.




New Member

FYI, the bug with ID CSCun30200 is about the following:

OpenSSL does not support 2 self-signed certificates with the same Common Name and, unfortunately, this is the CM's default configuration.


It is not possible to configure a UCM for MRA when the UCM uses self signed certs for both the tomcat and CallManager certificates.

Either TLS verify or secure SIP will fail depending upon the order in which the certificates are added. If the tomcat.pem certificate is first in the trusted CA file then TLS verify will work and SIPS will not.

Unfortunately, Cisco doesn't recognize it as a bug, and it seems that no improvement has been made so far.

My workaround is to have the CUCM's tomcat cert signed by a CA, and keep the CallManager cert self-signed.

Or, you may have all of the CUCM's certs signed by a CA. That way the Expressway-C is not required to verify two CUCM certs with the same CN.

On the other hand, I didn't have the problem of "CallManager service restarted" during my lab setup before I found my workaround.
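The condition described in the last post (two different self-signed certificates with the same Common Name in one trusted CA file) can be checked for in any PEM bundle. The script below is an added example, not part of the thread or of any Cisco tooling; it assumes the `openssl` command-line tool is installed, treats a certificate as self-signed when its subject equals its issuer, and uses hypothetical function names and constructed `example.test` host names.

```shell
#!/bin/sh
# List subject names shared by two or more different self-signed
# certificates in a PEM trust bundle (the clash described for CSCun30200).

# dup_self_signed_subjects BUNDLE   (hypothetical helper name)
dup_self_signed_subjects() {
    src=$1
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$src"
    for pem in "$work"/cert*.pem; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || continue
        issr=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || continue
        # Assumption: subject DN equal to issuer DN means self-signed.
        [ "${subj#subject=}" = "${issr#issuer=}" ] || continue
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || continue
        printf '%s\t%s\n' "${subj#subject=}" "${fp#*=}"
    done | LC_ALL=C sort -u | cut -f1 | uniq -d   # same subject, different cert
    rm -rf "$work"
}

# make_demo_bundle OUT: constructed sample input. Two self-signed certificates
# with the same CN (standing in for tomcat.pem and CallManager.pem) and one
# with a different CN. All host names are placeholders.
make_demo_bundle() {
    out=$1; : > "$out"
    tmp=$(mktemp -d) || return 2
    for cn in cucm.example.test cucm.example.test other.example.test; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 2
        cat "$tmp/cert.pem" >> "$out"
    done
    rm -rf "$tmp"
}

# Demo on the constructed bundle: prints the one clashing subject.
bundle=$(mktemp) && make_demo_bundle "$bundle" && dup_self_signed_subjects "$bundle"
rm -f "$bundle"
```

Pass any PEM bundle path to `dup_self_signed_subjects`; no output means no two self-signed certificates in it share a subject.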

