Cisco Support Community
New Member

Jabber 11.6 shows Invalid Certificate, 10.5 works fine

Hi,

I have installed Digicert Certificates (Public CA) on my expressway E (version X8.7.1) (CUCM ver: 9.1.2.14900-14) (IM&P - ver:9.1.1.81900-10)

The certificates are signed by an Intermediate CA.

Windows and iOS both have the Intermediate CA certificate and root certificate in the Trust container.

I have uploaded both the Root CA and Intermediate CA certificates on the Expressway E

The certificates show the Path to the Root CA. Windows shows the certificate as OK

The CN name is the FQDN of the expressway E

The SAN name is the FQDN of the expressway E

FIPS is disabled on the windows server

 

I am getting a certificate error from Windows Jabber 11.6, iPhone and Android.

I do not get the error if the Windows Jabber client is 10.5

Note - The Certificate SAN only contains the Expressway E FQDN. There is no Clustering.

Do I need to include just the Domain Name in the SAN? If so, how does it work with older Jabber versions?

Thanks

Sandesh

3 REPLIES
Cisco Employee

I do not see any major difference in certificate validation between the versions. Could you tell me the complete error message that you see?

Is this behaviour similar to the below post?

https://supportforums.cisco.com/discussion/13124266/invalid-certificate-was-declined-jabber-android

Could you generate a Problem report in detailed logging mode, and attach here?

New Member

Solved

Apparently for RMA, Jabber 11.5 seeks three entries: Server FQDN, Domain & Collab-edge.<Domain>

E.g. domainname = domain.com & Expressway E name = expresE.domain.com

After I uploaded a multi-SAN certificate with SAN as "dns=domain.com" & "dns=collab-edge.domain.com" the problem was solved.

Note: just adding the domain name to the SAN is also enough.

 

Logs showed the following:

cert::CertVerifier::checkIdentifier] - Verifying identity 'expresE.domain.com'

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(352)] [csf.cert.utils] [csf::cert::altnameparserimpl::verify] - match for 'expresE.domain.com' found in dnsnames

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(324)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded.

Matched identifier : 'expresE.domain.com'

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(461)] [csf.cert.] [csf::cert::BaseCertVerifier::applyIgnoreInvalidCertConditionPolicy] - Certificate verification was successful, not applying policy.

[csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'domain'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'Domainname'

2016-09-21 11:00:44,777 DEBUG [0x000009f8] [ls\src\cert\common\CertVerifier.cpp(154)] [csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'collab-edge.domain.comname'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'collab-edge.domain.com'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(319)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity: 'domain' 'collab-edge.domain.com' failed.
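An added example, not part of the thread and not Cisco code: a pre-deployment check that a certificate's SAN dNSName entries cover the identities the log above shows the client verifying. It assumes exact, case-insensitive matching, and that the second check passes when either the domain or `collab-edge.<domain>` is present (as the post reports); the function names, report layout and sample certificates are constructed for illustration.

```python
import socket
import ssl


def fetch_peercert(host, port, timeout=5.0):
    """Fetch the server certificate as a dict (chain and hostname are validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(peercert):
    """Normalised dNSName SAN entries from a getpeercert()-style dict."""
    sans = peercert.get("subjectAltName", ())
    return {v.lower().rstrip(".") for kind, v in sans if kind == "DNS"}


def check_identities(peercert, server_fqdn, domain):
    """Report which identity groups from the thread the SAN list satisfies."""
    names = dns_names(peercert)
    # Group 1: the Expressway-E FQDN the client connected to.
    # Group 2: the service domain; one match is enough (assumption from the post).
    groups = {
        "server": [server_fqdn],
        "service-domain": [domain, "collab-edge." + domain],
    }
    report = {}
    for label, candidates in groups.items():
        matched = [c for c in candidates if c.lower().rstrip(".") in names]
        missing = [c for c in candidates if c not in matched]
        report[label] = {"ok": bool(matched), "matched": matched, "missing": missing}
    return report


# Constructed sample certificates using the placeholder names from the post.
BEFORE = {"subjectAltName": (("DNS", "expresE.domain.com"),)}
AFTER = {"subjectAltName": (("DNS", "expresE.domain.com"),
                            ("DNS", "domain.com"),
                            ("DNS", "collab-edge.domain.com"))}
DOMAIN_ONLY = {"subjectAltName": (("DNS", "expresE.domain.com"),
                                  ("DNS", "domain.com"))}

if __name__ == "__main__":
    for label, cert in (("before", BEFORE), ("after", AFTER)):
        print(label, check_identities(cert, "expresE.domain.com", "domain.com"))
```

To check a live server, pass the result of `fetch_peercert(host, port)` in place of the sample dicts.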

 

Cisco Employee

Awesome :)
