Cisco Support Community
New Member

Jabber 9.2.5 and above forced Certificates

Hello all,

As some of you may already know, as of Jabber version 9.2.5 the client forces Certificates. If there is not a Certificate that is signed by a trusted CA, then the self-signed Cert is used.

There is no way that I have found to get around this, unfortunately, and the end result is that the first time the Jabber client is launched on a PC the person must accept, in my case, 7 certificate warnings (2xUCM, 2xCUC, 2xIMP, 1xCWMS) that the host it’s connecting to is using self-signed Certs.

You have 3 options to avoid this

  • Stay on version 9.2.4 for the rest of your life, or until Cisco makes this an option we can opt out of
  • Deploy the 7 self-signed certs out to all the PCs (not sure why this is even a real option!!!!)
  • Lastly you can generate CSR requests from CUCM, CUC, IMP and CWMS servers to be signed by a trusted CA

I will set the record straight first. I know very little about Certs except the fact I don't like working with them.

Now for my questions: I have 3

There are dozens of Cert providers out there. How do I find a LIST of CAs that the application servers above already trust, so I can avoid deploying ROOT CAs as well to my Application servers and PCs?

 

I'm following the guide below; in it there is a section called "What methods are available for certificate validation?"

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

In this section it describes 

Here is a possible requirement you might encounter:

One Certificate Per FQDN: Some public CAs sign only one certificate per fully qualified domain name (FQDN).

For example, in order to sign the HTTP and XMPP certificates for a single CUCM IM and Presence node, you might need to submit each CSR to different public CAs.

I really don't understand this. Surely they don't mean get the cert for HTTP from one CA and the XMPP from another CA??

Lastly:

Is there a roadmap to make this Feature and/or Annoyance user customizable? I'm happy to stay on 9.2.4 if there is a less costly / annoying version in the works for the near future.

Appreciate your help and feedback

 

Ryan

2 REPLIES
New Member

Hi,

We use the latest Jabber 9.6 build. To avoid the cert question, we use the following switches during the installation; the cert switch is the important switch here.

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 AUTHENTICATOR=CUP CUP_ADDRESS=vCUPPUB1.example.com SERVICES_DOMAIN=example.com CERTIFICATE_VALIDATION=DISABLE

-joerg
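An added example, not part of the original posts and not Cisco tooling: a small audit that scans recorded installer command lines for Jabber installs run with the CERTIFICATE_VALIDATION=DISABLE switch shown above, so clients deployed without certificate checks can be inventoried. The sample command lines are constructed, and the function names (parse_msiexec, audit) are hypothetical.

```python
import re

# Constructed sample command lines, e.g. from process-creation logs or deployment scripts.
SAMPLE_COMMANDS = [
    'msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 AUTHENTICATOR=CUP '
    'CUP_ADDRESS=vCUPPUB1.example.com SERVICES_DOMAIN=example.com '
    'CERTIFICATE_VALIDATION=DISABLE',
    r'msiexec /i "C:\deploy\CiscoJabberSetup.msi" /quiet CLEAR=1 SERVICES_DOMAIN=example.com',
    'MSIEXEC.EXE /qn /i CiscoJabberSetup.msi certificate_validation="disable"',
    'msiexec.exe /i OtherProduct.msi CERTIFICATE_VALIDATION=DISABLE',
]

# A token is a run of non-space characters, where quoted segments may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
PROPERTY = re.compile(r'^([A-Za-z_][\w.]*)=(.*)$')

def basename(path):
    """Final path component, accepting both Windows and POSIX separators."""
    return path.replace('\\', '/').rsplit('/', 1)[-1]

def parse_msiexec(cmdline):
    """Return (package, {PROPERTY: value}) for an 'msiexec /i' line, else None."""
    tokens = [t.replace('"', '') for t in TOKEN.findall(cmdline)]
    if not tokens or basename(tokens[0]).lower() not in ('msiexec', 'msiexec.exe'):
        return None
    package, props = None, {}
    for i, tok in enumerate(tokens[1:], 1):
        match = PROPERTY.match(tok)
        if match:
            # Names are upper-cased so case variants in logs are not missed.
            props[match.group(1).upper()] = match.group(2)
        elif tok.lower() in ('/i', '-i') and i + 1 < len(tokens):
            package = basename(tokens[i + 1])
    return (package, props) if package else None

def audit(cmdlines):
    """List (line number, package, services domain) for Jabber installs with validation disabled."""
    findings = []
    for number, line in enumerate(cmdlines, 1):
        parsed = parse_msiexec(line)
        if parsed is None or 'jabber' not in parsed[0].lower():
            continue
        package, props = parsed
        if props.get('CERTIFICATE_VALIDATION', '').upper() == 'DISABLE':
            findings.append((number, package, props.get('SERVICES_DOMAIN')))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_COMMANDS):
        print('certificate validation disabled:', finding)
```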
New Member

Awesome I'll give this a try.

 

So is this only an install switch command, or can the same be accomplished using jabber-config.xml?

 

Ryan
