At my CUCM I want to install a signed certificate. Installing the root certificate is no problem. If I install the server certificate I always receive the error: CSR SAN and Certificate SAN does not match. I can check the certificate for the Subject Alternative Names, but how can I check the CSR?
Does the CSR have an internal domain on it? I have seen instances where the 3rd party CA removes SAN for domains that are not public.
Just so someone else has this information, we were on 10.5.1 and there's a bug that even though you update your web-security and add the www. (set web-security ?), the CSR created in the GUI will not show that information. We had to build them in the CLI for them to show properly.
(pro-tip for Go-Daddy certs, when you do web-security, you only need the www. entry, as it automatically does your Server Name. Only areas with spaces like a city name require quotes)
set web-security PCI Company "City Name" State Country www.CMSUB1.Company.com
admin:set csr gen tomcat
Successfully Generated CSR for tomcat
admin:set csr gen CallManager
Successfully Generated CSR for CallManager
We had this same issue. Turns out Go Daddy was generating our certificate with a SAN (www.server.domain.com) that wasn't in the csr. The csr was just generated with server.domain.com. So this was causing the mismatch. Go Daddy didn't want to help changing the certificate so we just regenerated the csr on the server using www.server.domain.com as the SAN option. Note: We are running version 10.5. I hope this helps.
Do you know if Go Daddy generates the SAN with a www.server.domain.com entry for each server in the SAN record or for just the common name?
I know this is a bit of an old post, but I'm running into this exact issue, and was curious how exactly you went about regenerating the CSR with the www.server.domain.com as the SAN option? In the Generate CSR page, it doesn't give many options so I'm not quite clear on how you did this. Thanks
Please note that the above workaround for www-prefixed names in SANs is no longer required for CUCM versions 10.5(2) and above. Hope this helps.
Also, check if the version of your CallManager is 10.5(1.10000.7), as you may hit the bug CSCur46416 (Multiserver Certificate CSR Should Not Check Case Sensitivity in SAN). If that's the case, there is a workaround to change your hostnames to lower case or request an ES from TAC that fixes this bug.
I've just run into this issue and for me it was because they issued a user certificate and not a server certificate.
To see the additional options on the Microsoft CA web interface you either need to run your browser as administrator or log on to the CA server and do it from there.
That seems to be another issue. The discussion is about third-party certificates (issued by GoDaddy, Comodo, VeriSign, etc.). The bug that I mentioned in my previous post is fixed in version 10.5(2) and later (no need to request ES from TAC).
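For the question in the first post (how to read the SANs in a CSR) and the SAN mismatches described in the replies, here is an added example, not written by any poster or by Cisco: it lists the DNS SANs of a CSR and of the issued certificate with OpenSSL and shows which names differ, optionally ignoring case. It assumes a workstation with OpenSSL 1.1.1 or later and both files in PEM format; the file names and example.com hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare the DNS SANs of a CSR with those of the issued certificate.

# Print DNS SAN entries, one per line, sorted.
# $1 = "req" (CSR) or "x509" (certificate), $2 = PEM file, $3 = "fold" to lower-case
san_list() {
  openssl "$1" -in "$2" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
    sed -n 's/^ *DNS://p' |
    if [ "${3:-}" = fold ]; then tr 'A-Z' 'a-z'; else cat; fi |
    LC_ALL=C sort -u
}

# Print names found on one side only; empty output means the SAN sets match.
# $1 = CSR, $2 = certificate, $3 = optional "fold" for a case-insensitive compare
san_diff() {
  _t=$(mktemp -d) || return 2
  san_list req  "$1" "${3:-}" > "$_t/csr"
  san_list x509 "$2" "${3:-}" > "$_t/crt"
  LC_ALL=C comm -23 "$_t/csr" "$_t/crt" | sed 's/^/csr-only: /'
  LC_ALL=C comm -13 "$_t/csr" "$_t/crt" | sed 's/^/cert-only: /'
  rm -rf "$_t"
}

# Constructed sample: the CSR asks for one mixed-case name; the "issued"
# certificate (self-signed here) has the lower-case name plus a www. entry.
make_sample() {  # $1 = output directory
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
    -subj "/CN=Server.example.com" \
    -addext "subjectAltName=DNS:Server.example.com" \
    -out "$1/server.csr" 2>/dev/null &&
  openssl req -new -x509 -key "$1/server.key" -days 1 \
    -subj "/CN=server.example.com" \
    -addext "subjectAltName=DNS:server.example.com,DNS:www.server.example.com" \
    -out "$1/server.crt" 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d" &&
  san_diff "$d/server.csr" "$d/server.crt" fold
# prints: cert-only: www.server.example.com
```

Without `fold` the same comparison also reports the case difference, so a mismatch that disappears under `fold` is a case-only difference, while a remaining `cert-only:` line is a name the CA added that the CSR never requested.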