Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

VCS TLS Errors

Hey all, got some questions about TLS.  I have a two peer cluster of VCS-Cs and a two peer cluster of VCS-Es.

I am trying to enable TLS verify on the traversal zone, however I keep getting "Peer's TLS certificate identity was unacceptable" in the event logs.  What does this mean?  All four VCS'es have the same SAN cert loaded on them with all the proper names in the Subject Alternative field.

The second question I have is when you turn on "TLS verify subject name" on the VCS-E you must enter an FQDN here, what would I put in here since I have two VCS-Cs that will be talking to this cluster?

 

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ
7 REPLIES

Question 1 - Have you

Question 1 - Have you uploaded the relevant CA certs - assuming that that are no public certificates. Just because they have the same type of server cert installed, do they know how to authenticate that cert when it is presented from the other side?

Question 2 - not sure here as I have no access to our VCS-Es at the moment. Where is this option in the VCS menu? However, I would think that it is the FQDN of the specific peer.

Hey Justin,I might take back

Hey Justin,

I might take back what I said in Q2. I assume this is on the Zone setup when you enable TLS verify mode? I just VPN'ed in to check our VCS-Es and whilst we don't have TLS with mutual verify mode on, I suspect that because you have multiple Traversal Clients in a cluster that could connect to multiple Traversal Servers in a cluster, you would have to specify the cluster name and this name should appear on the certificates that are presented.

Have you checked out the Certificate admin guide for the VCS which I think might show you how Certificate should be installed and configured for the VCSs including a cluster.

 

Cheers

Chris

Yes, fully agree with Chris.

Yes, fully agree with Chris.

 

First thing might be to check with

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

 

Then check that the CA is present and that the names are correct.

Also check that not the ip but the specific hostnames are used as the peer address.

Please remember to rate helpful responses and identify

Martin, This I did not think

Martin,

 

This I did not think about, we are currently using IPs in the peer addresses, I will change then to hostnames tonight and see what that does.

 

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

Hi Justin,As an aside, I am

Hi Justin,

As an aside, I am currently undergoing some Microsoft training WRT to Lync and we were reviewing the use of wildcard or SAN certificates - for you, the news might not be good. It would seem to NOT be a recommended process when applying certificates to use a wildcard or SAN certificate as you cannot uniquely identify the specific device when you create TLS channels for encrypted communication between those devices. This is NOT a expert area of mine (in fact I'm not entirely sure what is, but I digress) however, I would suspect that this to be a similar thing for the VCSs. The way I understand it is that mutual TLS channels are device specific as as such a generic domain certs would not be suitable, however, I'm not entirely sure if this is 100% correct.

Still, you would only need to issue internal cert of the VCS-C and (if required) public certs for the VCS-Es.

I was just reviewing the

I was just reviewing the certificate creation & use guide and it mentioned that each VCS needs to generate a CSR for its cert, so I would need to have at least 4 different certs???  That is crazy, what is the point of having the SAN then?

 

Right now we have a SAN cert with 100 hosts on it that we use for all our equipment, I don't want to have to maintain tons of certs....

 

I will do some more testing.

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

1) Yes I did, these are

1) Yes I did, these are public certs.  I ran the client validation test tool within the VCS on the cert and it passes.

 

2) I tried the cluster FQDN, still did not work.

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ
1047
Views
0
Helpful
7
Replies
CreatePlease to create content