
CUCM 10.5 Security Certificates For Jabber

Brandon Rebbe
Level 1

I have deployed Jabber 10.5 on our devices (PC, iPhone, iPad, Android). They all work inside the office and I have them working outside the office with our express core and edge.

The Jabber client keeps coming up and asking to confirm certificates. I know this is because I need authentic third party certs.

So I went to GoDaddy and got all my SSL certs.

CUCM.xxx.net

CUPS.xxx.net

VCSc.xxx.net

vcse.xxx.net

 

Here is the issue.

I uploaded all these certs to the devices.  Express Core and edge are all good. 

I uploaded the certs to CUCM and CUPS to the tomcat-trust along with the intermediate.

They show up in the list but are not used for some reason. When I set up a Jabber client or go to the web GUI it still shows the self-signed cert.

I have restarted the services etc...

I also notice that the tomcat-trust has four different certificates. How does it know which one to use?

What am I doing wrong or missing here?

 

10 Replies

Jaime Valencia
Cisco Employee
Cisco Employee

Have you actually uploaded the tomcat cert???

You only mention the tomcat-trust, that one is not the actual certificate that will be used.

HTH

java

if this helps, please rate

Yes.

When I do, it always gives me this error (see Capture). I have generated the CSR and used that request to get the certificate.

Under certificate manager I have two listings

Tomcat    cucm.xxx.net   CSR only

Tomcat cucm.xxx.net   Self signed

 

 

Then there's your problem, that's the cert that you need to upload after you've uploaded the godaddy cert, or cert chain to tomcat trust so that you can upload the CSR they signed and it's not rejected.

HTH

java

if this helps, please rate

At this point I am opening a TAC case. I spoke with GoDaddy and they said they cannot take out the SAN of WWW.cucm.xxx.net which I believe is where my problem is coming from.

I finally got the answer to this riddle. When you generate your CSR for the tomcat, remove the parent domain info. For instance: if you are cucm.xyz.com, the distribution and common name would be cucm.xyz.com, then by default it would enter xyz.com in the parent domain field.

If your CUCM is behind the firewall and your internal DNS is xyz.local, the CSR will never work. If you remove the parent domain info then generate your CSR, it will work.

When you upload with GoDaddy, put the string and intermediates into the tomcat trust first, then put your cert into the tomcat.

 

 

In addition to what Jaime mentioned, in your certificate SAN, do you have a domain that is not public? If yes, GoDaddy removes that domain when it signs the CSR and if that domain is not present in the signed certificate, Cisco UC apps reject that signed cert.

Please rate useful posts.

No. The only things in the SAN are www.cucm.xxx.net and cucm.xxx.net

At this point I am thinking I should delete out all their certificates I have uploaded. Regenerate the CSR. Get a new certificate from GoDaddy, and start all over. Maybe I loaded them in the wrong order to the wrong areas?

I cannot find a step-by-step doc that says exactly how to do this.

 

I am afraid if I remove them though I will kill phone communications or something because of certificate issues.

 

 

I take it that xxx.net is registered with GoDaddy? If yes, then I would start fresh. Upload the root CA, then the intermediate to the tomcat-trust store and finally the signed cert to the tomcat hive. Do not delete your tomcat certificate but you can delete the GoDaddy certificates under the tomcat-trust store. When you regenerate the CSR for tomcat, the tomcat cert will be regenerated as well after the signed cert is uploaded. Good luck!

 

Please rate useful posts.

So... 

Couple things: GoDaddy typically does not send the correct intermediates and roots, so you have to download them from their alternate site.

I am still getting the CSR SAN and Certificate SAN do not match. 

The only difference I can see is that my certificate has www.cucm.xxx.net and cucm.xxx.net and the CSR only had cucm.xxx.net

I am stumped.

For intermediate and roots, I open up the signed certificate and export it that way.

I have seen GoDaddy doing that with the SAN and a ticket with them usually resolves that issue.

Please rate useful posts.
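
The CSR/certificate SAN mismatch discussed in this thread can be checked on a workstation before the signed certificate is uploaded. The script below is an added example, not part of any post in the thread: it compares the DNS SAN entries requested in a CSR with those in the certificate the CA returned. The function names, the `cucm.example.net` hostnames and the throwaway demo CA are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): compare the DNS SANs requested in a CSR
# with the DNS SANs in the certificate the CA returned, before uploading it.

# san_list req|x509 FILE -> DNS SAN entries, lower-cased, one per line, sorted
san_list() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '[:upper:]' '[:lower:]' | sort -u
}

# only_in A B -> entries of list A that are absent from list B
only_in() {
  printf '%s\n' "$1" | while read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# compare_san CSR CERT -> 0 if the DNS SAN sets are identical, 1 if not, 2 if the CSR has none
compare_san() {
  csr_sans=$(san_list req "$1"); cert_sans=$(san_list x509 "$2")
  [ -n "$csr_sans" ] || { echo "no DNS SAN found in CSR" >&2; return 2; }
  [ "$csr_sans" = "$cert_sans" ] && { echo "SAN sets match"; return 0; }
  only_in "$csr_sans" "$cert_sans" | sed 's/^/only in CSR: /'
  only_in "$cert_sans" "$csr_sans" | sed 's/^/only in certificate: /'
  return 1
}

# make_demo DIR: constructed sample data. A throwaway CA signs one CSR twice,
# once exactly as requested and once with an extra "www." SAN added by the CA.
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" \
    -subj "/CN=cucm.example.net" -addext "subjectAltName=DNS:cucm.example.net" 2>/dev/null
  echo "subjectAltName=DNS:cucm.example.net" > "$1/same.ext"
  echo "subjectAltName=DNS:www.cucm.example.net,DNS:cucm.example.net" > "$1/www.ext"
  for v in same www; do
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -extfile "$1/$v.ext" -out "$1/$v.pem" 2>/dev/null
  done
}

# With two arguments, check real files; with none, run the constructed demo.
if [ $# -eq 2 ]; then compare_san "$1" "$2"; else
  d=$(mktemp -d) && make_demo "$d" && compare_san "$d/srv.csr" "$d/www.pem" || echo "demo: mismatch detected, as constructed"
  rm -rf "$d"
fi
```

Run it as `sh check_san.sh tomcat.csr tomcat.pem` (file names are placeholders); a non-zero exit status means the two SAN sets differ.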