I have deployed Jabber 10.5 on our devices (PC, IPhone, IPAD, Android) They all work inside the office and I have them working outside the office with our express core and edge.
The jabber client keeps coming up and asking to confirm certificates. I know this is because I need authentic third party certs.
So I went to Go daddy and got all my SSL certs.
Here is the issue.
I uploaded all these certs to the devices. Express Core and edge are all good.
I uploaded the certs to CUCM and CUPS to the tomcat-trust along with the intermediate
They show up in the list but are not used for some reason. When I setup a jabber client or go to the web GUI it still shows the self signed cert.
I have restarted the services etc...
I also notice that the tomcat-trust has four differ net certificates. How does it know which one to use?
What am I doing wrong or missing here?
Have you actually uploaded the tomcat cert???
You only mention the tomcat-trust, that one is no the actual certificate that will be used.
Then there's your problem, that's the cert that you need to upload after you've uploaded the godaddy cert, or cert chain to tomcat trust so that you can upload the CSR they signed and it's not rejected.
At this point I am opening a TAC case. I spoke with Godaddy and they said they cannot take out the SAN of WWW.cucm.xxx.net which I believe is where my problem is coming from.
I finally got the answer to this riddle. When you generate your CSR for the tomcat remove the parent domain info. For instance: if you are cucm.xyz.com the distribution and common name would be cucm.xyz.com then by default it would enter xyz.com in the parent domain field.
If your CUCM is behind the firewall and your internal dns is xyz.local the CSR will never work. If you remove the parent domain info then generate your CSR it will work.
When you upload with Godaddy put the string, and intermediates into the tomcat trust first then put your cert into the tomcat.
In addition to what Jaime mentioned, in your certificate SAN, do you have a domain that is not public? If yes, Godaddy removes that domain when it signs the CSR and if that domain is not present in the signed certificate, Cisco UC apps rejects that signed cert.
No. The only things in the SAN are www.cucm.xxx.net and cucm.xxx.net
At this point I am thinking I should delete out all their certificates I have uploaded. Regenerate the CSR. Get new certificate from go daddy. and start all over. Maybe I loaded them in the wrong order to the wrong areas?
I cannot find a step by step doc that says exactly how to do this.
I am afraid if I remove them though I will kill phone communications or something because of certificate issues.
I take it that xxx.net is registered with go-daddy? If yes, then i would start fresh. Upload the root CA, then the intermediate to the tomcat-trust store and finally the signed cert to the tomcat hive. Do not delete your tomcat certificate but you can delete the Godaddy certificates under the tomcat-trust store. When you regenerate the CSR for tomcat, the tomcat cert will be regenerated as well after the signed cert is uploaded.. Good luck!
Couple things Go Daddy typically does not send the correct intermediates and roots so you have to download them from their alternate site.
I am still getting the CSR SAN and Certificate SAN do not match.
The only difference I can see is that my certificate has www.cucm.xxx.net and cucm.xxx.net and the CSR only had cucm.xxx.net
I am stumped.
For intermediate and roots, i open up the signed certificate and export it that way.
I have seen Go-daddy doing that with the SAN and a ticket with them usually resolves that issue.