Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CUCM 10.5 Security Certificates For Jabber

I have deployed Jabber 10.5 on our devices (PC, IPhone, IPAD, Android) They all work inside the office and I have them working outside the office with our express core and edge. 

The jabber client keeps coming up and asking to confirm certificates.  I know this is because I need authentic third party certs.

 

So I went to Go daddy and got all my SSL certs. 

CUCM.xxx.net

CUPS.xxx.net

VCSc.xxx.net

vcse.xxx.net

 

Here is the issue.

I uploaded all these certs to the devices.  Express Core and edge are all good. 

I uploaded the certs to CUCM and CUPS to the tomcat-trust along with the intermediate

They show up in the list but are not used for some reason.  When I setup a jabber client or go to the web GUI it still shows the self signed cert. 

I have restarted the services etc... 

I also notice that the tomcat-trust has four differ net certificates.  How does it know which one to use?

What am I doing wrong or missing here?

 

Everyone's tags (1)
10 REPLIES
Cisco Employee

Have you actually uploaded

Have you actually uploaded the tomcat cert???

You only mention the tomcat-trust, that one is no the actual certificate that will be used.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Yes.When I do it always gives

Yes.

When I do it always gives me this error (see Capture).  I have generated the CSR and used that request to get the certificate.

Under certificate manager I have two listings

Tomcat    cucm.xxx.net   CSR only

Tomcat cucm.xxx.net   Self signed

 

 

Cisco Employee

Then there's your problem,

Then there's your problem, that's the cert that you need to upload after you've uploaded the godaddy cert, or cert chain to tomcat trust so that you can upload the CSR they signed and it's not rejected.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

At this point I am opening a

At this point I am opening a TAC case.  I spoke with Godaddy and they said they cannot take out the SAN of WWW.cucm.xxx.net which I believe is where my problem is coming from. 

New Member

I finally got the answer to

I finally got the answer to this riddle.  When you generate your CSR for the tomcat remove the parent domain info.  For instance: if you are cucm.xyz.com the distribution and common name would be cucm.xyz.com then by default it would enter xyz.com in the parent domain field.

 

If your CUCM is behind the firewall and your internal dns is xyz.local the CSR will never work. If you remove the parent domain info then generate your CSR it will work.

When you upload with Godaddy put the string, and intermediates into the tomcat trust first then put your cert into the tomcat.

 

 

In addition to what Jaime

In addition to what Jaime mentioned, in your certificate SAN, do you have a domain that is not public? If yes, Godaddy removes that domain when it signs the CSR and if that domain is not present in the signed certificate, Cisco UC apps rejects that signed cert. 

Please rate useful posts.
New Member

No.  The only things in the

No.  The only things in the SAN are www.cucm.xxx.net and cucm.xxx.net

At this point I am thinking I should delete out all their certificates I have uploaded. Regenerate the CSR. Get new certificate from go daddy. and start all over.  Maybe I loaded them in the wrong order to the wrong areas? 

I cannot find a step by step doc that says exactly how to do this. 

 

I am afraid if I remove them though I will kill phone communications or something because of certificate issues.

 

 

I take it that xxx.net is

I take it that xxx.net is registered with go-daddy? If yes, then i would start fresh. Upload the root CA, then the intermediate to the tomcat-trust store and finally the signed cert to the tomcat hive. Do not delete your tomcat certificate but you can delete the Godaddy certificates under the tomcat-trust store. When you regenerate the CSR for tomcat, the tomcat cert will be regenerated as well after the signed cert is uploaded.. Good luck!

 

Please rate useful posts.
New Member

So... Couple things  Go Daddy

So... 

Couple things  Go Daddy typically does not send the correct intermediates and roots so you have to download them from their alternate site. 

I am still getting the CSR SAN and Certificate SAN do not match. 

The only difference I can see is that my certificate has www.cucm.xxx.net and cucm.xxx.net and the CSR only had cucm.xxx.net

I am stumped.

For intermediate and roots, i

For intermediate and roots, i open up the signed certificate and export it that way. 

I have seen Go-daddy doing that with the SAN and a ticket with them usually resolves that issue.

Please rate useful posts.
1448
Views
7
Helpful
10
Replies
CreatePlease to create content