[cisco-voip] CUCM Certificate question

Nate VanMaren VanMarenNP at ldschurch.org
Wed Dec 5 13:29:26 EST 2012


You can set it here, but I don't know if I've seen the SANs (alternatehostname) used when generating the CSR; I think I've only seen them used with the self-signed cert.

admin:set web-security ?
Syntax:
set web-security orgunit orgname locality state
orgunit  mandatory   organizational unit
orgname  mandatory   organizational name
locality mandatory   location of organization
state    mandatory   state of organization
country  optional   country code can not be changed
alternatehostname  optional   alternate host name

In the screenshots, I include the text to add the SANs that you want for the cert. I believe in the cases of a Unity Connection server, you need to include the cluster SANs as well, because this overwrites the SANs in the CSR. (I think)

-Nate


From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Nate VanMaren
Sent: Wednesday, December 05, 2012 11:11 AM
To: Erick Wellnitz; cisco-voip
Subject: Re: [cisco-voip] CUCM Certificate question


Generate CSR from OS Administration



[Screenshot: Generate Certificate Signing Request dialog. Certificate Name: tomcat. Status: Success: Certificate Signing Request Generated]



Download the CSR

[Screenshot: Download Certificate Signing Request dialog. Certificate Name: tomcat]



Login to your CA



[Screenshot: Select a task: Request a certificate]



Then:

[Screenshot: Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.]

Paste the contents of the CSR in the request area.

Select Web Server

Put in the additional Attributes for the SAN, IP, short and long hostname, and cluster name for load balance

san:dns=5.5.5.5&dns=asiavp1&dns=asiavp1.ldschurch.org&dns=asiavp&dns=asiavp.ldschurch.org



[Screenshot: Submit a Certificate Request or Renewal Request form, with the CSR pasted into Saved Request, Certificate Template set to Web Server, and the SAN string entered in Additional Attributes]



Download the Cert Chain.

[Screenshot: DER encoded or Base 64 encoded; Download certificate; Download certificate chain]



Upload to CM

[Screenshot: Upload Certificate/Certificate chain dialog. Certificate Name: tomcat. Upload File: C:\tftp\asiavp1.p7b]


From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Erick Wellnitz
Sent: Wednesday, December 05, 2012 9:24 AM
To: cisco-voip
Subject: [cisco-voip] CUCM Certificate question

CUCM 8.6.2
MS internal certificate services

What I need to do is generate a certificate with three subject alternative names. So far, I haven't been able to get my generated cert to work. The self-signed cert is still being used. Anyone ever made this kind of thing work? I have had it working by using the CSR but that doesn't allow me to add the needed SANs.

Any ideas would be much appreciated!


NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
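
Added example (not part of the original thread, and not Cisco or Microsoft code): a pre-submission check of the "san:" string pasted into the CA's Additional Attributes field in the procedure above, so a missing or mistyped name is caught before the cert is issued and uploaded. The function names and the REQUIRED list are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_san_attribute(attr):
    """Split 'san:type=value&type=value' into a list of (type, value) pairs."""
    prefix, sep, body = attr.strip().partition(":")
    if prefix.lower() != "san" or not sep or not body:
        raise ValueError("attribute must start with 'san:'")
    pairs = []
    for item in body.split("&"):
        kind, eq, value = item.partition("=")
        if not eq or not value.strip():
            raise ValueError(f"malformed entry: {item!r}")
        pairs.append((kind.strip().lower(), value.strip()))
    return pairs

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_san_attribute(attr, required):
    """Return findings for a SAN attribute string against the names clients use."""
    pairs = parse_san_attribute(attr)
    present = {v.lower() for _, v in pairs}
    dns_values = [v for k, v in pairs if k == "dns"]
    return {
        # Names users or load balancers connect to that the cert would not cover.
        "missing": sorted(n for n in required if n.lower() not in present),
        # IP literals carried as dNSName: clients that follow RFC 2818 match an
        # IP only against an iPAddress SAN entry, so these may not validate.
        "ip_as_dns": [v for v in dns_values if is_ip(v)],
        # Neither an IP nor a valid hostname (typos, stray spaces from pasting).
        "bad_hostname": [v for v in dns_values if not is_ip(v)
                         and not all(_LABEL.match(p) for p in v.split("."))],
    }

# POSTED is the string from the post; REQUIRED is an assumed list of the names
# clients will connect to (IP, short and long hostname, cluster name).
POSTED = "san:dns=5.5.5.5&dns=asiavp1&dns=asiavp1.ldschurch.org&dns=asiavp&dns=asiavp.ldschurch.org"
REQUIRED = ["5.5.5.5", "asiavp1", "asiavp1.ldschurch.org",
            "asiavp", "asiavp.ldschurch.org"]

if __name__ == "__main__":
    print(audit_san_attribute(POSTED, REQUIRED))
```

After the CA issues the certificate, compare its Subject Alternative Name extension against the same list before uploading it as the tomcat certificate.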




