[cisco-voip] Recommendation For Certificate Provider For Jabber/Presence Use

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Feb 5 14:33:08 EST 2015


Shoot, I wasn't clear enough in my last email.  I meant to say:

iPhone Jabber clients (or iOS in general) will require public Trusted Root
CA signed certs for all internal servers as well.  Otherwise, they will
still receive a pop up warning when connecting to CUCM, IM&P, CUC, etc.

On Thu Feb 05 2015 at 12:31:45 PM Heim, Dennis <Dennis.Heim at wwt.com> wrote:

> For those Windows clients you can run the following:
>
> certutil -verify -urlfetch <Path-to-CUPS-tomcat-cert.cer>
>
> That should show why the certificate is failing validation. If you use an
> internal CA to sign your certs, include the following subject alternative
> names:
> DNS:<FQDN>
> DNS:<Hostname>
> DNS:<IP-Address>
> IP:<IP-Address>
>
> I find that overkill usually helps certs validate.
>
> A few other things:
> -If using internal certificates, make sure that the AIA and CRL are
> published outside of Active Directory (aka via URL)
> -Make sure your template is supporting Server AND Client authentication.
>
> If you are using MRA, then the Expressway-E is the only entity that should
> require an external certificate.
>
> Hope this helps.
>
>
>
> Dennis Heim | Emerging Technology Architect (Collaboration)
> World Wide Technology, Inc. | +1 314-212-1814
>
>
> "Innovation happens on project squared" -- http://www.projectsquared.com
>
>
> -----Original Message-----
> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of
> Gary Parker
> Sent: Thursday, February 05, 2015 11:24 AM
> To: Cisco VoIP Group
> Subject: [cisco-voip] Recommendation For Certificate Provider For
> Jabber/Presence Use
>
> Hi folks, I’m in the process of replacing a load of self-signed certs on
> my 8.6.x CUCM, CUC and CUP servers.
>
> I’ve been having issues getting certs with the correct KeyUsage extensions
> from our current provider and wondered if anyone could recommend a company
> who can provide certificates that honour the requirements in the CSRs
> generated by the Cisco Unified Communications servers.
>
> I’m particularly interested in certificates that contain the
> "digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
> extensions as per:
>
> http://blog.warcop.com/2015/01/22/cisco-jabber-certificate-warning-again/
>
> Jabber for Windows clients 9.2.5 and greater are flagging invalid
> certificates on our currently installed TERENA certificates.
>
> ---
> /-Gary Parker----------------------------------f--\
> |     Unified Communications Service Manager      |
> n       Loughborough University IT Services       |
> |     Tel: +441509635635  Mob: +447989172258      o
> |     http://delphium.lboro.ac.uk/pubkey.txt      |
> \r----------------------------------------------d-/
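
The requirements raised in this thread (the four KeyUsage bits from the original question, plus the Server and Client authentication usages and the subject alternative names from the reply) can be checked on an issued certificate before it is installed. The following PowerShell is an added example, not part of the original messages; the function name `Test-UcCertificate`, the host names and the self-signed test certificate are constructed for illustration, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not from the thread): lists what a certificate lacks
# relative to the KeyUsage, EKU and SAN requirements mentioned above.
function Test-UcCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [string[]]$Names = @())
    $problems = @()

    # KeyUsage (OID 2.5.29.15): the four bits named in the original question.
    $ku   = [X509KeyUsageExtension]$Cert.Extensions['2.5.29.15']
    $have = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    foreach ($flag in 'DigitalSignature', 'NonRepudiation', 'KeyEncipherment', 'DataEncipherment') {
        if (-not $have.HasFlag([X509KeyUsageFlags]$flag)) { $problems += "KeyUsage missing: $flag" }
    }

    # Extended Key Usage (OID 2.5.29.37): Server AND Client authentication.
    $eku  = [X509EnhancedKeyUsageExtension]$Cert.Extensions['2.5.29.37']
    $oids = @(); if ($eku) { foreach ($o in $eku.EnhancedKeyUsages) { $oids += $o.Value } }
    $want = [ordered]@{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
    foreach ($oid in $want.Keys) { if ($oids -notcontains $oid) { $problems += "EKU missing: $($want[$oid])" } }

    # SAN (OID 2.5.29.17): the formatted text differs by platform, so match each
    # expected name as a whole token rather than parsing the layout.
    $san  = $Cert.Extensions['2.5.29.17']
    $text = if ($san) { $san.Format($false) } else { '' }
    foreach ($n in $Names) {
        if ($text -notmatch "(?<![\w.-])$([regex]::Escape($n))(?![\w.-])") { $problems += "SAN missing: $n" }
    }
    $problems
}

# Constructed test input: a self-signed certificate deliberately missing two
# KeyUsage bits, the client authentication EKU and the short host name.
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=cups01.example.test', $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]'DigitalSignature, KeyEncipherment', $true))
$ekus = [OidCollection]::new(); [void]$ekus.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$sanb = [SubjectAlternativeNameBuilder]::new(); $sanb.AddDnsName('cups01.example.test')
$req.CertificateExtensions.Add($sanb.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-UcCertificate -Cert $cert -Names 'cups01.example.test', 'cups01'
```

To check a certificate returned by a CA, pass `[X509Certificate2]::new('<Path-to-cert.cer>')` as `-Cert`; an empty result means none of the listed items is missing.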