[cisco-voip] Digicert Wildcard certificates

Heim, Dennis Dennis.Heim at wwt.com
Wed Jul 15 14:16:26 EDT 2015


If you have not seen the Cisco Live session on collab security I would definitely recommend it. It had some good discussion on certificates. Based on that, wildcard certs will never be supported on CUCM and the like and are frowned upon within the security community.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
Twitter: https://twitter.com/CollabSensei
Chat: xmpp:dennis.heim at wwt.com | Phone: tel:+13142121814 | Video: sip:dennis.heim at wwt.com
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it.” – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: Eric Pedersen [mailto:PedersenE at bennettjones.com]
Sent: Wednesday, July 15, 2015 12:51 PM
To: Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: RE: [cisco-voip] Digicert Wildcard certificates

Good point. I spoke too soon: we use wildcard certificates on VCS-E and WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard certificates either but everything seems to work provided the hostnames are configured as SANs. CUCM might be the same with the multi-server certificate but I haven’t tried.

From: Anthony Holloway [mailto:avholloway+cisco-voip at gmail.com]
Sent: 15 July 2015 10:43 AM
To: Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wildcard certs are not supported. Are we talking about the same thing here?

On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <PedersenE at bennettjones.com<mailto:PedersenE at bennettjones.com>> wrote:
Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I’ve found the hardest thing is to find a cert provider that likes putting the domain as a SAN, such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ian Anderson
Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates
On 15 July 2015 at 15:02, NateCCIE <nateccie at gmail.com<mailto:nateccie at gmail.com>> wrote:
Did you put all of your SANs in the digicert page?
I have this working on all of my expressway installs.

Hi Nate,

Thanks for the quick response. Just for preservation in the archives for future posterity, and as confirmation that DigiCert seems fine despite the warnings in the manuals, it seemed I was running into two separate issues:

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA.
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers

Ian


The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
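As an added example (not code from the thread, Cisco or DigiCert), a small Python check that pulls the dNSName SANs out of a DER certificate with a minimal TLV reader and flags the three things the thread turns on: a required host with no exact SAN match (the fat-fingered hostname), wildcard entries, which CUCM does not accept, and whether the bare domain (DNS=mycollab.com) needed for service discovery is present. The certificate bytes are constructed inline (only the SAN extension is real DER) and the hostnames are assumed.

```python
"""Sanity-check a certificate's SAN list before uploading it to CUCM/Expressway.
DER is parsed with a tiny TLV reader, so no third-party library is needed."""

SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(cert_der):
    """Return the dNSName entries of the first subjectAltName extension found."""
    idx = cert_der.find(SAN_OID)
    if idx < 0:
        return []
    tag, val, pos = _tlv(cert_der, idx + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes the OCTET STRING
        tag, val, pos = _tlv(cert_der, pos)
    _, general_names, _ = _tlv(val, 0)  # OCTET STRING wraps SEQUENCE OF GeneralName
    names, p = [], 0
    while p < len(general_names):
        tag, item, p = _tlv(general_names, p)
        if tag == 0x82:  # [2] IMPLICIT IA5String = dNSName
            names.append(item.decode("ascii").lower())
    return names

def check_sans(sans, required_hosts, service_domain):
    """Flag hosts with no exact SAN, wildcard entries, and a missing bare domain."""
    present = {s.lower() for s in sans}
    return {
        "missing": sorted(h for h in map(str.lower, required_hosts) if h not in present),
        "wildcards": sorted(s for s in present if s.startswith("*.")),
        "bare_domain_present": service_domain.lower() in present,
    }

def _der(tag, value):
    """Encode one short-form DER TLV (value under 128 bytes; enough for the sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: only the SAN extension is real DER; the leading bytes stand
# in for the rest of a certificate. Note the typo in the Expressway hostname.
_ENTRIES = [b"cucm-pub.mycollab.com", b"expressway-e.mycolab.com", b"*.mycollab.com", b"mycollab.com"]
SAMPLE_CERT = b"\x30\x82\x01\x00" + _der(0x30, SAN_OID + _der(0x04, _der(0x30, b"".join(_der(0x82, e) for e in _ENTRIES))))
REQUIRED_HOSTS = ["cucm-pub.mycollab.com", "expressway-e.mycollab.com"]  # assumed hostnames

if __name__ == "__main__":
    found = san_dns_names(SAMPLE_CERT)
    print(found, check_sans(found, REQUIRED_HOSTS, "mycollab.com"))
```

Run it against a real certificate by reading the DER file bytes in place of SAMPLE_CERT; a non-empty "missing" list means the upload will fail hostname validation exactly as Ian's did.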

