[cisco-voip] CSR Information

Cisco Google ciscojonnyp at gmail.com
Tue May 5 10:15:21 EDT 2015


As mentioned, I would use the show web-security command and check what you have in the SubjectAltName.
If I remember correctly, changing it using the set web-security requires you to fill in the (Org Unit, The Org, Location, state, country), then you add the new Alternate name.
Changing it incorrectly can lead to the license being invalidated.



> On 4 May 2015, at 17:00, cisco-voip-request at puck.nether.net wrote:
> 
> Today's Topics:
> 
>   1. CSR Information (Leslie Meade)
>   2. Re: CSR Information (James Buchanan)
>   3. Re: CSR Information (Leslie Meade)
>   4. Re: CSR Information (Brian Meade)
>   5. Re: QOS - Looking for another set of eyeballs (Rob Dawson)
>   6. Certificates expires - what happens next? (Reto Gassmann)
>   7. Re: Certificates expires - what happens next? (Jason Aarons (AM))
>   8. Re: Certificates expires - what happens next? (0703Manjunath)
>   9. Re: Certificates expires - what happens next? (0703Manjunath)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 4 May 2015 14:13:08 +0000
> From: Leslie Meade <Leslie.Meade at lvs1.com>
> To: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: [cisco-voip] CSR Information
> Message-ID: <1430748787033.81773 at lvs1.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I am exporting the Tomcat certs and I have checked it against a CSR checker to make sure that everything is good before I submit the CSR.
> 
> But I am getting a "," in my Subject Alternative Name.
> 
> 
> For example
> 
> 
> Subject Alternative Name: , ca.forces.net
> 
> 
> There is a comma in the subject field and I do not know where to fix it. I have checked the web-security and there seems to be nothing funny there.
> 
> 
> https://www.sslshopper.com/csr-decoder.html,
> 
> 
> 
> Leslie
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 4 May 2015 10:15:57 -0400
> From: James Buchanan <james.buchanan2 at gmail.com>
> To: Leslie Meade <Leslie.Meade at lvs1.com>
> Cc: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] CSR Information
> Message-ID:
> 	<CAOMgg-+KQkrDzyW8DzMJQ3JUYv_pQcGcPX=kvqAn5L8DwYPg3Q at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Check the parent domain field and see if a space has made its way into it.
> 
> On Mon, May 4, 2015 at 10:13 AM, Leslie Meade <Leslie.Meade at lvs1.com> wrote:
> 
>> I am exporting the Tomcat certs and I have checked it against a CSR
>> checker to make sure that everything is good before I submit the CSR.
>> 
>> But I am getting a "," in my Subject Alternative Name.
>> 
>> 
>> For example
>> 
>> 
>> Subject Alternative Name: , ca.forces.net
>> 
>> 
>> There is a comma in the subject field and I do not know where to fix it.
>> I have checked the web-security and there seems to be nothing funny there.
>> 
>> 
>> https://www.sslshopper.com/csr-decoder.html,
>> 
>> 
>> 
>> Leslie
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>> 
>> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 4 May 2015 14:19:32 +0000
> From: Leslie Meade <Leslie.Meade at lvs1.com>
> To: James Buchanan <james.buchanan2 at gmail.com>
> Cc: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] CSR Information
> Message-ID: <1430749171070.50513 at lvs1.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Nope, that's not it. I checked that as well.
> 
> 
> ________________________________
> From: James Buchanan <james.buchanan2 at gmail.com>
> Sent: Monday, May 4, 2015 7:15 AM
> To: Leslie Meade
> Cc: cisco-voip (cisco-voip at puck.nether.net)
> Subject: Re: [cisco-voip] CSR Information
> 
> Check the parent domain field and see if a space has made its way into it.
> 
> On Mon, May 4, 2015 at 10:13 AM, Leslie Meade <Leslie.Meade at lvs1.com> wrote:
> 
> I am exporting the Tomcat certs and I have checked it against a CSR checker to make sure that everything is good before I submit the CSR.
> 
> But I am getting a "," in my Subject Alternative Name.
> 
> 
> For example
> 
> 
> Subject Alternative Name: , ca.forces.net
> 
> 
> There is a comma in the subject field and I do not know where to fix it. I have checked the web-security and there seems to be nothing funny there.
> 
> 
> https://www.sslshopper.com/csr-decoder.html,
> 
> 
> 
> Leslie
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 4 May 2015 10:41:17 -0400
> From: Brian Meade <bmeade90 at vt.edu>
> To: Leslie Meade <Leslie.Meade at lvs1.com>
> Cc: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] CSR Information
> Message-ID:
> 	<CAGcuYh1jYxpkCDkBOZW2p2buxwbvMS2gFRo7fLndPAXCYW-EzA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> You could do another "set web-security" and go through it to make sure no
> one added a comma before the SAN then create another CSR.
> 
> On Mon, May 4, 2015 at 10:13 AM, Leslie Meade <Leslie.Meade at lvs1.com> wrote:
> 
>> I am exporting the Tomcat certs and I have checked it against a CSR
>> checker to make sure that everything is good before I submit the CSR.
>> 
>> But I am getting a "," in my Subject Alternative Name.
>> 
>> 
>> For example
>> 
>> 
>> Subject Alternative Name: , ca.forces.net
>> 
>> 
>> There is a comma in the subject field and I do not know where to fix it.
>> I have checked the web-security and there seems to be nothing funny there.
>> 
>> 
>> https://www.sslshopper.com/csr-decoder.html,
>> 
>> 
>> 
>> Leslie
>> 
>> 
>> 
>> 
>> 
>> 
> 
> ------------------------------
> 
> Message: 5
> Date: Mon, 4 May 2015 14:59:56 +0000
> From: Rob Dawson <rdawson at force3.com>
> To: Ryan Huff <ryanhuff at outlook.com>
> Cc: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] QOS - Looking for another set of eyeballs
> Message-ID:
> 	<E7C1EF44B801B44FBCD9A042718D70135B1725E8 at CRO-EXCH01.FORCE3.CORP>
> Content-Type: text/plain; charset="windows-1252"
> 
> The UCCX SRND states that "Unified CCX software does not mark any network packet, so ensure that you mark the traffic at the network edge routers", so that traffic is likely not marked EF and would therefore not match the class-map, unless you are classifying it somewhere else?
> 
> Rob
> 
> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Huff
> Sent: Monday, May 04, 2015 8:13 AM
> To: Ed Leatherman
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] QOS - Looking for another set of eyeballs
> 
> Ed,
> 
> Thanks for the reply. Yes it is the intent to match ef and ACL 51. The access list contains a /24 of servers for UCCE/UCCX products. I thought an ACL to be easier than trying to match vXML/CVP traffic inside of HTTP traffic.
> 
> Thanks for the second set of eyes.
> 
> -r
> 
> ________________________________
> Date: Mon, 4 May 2015 07:53:32 -0400
> Subject: Re: [cisco-voip] QOS - Looking for another set of eyeballs
> From: ealeatherman at gmail.com
> To: ryanhuff at outlook.com
> CC: cisco-voip at puck.nether.net
> Ryan,
> 
> The match-all keyword in your class-map VOICE is going to cause it to only match things that are BOTH EF marked AND match acl-51 - I couldn't tell from your initial email if that was your intent. If you want just either type of traffic to get the VOICE treatment then you need match-any.
> 
> Also agree with John re: using priority instead so that it kicks in LLQ for those packets.
> 
> On Sat, May 2, 2015 at 9:55 AM, Ryan Huff <ryanhuff at outlook.com> wrote:
> The below OUT map, applied in the output direction on a WAN(mpls) facing interface, should put RTP, Signaling and anything from access-list 51 at the top of the heap and give everything else best effort.
> 
> Not that anything isn't working, I just want to make sure I'm not making something up ... etc. Seems basic but I don't get to play with QOS everyday :)
> 
> router-3925#sh run | sec class-map|policy-map|access-list 51
> !
> !
> class-map match-all VOICE
> match ip dscp ef
> match access-group 51
> class-map match-any CALL-SIGNALING
> match ip dscp cs3
> match ip dscp af31
> !
> !
> policy-map WAN-OUT
> class VOICE
>  bandwidth percent 30
> class CALL-SIGNALING
>  bandwidth percent 10
> class class-default
>  fair-queue
> !
> !
> access-list 51 permit 001.002.003.004 0.0.0.255
> 
> 
> 
> --
> Ed Leatherman
> 
> ------------------------------
> 
> Message: 6
> Date: Mon, 4 May 2015 17:09:53 +0200
> From: Reto Gassmann <voip at mrga.ch>
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] Certificates expires - what happens next?
> Message-ID:
> 	<CAL4H0Z6LacKckOQSxPc_u2Yx7z08q71nS9wfLrkSuksohnXkNg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hello Group
> 
> I am just curious what happens when certificates on a CUCM cluster
> expire. We run a UCM cluster 9.1.2 in Mix Mode with 8 UCM servers and 2 CUPS
> servers.
> 
> What happens if one or all of the following certificates expire:
> CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the according -trust
> certificates.
> 
> Will the UCM cluster stop working, DB replication issues or will I have
> error messages on the phones?
> 
> Thanks for your thoughts
> Regards Reto
> 
> ------------------------------
> 
> Message: 7
> Date: Mon, 4 May 2015 15:13:36 +0000
> From: "Jason Aarons (AM)" <jason.aarons at dimensiondata.com>
> To: Reto Gassmann <voip at mrga.ch>, "cisco-voip at puck.nether.net"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] Certificates expires - what happens next?
> Message-ID:
> 	<2EB6888CFB98614EA7384BEB9AF8B382171C8520 at usispsvexdb03.na.didata.local>
> 	
> Content-Type: text/plain; charset="utf-8"
> 
> Ipsec stop db replication ?
> 
> You'll want to regenerate etc during a maintenance window.
> 
> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Reto Gassmann
> Sent: Monday, May 4, 2015 11:10 AM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] Certificates expires - what happens next?
> 
> 
> 
> Hello Group
> 
> 
> I am just curious what happens when certificates on a CUCM cluster expire. We run a UCM cluster 9.1.2 in Mix Mode with 8 UCM servers and 2 CUPS servers.
> 
> 
> What happens if one or all of the following certificates expire: CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the according -trust certificates.
> 
> 
> Will the UCM cluster stop working, DB replication issues or will I have error messages on the phones?
> 
> 
> Thanks for your thoughts
> Regards Reto
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Mon, 4 May 2015 20:48:03 +0530
> From: 0703Manjunath <winmanjunath at gmail.com>
> To: Reto Gassmann <voip at mrga.ch>
> Cc: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] Certificates expires - what happens next?
> Message-ID:
> 	<CAJJqyqQtC+LFgMJCN+8_URFz+XKFAV1qfFNCuEGqXcdHtS6Ymg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Reto, the case would be with replication issues. Also, you will have to
> re-generate the certificate on pub & upload the same to sub after expiry
> of current.
> 
> I have dealt with certificate issue with 9.x cucm as given above.
> See if this helps you.
> 
> cheers
> 
> On Mon, May 4, 2015 at 8:39 PM, Reto Gassmann <voip at mrga.ch> wrote:
> 
>> Hello Group
>> 
>> I am just curious what happens when certificates on a CUCM cluster
>> expire. We run a UCM cluster 9.1.2 in Mix Mode with 8 UCM servers and 2 CUPS
>> servers.
>> 
>> What happens if one or all of the following certificates expire:
>> CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the according -trust
>> certificates.
>> 
>> Will the UCM cluster stop working, DB replication issues or will I have
>> error messages on the phones?
>> 
>> Thanks for your thoughts
>> Regards Reto
>> 
> 
> 
> -- 
> Thanks & Regards
>   Manjunath
> 
> ------------------------------
> 
> Message: 9
> Date: Mon, 4 May 2015 20:49:33 +0530
> From: 0703Manjunath <winmanjunath at gmail.com>
> To: Reto Gassmann <voip at mrga.ch>
> Cc: "cisco-voip (cisco-voip at puck.nether.net)"
> 	<cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] Certificates expires - what happens next?
> Message-ID:
> 	<CAJJqyqSZTA5pu-92uU+HU8qYaU_62MwzA5_9uA24m1H5G+_MGw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> After above step, you will have to restart the cluster.
> 
> On Mon, May 4, 2015 at 8:48 PM, 0703Manjunath <winmanjunath at gmail.com>
> wrote:
> 
>> Reto, the case would be with replication issues. Also, you will have to
>> re-generate the certificate on pub & upload the same to sub after expiry
>> of current.
>> 
>> I have dealt with certificate issue with 9.x cucm as given above.
>> See if this helps you.
>> 
>> cheers
>> 
>> On Mon, May 4, 2015 at 8:39 PM, Reto Gassmann <voip at mrga.ch> wrote:
>> 
>>> Hello Group
>>> 
>>> I am just curious what happens when certificates on a CUCM cluster
>>> expire. We run a UCM cluster 9.1.2 in Mix Mode with 8 UCM servers and 2 CUPS
>>> servers.
>>> 
>>> What happens if one or all of the following certificates expire:
>>> CallManager.pem, ipsec.pem, tomcat.pem or CAPF.pem and the according -trust
>>> certificates.
>>> 
>>> Will the UCM cluster stop working, DB replication issues or will I have
>>> error messages on the phones?
>>> 
>>> Thanks for your thoughts
>>> Regards Reto
>>> 
>> 
>> 
>> --
>> Thanks & Regards
>>   Manjunath
>> 
> 
> 
> 
> -- 
> Thanks & Regards
>   Manjunath
> 
> ------------------------------
> 
> ------------------------------
> 
> End of cisco-voip Digest, Vol 139, Issue 5
> ******************************************
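
An added example, not part of the original thread and not Cisco tooling: a Python standard-library check for the symptom in the "CSR Information" messages above, run on the CSR before it goes to the CA. It assumes the leading comma in "Subject Alternative Name: , ca.forces.net" comes from an empty dNSName entry in the subjectAltName extension; SAMPLE is a constructed extension, and the base64-decoded body of a PEM CSR can be passed to check_san the same way.

```python
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_san(der):
    """Depth-first search for the SAN Extension; return the GeneralNames contents."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive element, nothing nested to search
            continue
        kids = list(children(val))
        if kids and kids[0] == (0x06, SAN_OID):
            # extnValue is the last field (a critical BOOLEAN may precede it)
            return read_tlv(kids[-1][1], 0)[1]
        found = find_san(val)
        if found is not None:
            return found
    return None

def check_san(der):
    """Return (dns_names, problems) for the SAN found in a DER blob."""
    general_names = find_san(der)
    if general_names is None:
        return [], ["no subjectAltName extension present"]
    names, problems = [], []
    for i, (tag, val) in enumerate(children(general_names)):
        if tag != 0x82:  # [2] dNSName; other GeneralName types are skipped
            continue
        name = val.decode("ascii", "replace")
        names.append(name)
        if not name:
            problems.append(f"entry {i}: empty dNSName")
        elif " " in name or "," in name:
            problems.append(f"entry {i}: stray space or comma in {name!r}")
    return names, problems

# Constructed sample: a SAN Extension holding an empty dNSName, then ca.forces.net
SAMPLE = bytes.fromhex("301a0603551d1104133011820082") + bytes([13]) + b"ca.forces.net"
```

Joining the names returned for SAMPLE with ", " reproduces the ", ca.forces.net" string the decoder displayed.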


