[cisco-voip] Very Strange SSL Issue...

Joe Martini joemar2 at cisco.com
Thu May 21 14:40:13 EDT 2015


Do your certificates contain a Subject Alternate Name (SAN)?  Are you trying to access the servers using a name that is one of the alternate names?  If an alternate name exists in the certificate, the browser will only display the page as trusted if you are accessing one of the alternate names (RFC3280 - section 4.2.1.7); the common and/or subject name is ignored.  There’s a bug for CUCM not copying the common name (CN) or subject name of the certificate into the SAN field automatically, which may be causing your problem (CSCus47235).

If you don’t have alternate names, the next most common issue I’ve seen is that different browsers use different certificate stores (locations) for looking up if the root/intermediate certificates are trusted.  The root/intermediate has to be added to the correct certificate store in that case (browser local cert store, or operating system cert store).

Joe 


On May 20, 2015, at 1:31 PM, Matthew Loraditch <MLoraditch at heliontechnologies.com> wrote:

Has anyone ever seen where you put a cert on CUCM/CUCXN/IM&P and the Subject name matches but your browser insists it doesn’t? I can’t figure this out. I checked as best I could for spaces like mentioned in Lelio’s recent thread about a CSR and I have no indication of that.
 
I honestly don’t have a clue where to go, it’s not really a server issue as the server is just presenting the cert I installed, but I have it on both UCxn and CCM/IM&P. I can’t believe I put an errant space on both servers…
 
Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518
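
The name check described in the reply above, as an added example that is not part of the original thread: when a certificate carries SAN entries only those are compared with the name typed into the browser, so a matching CN still produces a mismatch warning. The host names are constructed, and the matching is simplified to DNS names with a single leftmost wildcard label.

```python
def _name_match(pattern, host):
    """Case-insensitive DNS match; '*' may replace only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_name(host, common_name, san_dns):
    """Return (matches, reason) for the name used to reach the server."""
    if san_dns:
        # SAN present: only SAN entries are consulted, the CN is ignored.
        if any(_name_match(n, host) for n in san_dns):
            return True, "matched SAN"
        if _name_match(common_name, host):
            return False, "CN matches but is ignored because a SAN is present"
        return False, "no SAN entry matches"
    # No SAN in the certificate: fall back to the subject CN.
    if _name_match(common_name, host):
        return True, "matched CN (no SAN in certificate)"
    return False, "CN does not match"


# Constructed certificate fields: the CN was not copied into the SAN list.
SAMPLE_CN = "cucm-pub.example.com"
SAMPLE_SAN = ["example.com", "cucm-sub1.example.com"]

if __name__ == "__main__":
    for name in ("cucm-pub.example.com", "cucm-sub1.example.com"):
        print(name, check_name(name, SAMPLE_CN, SAMPLE_SAN))
```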

 