[cisco-voip] CUCM / Unity 10.5 and Tomcat SAN SSL

Michael David mdavid at sps186.org
Fri Sep 11 16:58:10 EDT 2015


For now I'm going to cross my fingers on the upper/lower case issue. Right now we're using 10.5(2)SU1.  

I started with Unity; changed the CN to "vunity.sps186.org" and let the SANs auto-populate with the pub/sub etc. Certs created fine, installed fine. Restarted Tomcat, and now SSL is looking good when accessing the console. After a few minutes, Jabber connected without any errors (despite the fact that the config shows the IP rather than a hostname).

Going to try the CUCM cluster now.

Thanks, Anthony and Ryan!

Michael


> On Sep 11, 2015, at 2:54 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:
> 
> It was actually your session at Cisco Live this year Ryan, where I learned about MS certs and the suffix.  ;)  I pulled the slide deck up for reference a weeks ago when I was working with COMODO CA.
> 
> On Fri, Sep 11, 2015 at 2:30 PM Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:
> I just generated a Tomcat MS CSR without the -ms with no issue on 11.0. 
> 
> On the case thing as long as you are on the latest SU you should be fine.  There have been defects related to case validation on certs (CSCuu69964 for example) but you should be ok.
> 
> -Ryan
> 
> On Sep 11, 2015, at 1:49 PM, Michael David <mdavid at sps186.org> wrote:
> 
> Greetings,
> 
> When I generate the SAN CSRs, the server sets the common name to, for example, VUNITY1.sps186.org-ms - the "-ms" being added automatically to the end.  All the SANs in the list correspond to the actual hostnames and domain name. Can I change this CN to remove the -ms?  GoDaddy isn't allowing the cert to be created because the CN isn't a FQDN.  Not sure if the CUCM/Unity stuff needs the -ms for its own uses.
> 
> Furthermore, our vendor set the hostnames to, for example, VUNITY1, VUCM1, etc rather than vunity1, vucm1.  GoDaddy changed the case from CSRs from the uppercase format to the lowercase format.  If the certs generate with the lowercase-only names, will they still function on the cluster with the cluster hostnames uppercase?
> 
> Thanks in advance,
> Michael
> 
> --
> Michael A. David, CCNA 
> Springfield Public Schools
> Technology Service Center
> 217.585.5802 ext. 85114
> 217.585.5809 (FAX)
> 
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip


--
Michael A. David, CCNA 
Springfield Public Schools
Technology Service Center
217.585.5802 ext. 85114
217.585.5809 (FAX)
