[cisco-voip] CUCM / Unity 10.5 and Tomcat SAN SSL

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Sep 11 17:25:41 EDT 2015


If you don't want Jabber to throw a cert warning, you're going to need to
change all IP addresses referenced like that to FQDN. You can change the
CUC one inside of CUCM under User Mgmt > User Settings > UC Service.

On Fri, Sep 11, 2015 at 3:58 PM Michael David <mdavid at sps186.org> wrote:

> For now I'm going to cross my fingers on the upper/lower case issue. Right
> now we're using 10.5(2)SU1.
>
> I started with Unity; changed the CN to "vunity.sps186.org" and let the
> SANs auto-populate with the pub/sub etc. Certs created fine, installed
> fine. Restarted tomcat, and now SSL is looking good when accessing the
> console. After a few minutes, Jabber connected without any errors (despite
> the fact that the config shows the IP rather than a hostname..)
>
> Going to try the CUCM cluster now.
>
> Thanks, Anthony and Ryan!
>
> Michael
>
>
> On Sep 11, 2015, at 2:54 PM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
> It was actually your session at Cisco Live this year Ryan, where I learned
> about MS certs and the suffix.  ;)  I pulled the slide deck up for
> reference a weeks ago when I was working with COMODO CA.
>
> On Fri, Sep 11, 2015 at 2:30 PM Ryan Ratliff (rratliff) <
> rratliff at cisco.com> wrote:
>
>> I just generated a Tomcat MS CSR without the -ms with no issue on 11.0.
>>
>> On the case thing as long as you are on the latest SU you should be
>> fine.  There have been defects related to case validation on certs
>> (CSCuu69964 for example) but you should be ok.
>>
>> -Ryan
>>
>> On Sep 11, 2015, at 1:49 PM, Michael David <mdavid at sps186.org> wrote:
>>
>> Greetings,
>>
>> When I generate the SAN CSRs, the server sets the common name to, for
>> example, VUNITY1.sps186.org-ms - the "-ms"
>> being added automatically to the end.  All the SANs in the list correspond
>> to the actual hostnames and domain name. Can I change this CN to remove the
>> -ms?  GoDaddy isn't allowing the cert to be created because the CN isn't a
>> FQDN.  Not sure if the CUCM/Unity stuff needs the -ms for its own uses.
>>
>> Furthermore, our vendor set the hostnames to, for example, VUNITY1, VUCM1,
>> etc rather than vunity1, vucm1.  GoDaddy changed the case from CSRs from
>> the uppercase format to the lowercase format.  If the certs generate with
>> the lowercase-only names, will they still function on the cluster with the
>> cluster hostnames uppercase?
>>
>> Thanks in advance,
>> Michael
>>
>> --
>> Michael A. David, CCNA
>> Springfield Public Schools
>> Technology Service Center
>> 217.585.5802 ext. 85114
>> 217.585.5809 (FAX)
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
>
> --
> Michael A. David, CCNA
> Springfield Public Schools
> Technology Service Center
> 217.585.5802 ext. 85114
> 217.585.5809 (FAX)
>
>
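
The two questions in this thread (hostname case, and an IP address configured where the certificate only lists FQDNs) both come down to how a TLS client compares the address it was configured with against the certificate's SAN entries. The following is an added example, not part of the original messages and not Jabber's or CUCM's actual code: it models the generic RFC 6125 rule in Python. The SAN list and the 192.0.2.10 address are constructed; the hostnames are the ones mentioned in the thread.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """DNS-ID comparison: case-insensitive, label by label.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def reference_matches(san, reference):
    """san uses the tuple format of ssl.getpeercert()['subjectAltName'].
    An IP reference is compared only with 'IP Address' entries and a
    hostname only with 'DNS' entries; the two types never cross-match."""
    if _is_ip(reference):
        ref = ipaddress.ip_address(reference)
        return any(kind == "IP Address" and _is_ip(value)
                   and ipaddress.ip_address(value) == ref
                   for kind, value in san)
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in san)

# Constructed SAN list: lowercase names, as a CA would issue them.
SAN = (("DNS", "vunity.sps186.org"), ("DNS", "vunity1.sps186.org"))

if __name__ == "__main__":
    for ref in ("VUNITY1.sps186.org",      # uppercase hostname from the thread
                "vunity.sps186.org",       # the CN chosen in the thread
                "VUNITY1.sps186.org-ms",   # auto-generated CN with the -ms suffix
                "192.0.2.10"):             # constructed IP, absent from the SANs
        print(f"{ref:24} -> {'match' if reference_matches(SAN, ref) else 'MISMATCH'}")
```

Under this rule an uppercase hostname still matches a lowercase SAN, while a service address entered as an IP matches only if the certificate carries that IP as an iPAddress SAN entry.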