[cisco-voip] Digicert Wildcard cert

daniel at ohnesorge.me
Thu Apr 7 18:17:35 EDT 2016


Jose,

A few things to know: most wildcard certs from Verisign, GoDaddy etc. generate a key pair (private and public key) for you and send you a passphrase-protected .pfx or .p12 file, which can then be imported into IIS, Apache or any application (even Expressway for that matter). CUCM, however, does not allow private key import, as it sees it as a security risk and mandates that keys must be generated on CUCM via CSR. 

The next thing to know is how CUCM deals with changes between its CSR and the certificate. The rule is that the Common Name of the CSR doesn't have to match, but the SAN entries must match. So if you generate a Multi-SAN certificate CSR, CUCM will automatically put all CUCM/CUPS nodes in the list, and you/the CA are expected to ensure those entries match. Theoretically, the CA could change the Common Name to *.domain.com during signing and you could actually import it into CUCM. The challenge here is a) finding a CA which allows distinct individual keys/certs for the same wildcard Common Name and b) finding a CA that allows multiple SAN entries although the Common Name is a wildcard.

You would be better off working with the CA to refund the Wildcard certificate and swap it for a Multi-SAN product.

Sent from my iPhone

> On 8 Apr 2016, at 07:34, Ryan Huff <ryanhuff at outlook.com> wrote:
> 
> As far as I am aware, true wildcard certificates (*.domain.tld) are not supported with UCOS (despite whether they work or not).
> 
> Thanks,
> 
> Ryan
> 
> On Apr 7, 2016, at 5:30 PM, Jose Colon II <jcolon424 at gmail.com> wrote:
> 
>> After reading the numerous posts saying that the wildcard certs would work, I purchased the wildcard cert. Just wondering how people got them to work. 
>> 
>> Thanks
>> 
>>> On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff <ryanhuff at outlook.com> wrote:
>>> Jose,
>>> 
>>> I believe what you want are multi server (SAN) certificates for tomcat. You specify the distribution when generating the CSR.
>>> 
>>> Thanks,
>>> 
>>> Ryan
>>> 
>>> > On Apr 7, 2016, at 5:21 PM, Jose Colon II <jcolon424 at gmail.com> wrote:
>>> >
>>> > I have read a lot on forums that the digicert wildcard certs work great for UC apps as long as I am on 10.5 which I am.
>>> >
>>> > Can someone lay out the process of uploading these certs, as I am having a hard time with them. What format do I need them in? What cert goes where, etc.?
>>> >
>>> > Thanks in advance.
>>> >
>>> > Jose
>>> > _______________________________________________
>>> > cisco-voip mailing list
>>> > cisco-voip at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/cisco-voip

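Daniel's rule above (the signed certificate's SAN list must match the CSR's SAN list exactly, and the private key must be the one generated on the node, never one handed over by the CA in a .pfx) is easy to check before attempting an upload. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway CA with the openssl CLI, generates a local key and a Multi-SAN CSR for three hypothetical node names (cucm-pub/cucm-sub1/cucm-sub2.example.com, assumed here), signs three variants (SANs intact, one SAN dropped by the CA, and a vendor-generated key as in the .pfx case), and runs the two checks against each. Common Name changes are not exercised because portable openssl x509 -req cannot rewrite the subject.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Cisco.
# Checks a signed certificate against its CSR the way the CUCM import rule
# described in the thread requires: SAN list identical, key local to the node.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Hypothetical node names (assumption, not from the thread).
SANS="DNS:cucm-pub.example.com,DNS:cucm-sub1.example.com,DNS:cucm-sub2.example.com"
SHORT_SANS="DNS:cucm-pub.example.com,DNS:cucm-sub1.example.com"   # CA dropped a node

# Print the DNS SAN entries of a CSR ($1=req) or cert ($1=x509), sorted, one per line.
san_list() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); print}' |
        tr ',' '\n' | sed 's/^ *//' | grep '^DNS:' | sort
}

# 0 if the cert's SAN set equals the CSR's SAN set (the hard CUCM requirement).
sans_match() {  # $1 = csr, $2 = cert
    [ "$(san_list req "$1")" = "$(san_list x509 "$2")" ]
}

# 0 if the cert carries the public half of our locally generated key.
# Compares SHA-256 over the DER SubjectPublicKeyInfo of both sides.
key_matches() {  # $1 = private key, $2 = cert
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

report() {  # $1 = csr, $2 = key, $3 = cert
    if sans_match "$1" "$3" && key_matches "$2" "$3"; then
        echo "$3: OK for upload (SANs match CSR, key is local)"
    else
        echo "$3: REJECT (SAN mismatch or foreign key)"
    fi
}

# --- throwaway CA (stands in for the public CA) ---------------------------
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Throwaway Test CA" -days 30 2>/dev/null

# --- CSR as the node would generate it: local key + Multi-SAN request -------
cat > req.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = cucm-pub.example.com
[v3_req]
subjectAltName = $SANS
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout node.key -out node.csr -config req.cnf 2>/dev/null

# --- CA signing: extensions come from the ext file, i.e. the CA decides the SANs
echo "subjectAltName=$SANS"       > good.ext
echo "subjectAltName=$SHORT_SANS" > short.ext
openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile good.ext  -out good.crt  2>/dev/null
openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile short.ext -out short.crt 2>/dev/null

# --- the .pfx scenario: CA-side key pair, correct SANs, but not our key -----
openssl req -new -newkey rsa:2048 -nodes -keyout vendor.key -out vendor.csr -config req.cnf 2>/dev/null
openssl x509 -req -in vendor.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile good.ext -out vendor.crt 2>/dev/null

report node.csr node.key good.crt
report node.csr node.key short.crt
report node.csr node.key vendor.crt
echo "artifacts left in $WORK"
```

To use the checks on a real node, download the CSR from the OS Administration certificate page and run sans_match against the file the CA returned; the key check cannot be run off-box because the private key never leaves the node, so on a real system it is the upload itself that fails when the key does not match. The short.crt case is the one a Multi-SAN reissue must avoid: the CA trimming or reordering the list is what produces the CSR/cert mismatch error on import.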