[cisco-voip] CUCM 11.5 Tomcat Service SSL Certificate Issue

[Gary Parker]

> On 16 May 2017, at 19:27, Charles Goldsmith <wokka at justfamily.org> wrote:
> 
> In addition to what Nate stated, the CCMCIP profile needs to be FQDN as well.
> 
> On Tue, May 16, 2017 at 1:21 PM, NateCCIE <nateccie at gmail.com> wrote:
> Are you using cuplogin or cisco-uds for discovery now?  If your UC services or system/server is not fqdn and is IP address then the client will complains about the cert unless the ip is listed as a SAN. If cup login make sure your tftp server is fqdn over in IM&P.

Charles/Nate we’re all fqdn throughout our UC infrastructure (have been since we first started using CA certs on Jabber) and using UDS. We’re also using expressways/MRA for off-site and telepresence. MRA logins, predictably, don’t give a certificate error as the expressway is present them correctly and, essentially, MITM’ing the connection to the CUCM/IM&P nodes.

Brian > curious one, that: browsers (at least Chrome and Safari in my testing) always show the full chain, even though it isn’t offered by the server. My more security minded colleagues believe this is because we use the same CA intermediate for many other servers throughout our enterprise and the browser caches them internally and reuses them. This caused a great deal of confusion initially as pointing a web browser at <server>:8443 always showed a correct and full certificate chain in Chrome but Jabber was complaining. It wasn’t until we started pointing openssl at the server and looking at the returned certificates that we realised something was amiss.

If I manually install the intermediate on a client, the problem goes away as the client can construct the full chain. My argument with TAC is that I shouldn’t have to do this, and that the tomcat server on CUCM should be presenting the full chain to any clients that connects, be it a browser, Jabber or RTMT (which also complains about an invalid certificate).

Gary