[cisco-voip] Wildcard certificates

James Andrewartha jandrewartha at ccgs.wa.edu.au
Fri Jun 19 00:55:45 EDT 2020


Hi voipers,

I'm trying to update the wildcard on our CUCM/IMP servers, and am
hitting a problem. We have a DigiCert wildcard, which I used
successfully before, but now when generating the certificate the UI
complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
hacked the JavaScript to ignore this warning, and generated a CSR with
*.ccgs.wa.edu.au in the SAN:

$ openssl req -in tomcat\(8\).csr -text|grep DNS
                DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au

But when I try to upload the certificate to CUCM, it complains "CSR SAN
and Certificate SAN does not match". But the SANs on the certificate are
the same (albeit in a different order):

$ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text |grep DNS
                DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au

I found
https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
from 2016 which says they got it working then, and I also got it working
in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
common name and a SAN. But I can't get it working now. Anyone got any
thoughts? Running CUCM 10.5.2.15900-8

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
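
Added example, not part of the original post: an order-insensitive comparison of the two SAN lists quoted in the message, printing any name that appears in only one of them. The function names `san_set` and `san_diff` are hypothetical; the input strings are copied from the two `grep DNS` outputs above.

```shell
#!/bin/sh
# Sample input: SAN lines copied from the CSR and certificate output in the post.
CSR_SANS='DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au'
CERT_SANS='DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au'

# Turn "DNS:a, DNS:b" text into one lower-case name per line, sorted and
# de-duplicated, so that ordering and line wrapping no longer matter.
san_set() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | sed -n 's/^DNS://p' |
        tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Print every name found in only one list, labelled with the side it came
# from. Prints nothing when the two SAN sets are identical.
san_diff() {
    a=$(mktemp) b=$(mktemp)
    san_set "$1" >"$a"
    san_set "$2" >"$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/csr-only: /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/cert-only: /'
    rm -f "$a" "$b"
}

# For the lists above this prints one csr-only and one cert-only name.
san_diff "$CSR_SANS" "$CERT_SANS"
```

The same functions accept live output, for example `san_diff "$(openssl req -in file.csr -noout -text)" "$(openssl x509 -in file.crt -noout -text)"`, where the file names are placeholders.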

