[cisco-voip] Wildcard certificates

Charles Goldsmith w at woka.us
Fri Jun 19 01:51:15 EDT 2020


It has never been supported, so, if you run into any issues and TAC sees
it, they may tell you to remove it, just FYI.

Given that, with Digicert, can you duplicate a wildcard cert, like you can
a Multi-SAN?

On Thu, Jun 18, 2020 at 11:57 PM James Andrewartha <
jandrewartha at ccgs.wa.edu.au> wrote:

> Hi voipers,
>
> I'm trying to update the wildcard on our CUCM/IMP servers, and am
> hitting a problem. We have a digicert wildcard, which I used
> successfully before, but now when generating the certificate the UI
> complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
> hacked the javascript to ignore this warning, and generated a CSR with
> *.ccgs.wa.edu.au in the SAN:
>
> $ openssl req -in tomcat\(8\).csr -text|grep DNS
>                 DNS:callmanager1.voip.ccgs.wa.edu.au,
> DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
> DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
> DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
> DNS:presence.voip.ccgs.wa.edu.au
>
> But when I try to upload the certificate to CUCM, it complains "CSR SAN
> and Certificate SAN does not match". But the SANs on the certificate are
> the same (albeit in a different order):
>
> $ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text |grep DNS
>                 DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
> DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
> DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
> DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>
> I found
>
> https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
> from 2016 which says they got it working then, and I also got it working
> in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
> common name and a SAN. But I can't get it working now. Anyone got any
> thoughts? Running CUCM 10.5.2.15900-8
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>
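When an upload is rejected with "CSR SAN and Certificate SAN does not match", comparing the two SAN lists as sorted sets removes ordering from the picture and prints only the entries that actually differ. The script below is an added example, not part of the original thread and not CUCM's own check; `san_set` and `san_diff` are hypothetical helper names, and the sample input is the two SAN lists from the openssl output quoted above.

```shell
#!/bin/sh
# Added example: compare the DNS SANs of a CSR and a certificate as sets,
# so ordering is ignored and only real differences are printed.

# Sample input: SAN lists copied from the openssl output quoted in the thread.
CSR_SANS='DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au'
CERT_SANS='DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au'

# Read `openssl ... -text` output on stdin and print one DNS name per line,
# lower-cased, de-duplicated and sorted.
san_set() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' \
        | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# san_diff CSR_TEXT CERT_TEXT
# Prints "csr-only: NAME" / "cert-only: NAME" for each entry found on one side
# only. Returns 0 when both sets are identical, 1 when they differ.
san_diff() {
    sd_tmp=$(mktemp -d) || return 2
    printf '%s\n' "$1" | san_set > "$sd_tmp/csr"
    printf '%s\n' "$2" | san_set > "$sd_tmp/cert"
    LC_ALL=C comm -23 "$sd_tmp/csr" "$sd_tmp/cert" | sed 's/^/csr-only: /'
    LC_ALL=C comm -13 "$sd_tmp/csr" "$sd_tmp/cert" | sed 's/^/cert-only: /'
    sd_rc=0
    cmp -s "$sd_tmp/csr" "$sd_tmp/cert" || sd_rc=1
    rm -rf "$sd_tmp"
    return "$sd_rc"
}

# With real files (paths are placeholders):
#   san_diff "$(openssl req  -in tomcat.csr -noout -text)" \
#            "$(openssl x509 -in issued.crt -noout -text)"
san_diff "$CSR_SANS" "$CERT_SANS" || echo "SAN sets differ"
```

On the two lists quoted in this thread it reports `speeddial.voip.ccgs.wa.edu.au` as present only in the CSR and `speedidal.voip.ccgs.wa.edu.au` as present only in the certificate.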