[cisco-voip] Wildcard certificates

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Jun 19 02:21:11 EDT 2020


I've got some thoughts, though I've never done this before, so it's just
guessing.

You don't need *.domain.com in your SAN.

Just generate your CSR on CUCM as if you were not using wildcard
certificates.  Then when you dupe your wildcard on DigiCert's site,
manually add the exact same SANs in your CSR.

The resulting identity certificate will not have a CN which matches your
CSR, but the SANs will match, and according to the thread you linked:

*"The CN doesn't match but CUCM doesn't seem to care as long as the SAN
fields line up."*

On Thu, Jun 18, 2020 at 11:58 PM James Andrewartha <
jandrewartha at ccgs.wa.edu.au> wrote:

> Hi voipers,
>
> I'm trying to update the wildcard on our CUCM/IMP servers, and am
> hitting a problem. We have a digicert wildcard, which I used
> successfully before, but now when generating the certificate the UI
> complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
> hacked the javascript to ignore this warning, and generated a CSR with
> *.ccgs.wa.edu.au in the SAN:
>
> $ openssl req -in tomcat\(8\).csr -text|grep DNS
>                 DNS:callmanager1.voip.ccgs.wa.edu.au,
> DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
> DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
> DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
> DNS:presence.voip.ccgs.wa.edu.au
>
> But when I try to upload the certificate to CUCM, it complains "CSR SAN
> and Certificate SAN does not match". But the SANs on the certificate are
> the same (albeit in a different order):
>
> $ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text
> |grep DNS
>                 DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
> DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
> DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
> DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>
> I found
>
> https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
> from 2016 which says they got it working then, and I also got it working
> in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
> common name and a SAN. But I can't get it working now. Anyone got any
> thoughts? Running CUCM 10.5.2.15900-8
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
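Added example, not part of the thread and not CUCM's own logic: the check CUCM is applying here is "do the SAN names on the CSR and on the issued certificate agree as sets", so ordering differences are harmless but a single changed character in one name is fatal. The script below extracts the DNS SANs from both files with openssl (the same commands James used), sorts them, and diffs them, printing exactly which names are on only one side. Everything it works on is constructed locally: a throwaway key, a CSR, and self-signed certificates standing in for what a CA would issue, under the made-up zone example.test. It assumes openssl 1.1.1 or later (for `req -addext`).

```shell
#!/bin/sh
# Added example (not from the thread): compare the DNS SANs of a CSR and
# of the certificate issued for it as unordered sets. Inputs are all
# constructed here (throwaway key, CSR, self-signed stand-ins for the
# CA-issued cert) under the hypothetical zone example.test.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# san_names TYPE FILE: print the DNS SANs of a CSR (TYPE=req) or a
# certificate (TYPE=x509), one per line, sorted and de-duplicated, so
# the order the CA wrote them in cannot produce a false mismatch.
san_names() {
  openssl "$1" -in "$2" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://' \
    | sort -u
}

# compare_sans CSR CERT: return 0 when both SAN sets are identical,
# otherwise list the names present on only one side and return 1.
compare_sans() {
  san_names req  "$1" > "$WORK/csr.sans"
  san_names x509 "$2" > "$WORK/crt.sans"
  if cmp -s "$WORK/csr.sans" "$WORK/crt.sans"; then
    echo "SAN sets match"
    return 0
  fi
  echo "SAN mismatch:"
  comm -23 "$WORK/csr.sans" "$WORK/crt.sans" | sed 's/^/  only in CSR:  /'
  comm -13 "$WORK/csr.sans" "$WORK/crt.sans" | sed 's/^/  only in cert: /'
  return 1
}

# san_ext NAME...: build the subjectAltName value "DNS:a,DNS:b,...".
san_ext() {
  printf 'DNS:%s,' "$@" | sed 's/,$//'
}

# make_csr OUT NAME...: throwaway RSA key plus a CSR carrying NAME... as
# SANs. The CN is an ordinary host, not the wildcard, as the reply
# above suggests (hypothetical hostname).
make_csr() {
  out=$1; shift
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -subj "/CN=callmanager.voip.example.test" \
    -addext "subjectAltName=$(san_ext "$@")" -out "$out" 2>/dev/null
}

# make_cert CSR OUT NAME...: self-sign CSR but with NAME... as its SANs,
# standing in for whatever the CA actually put on the issued cert.
# (x509 -req does not copy the CSR's extensions, so only these apply.)
make_cert() {
  csr=$1; out=$2; shift 2
  printf 'subjectAltName=%s\n' "$(san_ext "$@")" > "$WORK/ext.cnf"
  openssl x509 -req -in "$csr" -signkey "$WORK/key.pem" -days 1 \
    -extfile "$WORK/ext.cnf" -out "$out" 2>/dev/null
}

# Demonstration: the same names in a different order pass; a one-letter
# typo in one SAN (speedidal vs speeddial) fails, whatever the order.
make_csr "$WORK/tomcat.csr" \
  callmanager1.voip.example.test speeddial.voip.example.test \
  presence.voip.example.test '*.example.test'
make_cert "$WORK/tomcat.csr" "$WORK/good.crt" \
  '*.example.test' presence.voip.example.test \
  callmanager1.voip.example.test speeddial.voip.example.test
compare_sans "$WORK/tomcat.csr" "$WORK/good.crt"
make_cert "$WORK/tomcat.csr" "$WORK/typo.crt" \
  '*.example.test' presence.voip.example.test \
  callmanager1.voip.example.test speedidal.voip.example.test
if compare_sans "$WORK/tomcat.csr" "$WORK/typo.crt"; then
  echo "unexpected: typo not detected"
fi
```

Run it against a real pair with `compare_sans tomcat.csr issued.crt` (after sourcing the functions or dropping the demonstration lines); it never touches CUCM, it only tells you in advance whether the upload will be rejected, and which name to fix on the CA side.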