[cisco-voip] Wildcard certificates
James Andrewartha
jandrewartha at ccgs.wa.edu.au
Fri Jun 19 02:59:57 EDT 2020
It helps if I spell speeddial instead of speedidal 🙄
On 19/6/20 2:21 pm, Anthony Holloway wrote:
> I've got some thoughts, though, I've never done this before, so it's
> just guessing.
>
> You don't need *.domain.com in your SAN.
>
> Just generate your CSR on CUCM as if you were not using wildcard
> certificates. Then when you dupe your wildcard on digitcert's site,
> manually add the exact same SANs in your CSR.
>
> The resulting identity certificate will not have a CN which matches your
> CSR, but the SANs will match, and according to the thread you linked:
>
> /"The CN doesn't match but CUCM doesn't seem to care as long as the SAN
> fields line up."/
>
> On Thu, Jun 18, 2020 at 11:58 PM James Andrewartha
> <jandrewartha at ccgs.wa.edu.au> wrote:
>
> Hi voipers,
>
> I'm trying to update the wildcard on our CUCM/IMP servers, and am
> hitting a problem. We have a digicert wildcard, which I used
> successfully before, but now when generating the certificate the UI
> complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
> hacked the javascript to ignore this warning, and generated a CSR with
> *.ccgs.wa.edu.au in the SAN:
>
> $ openssl req -in tomcat\(8\).csr -text|grep DNS
> DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>
> But when I try to upload the certificate to CUCM, it complains "CSR SAN
> and Certificate SAN does not match". But the SANs on the certificate are
> the same (albeit in a different order):
>
> $ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text |grep DNS
> DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>
> I found
> https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
> from 2016 which says they got it working then, and I also got it working
> in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
> common name and a SAN. But I can't get it working now. Anyone got any
> thoughts? Running CUCM 10.5.2.15900-8
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
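A local version of the SAN check that produced the "CSR SAN and Certificate SAN does not match" error, added here as an example (it is not code from the thread or from Cisco): it pulls the DNS entries out of the `openssl req -text` / `openssl x509 -text` output, compares them as unordered sets, and uses difflib to pair leftovers so a transposition like speeddial/speedidal is visible immediately. The sample input is the two SAN lists from the thread, retyped here as constants.

```python
import difflib
import re
from typing import Dict, Set

# Constructed sample input: the "DNS:" lines from the thread's
# `openssl req ... | grep DNS` and `openssl x509 ... | grep DNS` output.
CSR_SAN_LINE = (
    "DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, "
    "DNS:ccgs.wa.edu.au, DNS:speeddial.voip.ccgs.wa.edu.au, "
    "DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, "
    "DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au"
)
CERT_SAN_LINE = (
    "DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, "
    "DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, "
    "DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, "
    "DNS:presence.voip.ccgs.wa.edu.au"
)

# Each SAN entry in `openssl -text` output looks like "DNS:name" separated by ", ".
DNS_RE = re.compile(r"DNS:([^,\s]+)")


def san_dns_names(openssl_text: str) -> Set[str]:
    """Extract the dNSName SAN entries from openssl -text output.
    DNS names are case-insensitive, so compare them lower-cased."""
    return {name.lower() for name in DNS_RE.findall(openssl_text)}


def compare_sans(csr_text: str, cert_text: str) -> Dict[str, Set[str]]:
    """Set comparison: order does not matter, membership does."""
    csr, cert = san_dns_names(csr_text), san_dns_names(cert_text)
    return {"common": csr & cert, "only_in_csr": csr - cert, "only_in_cert": cert - csr}


def sans_match(csr_text: str, cert_text: str) -> bool:
    diff = compare_sans(csr_text, cert_text)
    return not diff["only_in_csr"] and not diff["only_in_cert"]


def suspected_typos(diff: Dict[str, Set[str]]) -> Dict[str, str]:
    """Pair each CSR-only name with the closest cert-only name (similarity >= 0.8),
    so a mistyped SAN on the CA side shows up as a near-miss rather than a mystery."""
    hints = {}
    for name in sorted(diff["only_in_csr"]):
        close = difflib.get_close_matches(name, sorted(diff["only_in_cert"]), n=1, cutoff=0.8)
        if close:
            hints[name] = close[0]
    return hints


if __name__ == "__main__":
    d = compare_sans(CSR_SAN_LINE, CERT_SAN_LINE)
    print("match:", sans_match(CSR_SAN_LINE, CERT_SAN_LINE))
    print("only in CSR:", d["only_in_csr"], "only in cert:", d["only_in_cert"])
    print("suspected typos:", suspected_typos(d))
```

Run against real files with `openssl req -in tomcat.csr -noout -text` and `openssl x509 -in cert.crt -noout -text` feeding the two text arguments.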