[cisco-voip] Wildcard certificates
NateCCIE
nateccie at gmail.com
Fri Jun 19 08:53:32 EDT 2020
Yeah. In my experience, the cert can have as many extra SANs as you want, but all of the SANs the CUCM CSR has have to be there, and spelled correctly.
Sent from my iPhone
> On Jun 19, 2020, at 1:02 AM, James Andrewartha <jandrewartha at ccgs.wa.edu.au> wrote:
>
> It helps if I spell speeddial instead of speedidal 🙄
>
>> On 19/6/20 2:21 pm, Anthony Holloway wrote:
>> I've got some thoughts, though, I've never done this before, so it's
>> just guessing.
>>
>> You don't need *.domain.com in your SAN.
>>
>> Just generate your CSR on CUCM as if you were not using wildcard
>> certificates. Then when you dupe your wildcard on digitcert's site,
>> manually add the exact same SANs in your CSR.
>>
>> The resulting identity certificate will not have a CN which matches your
>> CSR, but the SANs will match, and according to the thread you linked:
>>
>> "The CN doesn't match but CUCM doesn't seem to care as long as the SAN
>> fields line up."
>>
>> On Thu, Jun 18, 2020 at 11:58 PM James Andrewartha
>> <jandrewartha at ccgs.wa.edu.au> wrote:
>>
>> Hi voipers,
>>
>> I'm trying to update the wildcard on our CUCM/IMP servers, and am
>> hitting a problem. We have a digicert wildcard, which I used
>> successfully before, but now when generating the certificate the UI
>> complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
>> hacked the javascript to ignore this warning, and generated a CSR with
>> *.ccgs.wa.edu.au in the SAN:
>>
>> $ openssl req -in tomcat\(8\).csr -text|grep DNS
>> DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>>
>> But when I try to upload the certificate to CUCM, it complains "CSR SAN
>> and Certificate SAN does not match". But the SANs on the certificate are
>> the same (albeit in a different order):
>>
>> $ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text |grep DNS
>> DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
>>
>> I found
>> https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
>> from 2016 which says they got it working then, and I also got it working
>> in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
>> common name and a SAN. But I can't get it working now. Anyone got any
>> thoughts? Running CUCM 10.5.2.15900-8
>>
>> Thanks,
>>
>> --
>> James Andrewartha
>> Network & Projects Engineer
>> Christ Church Grammar School
>> Claremont, Western Australia
>> Ph. (08) 9442 1757
>> Mob. 0424 160 877
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
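The rule NateCCIE states at the top of the thread (every SAN in the CUCM CSR must appear in the issued certificate, spelled identically; extra SANs and a different order do not matter) as an added check that is not part of the thread: it parses the `openssl ... -text | grep DNS` output quoted above (re-typed here as constructed sample input, link residue stripped), reports which CSR SANs are missing from the certificate, and points at a near-identical certificate SAN as the likely misspelling.

```python
import re
import difflib

# Constructed sample input: the "openssl ... -text | grep DNS" output quoted
# in the thread, for the CSR and for the certificate DigiCert issued.
CSR_DNS = """
DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au
"""
CERT_DNS = """
DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au,
DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au
"""

def parse_dns_sans(openssl_text):
    """Collect the DNS: entries from openssl -text output as a case-folded set;
    the CUCM check behaves like a set comparison, so SAN order is irrelevant."""
    return {m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)}

def compare_sans(csr_text, cert_text):
    """Return (missing, extra, suspects): CSR SANs absent from the certificate
    (these make CUCM reject the upload), certificate SANs that were not in the
    CSR (allowed), and for each missing name the closest extra name, which in
    practice is a typo made while re-entering the SANs at the CA."""
    csr, cert = parse_dns_sans(csr_text), parse_dns_sans(cert_text)
    missing = sorted(csr - cert)
    extra = sorted(cert - csr)
    suspects = {}
    for name in missing:
        close = difflib.get_close_matches(name, extra, n=1, cutoff=0.9)
        if close:
            suspects[name] = close[0]
    return missing, extra, suspects

if __name__ == "__main__":
    missing, extra, suspects = compare_sans(CSR_DNS, CERT_DNS)
    if not missing:
        print("OK: every CSR SAN is present in the certificate")
    for name in missing:
        hint = f" (certificate has '{suspects[name]}' instead?)" if name in suspects else ""
        print(f"MISSING from certificate: {name}{hint}")
    for name in extra:
        print(f"extra in certificate (allowed by CUCM): {name}")
```

Run it against the real files by feeding it the output of the two openssl commands from the thread; the wildcard entry is treated like any other literal SAN, which matches the behaviour reported above.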