[cisco-voip] Jabber Users Prompted To Accept Webex Cert

[Gary Parker]

Thanks Jason, I was aware of FN 72120 and figured that this may be associated (but not the cause); I guess Cisco have replaced a load of certs.

However:

- FN 72120 only relates to Android and iOS clients using push notifications, we’re only seeing this behaviour on Windows clients

- these clients are connecting to on-prem services, either directly or via expressway/MRA with EXCLUDED_SERVICES=WEBEX declared at install. The clients should not be attempting to contact Webex servers

- we’ve checked a number of clients and all have the correct IdenTrust root CA present (checked serial numbers)

- viewing the offered certificate within Jabber shows root, intermediate and server all okay

- browsing to https://idbroker.webex.com and examining the certificate shows the same, it’s only the Jabber application that rejects the certificate

Gary 

> On 11 Nov 2021, at 15:12, Jason Aarons (Americas) <jason.aarons at global.ntt> wrote:
> 
> Webex clients update switched from the Quovadis Root CA which was older and being retired, to the IdenTrust Root CA which it dates back to 2014. The IdenTrust Root CA certificate is contained within the default trust store of all major operating systems by default.
>  
> Not clear why IdenTrust is missing on your computers.
>  
> Guessing maybe you disabled automatic root updates at some point or don’t have Windows updates running ? https://serverfault.com/questions/752146/why-are-many-admins-using-turn-off-automatic-root-certificates-update-policy
>  
> Cisco Field Notice we didn’t notice
> https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72120.html