[cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

Hunter Fuller hf0002 at uah.edu
Wed May 24 12:14:27 EDT 2023


2028 is WAY too far in the future. No modern browser trusts a
publicly-issued certificate that is valid that far in the future. How
did you even get that certificate?

If you did a self-signed, then that would explain why no browser
trusts it. Self-signed is the "sovereign citizen" of certificates. You
need to get a certificate authority to sign your CSR.

https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, May 24, 2023 at 11:01 AM Matthew Loraditch
<MLoraditch at heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch at heliontechnologies.com
> www.heliontechnologies.com
>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip at puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both are now year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (error is "You cannot visit server right now because the website uses HSTS").
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust. I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get to. Little confused as to where this CallManager Trust certificate can be generated from.
>
> Thank you
>
> Terry
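
The checks suggested in this thread (same subject and SAN on the old and new certificate, CA-signed rather than self-signed, expiry not years in the future), as an added example that is not part of the original messages. The hostname, file names, finding labels and the 398-day threshold (the maximum lifetime browsers accept for publicly trusted certificates) are assumptions, and both sample certificates are constructed on the fly with openssl.

```shell
#!/bin/sh
# Added example: hostnames, file names and the 398-day threshold are assumptions.
WORK=$(mktemp -d)

# --- Constructed sample data: a CA-signed "old" cert and a self-signed 5-year "new" cert ---
q() { "$@" >/dev/null 2>&1; }   # run a command quietly
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=unity.example.test" \
    -keyout "$WORK/old.key" -out "$WORK/old.csr"
printf 'subjectAltName=DNS:unity.example.test,DNS:unity\n' > "$WORK/san.cnf"
q openssl x509 -req -in "$WORK/old.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.cnf" -out "$WORK/old.pem"
q openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "/CN=unity.example.test" \
    -addext "subjectAltName=DNS:unity.example.test" \
    -keyout "$WORK/new.key" -out "$WORK/new.pem"

# --- Checks ---
field() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2=//"; }   # field <pem> subject|issuer
san()   { openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed -n '2p' | tr -d ' '; }
is_self_signed() { [ "$(field "$1" subject)" = "$(field "$1" issuer)" ]; }
# True when the cert is still valid N days from now (openssl -checkend takes seconds).
valid_beyond_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

compare_certs() {   # compare_certs <old.pem> <new.pem>; prints one finding per line
    [ "$(field "$1" subject)" = "$(field "$2" subject)" ] || echo "SUBJECT_CHANGED"
    [ "$(san "$1")" = "$(san "$2")" ] || echo "SAN_CHANGED: $(san "$1") -> $(san "$2")"
    is_self_signed "$2" && echo "NEW_SELF_SIGNED"
    valid_beyond_days "$2" 398 && echo "NEW_VALIDITY_OVER_398_DAYS"
    return 0
}

compare_certs "$WORK/old.pem" "$WORK/new.pem"
```

The validity check measures from the current time, which matches the total lifetime only for a freshly regenerated certificate.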
