<div dir="ltr">It has never been supported, so, if you run into any issues and TAC sees it, they may tell you to remove it, just FYI.<div><br></div><div>Given that, with DigiCert, can you duplicate a wildcard cert, like you can a Multi-SAN?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 18, 2020 at 11:57 PM James Andrewartha <<a href="mailto:jandrewartha@ccgs.wa.edu.au">jandrewartha@ccgs.wa.edu.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi voipers,<br>
<br>
I'm trying to update the wildcard on our CUCM/IMP servers, and am<br>
hitting a problem. We have a DigiCert wildcard, which I used<br>
successfully before, but now when generating the certificate the UI<br>
complains that *.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> isn't a valid certificate name or SAN. I<br>
hacked the JavaScript to ignore this warning, and generated a CSR with<br>
*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> in the SAN:<br>
<br>
$ openssl req -in tomcat\(8\).csr -text|grep DNS<br>
DNS:<a href="http://callmanager1.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager1.voip.ccgs.wa.edu.au</a>,<br>
DNS:*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>, DNS:<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://speeddial.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">speeddial.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager2.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager2.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://presence.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">presence.voip.ccgs.wa.edu.au</a><br>
<br>
But when I try to upload the certificate to CUCM, it complains "CSR SAN<br>
and Certificate SAN does not match". But the SANs on the certificate are<br>
the same (albeit in a different order):<br>
<br>
$ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text |grep DNS<br>
DNS:*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>, DNS:<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager1.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager1.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://callmanager2.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager2.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://speedidal.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">speedidal.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://callmanager.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://presence.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">presence.voip.ccgs.wa.edu.au</a><br>
<br>
I found<br>
<a href="https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989" rel="noreferrer" target="_blank">https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989</a><br>
from 2016 which says they got it working then, and I also got it working<br>
in 2018 when the cert was last renewed, with *.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> as the<br>
common name and a SAN. But I can't get it working now. Anyone got any<br>
thoughts? Running CUCM 10.5.2.15900-8<br>
<br>
Thanks,<br>
<br>
-- <br>
James Andrewartha<br>
Network & Projects Engineer<br>
Christ Church Grammar School<br>
Claremont, Western Australia<br>
Ph. (08) 9442 1757<br>
Mob. 0424 160 877<br>
</blockquote></div>
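An order-independent way to compare the SAN list of a CSR with that of the issued certificate, as an added example that is not part of either message and is not Cisco's own check. The function names `san_set` and `san_diff` are hypothetical; the sample input is the two `grep DNS` outputs quoted in the message above.

```shell
#!/bin/sh
# Real use (both commands accept -noout):
#   san_diff "$(openssl req  -in tomcat.csr -noout -text | grep DNS:)" \
#            "$(openssl x509 -in issued.crt -noout -text | grep DNS:)"

# Turn "DNS:a, DNS:b" text into one lowercase name per line,
# sorted and de-duplicated, so ordering and case no longer matter.
san_set() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' |
        tr 'A-Z' 'a-z' |
        LC_ALL=C sort -u
}

# san_diff CSR_TEXT CERT_TEXT
# Prints names present on one side only; returns 0 when the sets are equal.
san_diff() {
    _a=$(mktemp) && _b=$(mktemp) || return 2
    printf '%s\n' "$1" | san_set > "$_a"
    printf '%s\n' "$2" | san_set > "$_b"
    _out=$( LC_ALL=C comm -23 "$_a" "$_b" | sed 's/^/csr-only: /'
            LC_ALL=C comm -13 "$_a" "$_b" | sed 's/^/cert-only: /' )
    rm -f "$_a" "$_b"
    if [ -z "$_out" ]; then return 0; fi
    printf '%s\n' "$_out"
    return 1
}

# Sample input: the SAN lists exactly as quoted in the message above.
CSR_SANS='DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au'
CRT_SANS='DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au'

san_diff "$CSR_SANS" "$CRT_SANS" || echo "SAN sets differ"
```

Run on the two lists quoted in the message, it reports `speeddial.voip.ccgs.wa.edu.au` only in the CSR and `speedidal.voip.ccgs.wa.edu.au` only in the certificate.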