<div dir="ltr"><div dir="ltr">I've got some thoughts, though I've never done this before, so it's just guessing.<div><br></div><div>You don't need *.<a href="http://domain.com">domain.com</a> in your SAN.</div><div><br></div><div>Just generate your CSR on CUCM as if you were not using wildcard certificates. Then when you dupe your wildcard on DigiCert's site, manually add the exact same SANs as in your CSR.</div><div><br></div><div>The resulting identity certificate will not have a CN which matches your CSR, but the SANs will match, and according to the thread you linked:</div><div><br></div><div><i>"The CN doesn't match but CUCM doesn't seem to care as long as the SAN fields line up."</i></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 18, 2020 at 11:58 PM James Andrewartha <<a href="mailto:jandrewartha@ccgs.wa.edu.au">jandrewartha@ccgs.wa.edu.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi voipers,<br>
<br>
I'm trying to update the wildcard on our CUCM/IMP servers, and am<br>
hitting a problem. We have a digicert wildcard, which I used<br>
successfully before, but now when generating the certificate the UI<br>
complains that *.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> isn't a valid certificate name or SAN. I<br>
hacked the javascript to ignore this warning, and generated a CSR with<br>
*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> in the SAN:<br>
<br>
$ openssl req -in tomcat\(8\).csr -text|grep DNS<br>
                DNS:<a href="http://callmanager1.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager1.voip.ccgs.wa.edu.au</a>,<br>
DNS:*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>, DNS:<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://speeddial.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">speeddial.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager2.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager2.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://presence.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">presence.voip.ccgs.wa.edu.au</a><br>
<br>
But when I try to upload the certificate to CUCM, it complains "CSR SAN<br>
and Certificate SAN does not match". But the SANs on the certificate are<br>
the same (albeit in a different order):<br>
<br>
$ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -text<br>
|grep DNS<br>
                DNS:*.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>, DNS:<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">voip.ccgs.wa.edu.au</a>, DNS:<a href="http://callmanager1.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager1.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://callmanager2.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager2.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://speedidal.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">speedidal.voip.ccgs.wa.edu.au</a>,<br>
DNS:<a href="http://callmanager.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">callmanager.voip.ccgs.wa.edu.au</a>, DNS:<a href="http://presence.voip.ccgs.wa.edu.au" rel="noreferrer" target="_blank">presence.voip.ccgs.wa.edu.au</a><br>
<br>
I found<br>
<a href="https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989" rel="noreferrer" target="_blank">https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989</a><br>
from 2016 which says they got it working then, and I also got it working<br>
in 2018 when the cert was last renewed, with *.<a href="http://ccgs.wa.edu.au" rel="noreferrer" target="_blank">ccgs.wa.edu.au</a> as the<br>
common name and a SAN. But I can't get it working now. Anyone got any<br>
thoughts? Running CUCM 10.5.2.15900-8<br>
<br>
Thanks,<br>
<br>
-- <br>
James Andrewartha<br>
Network & Projects Engineer<br>
Christ Church Grammar School<br>
Claremont, Western Australia<br>
Ph. (08) 9442 1757<br>
Mob. 0424 160 877<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</blockquote></div>
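<div>Added example, not code from either poster: a small Python check that pulls the dNSName SAN entries out of <code>openssl req -text</code> and <code>openssl x509 -text</code> output and compares them as sets (order-independent, case-insensitive), which is the comparison CUCM's "CSR SAN and Certificate SAN does not match" error refers to. The sample input is the two SAN listings quoted in the thread above; the script reports the single entry that differs between them.</div>

```python
import re

# Sample input taken from the two openssl listings quoted in the thread:
# the CSR generated on CUCM and the certificate issued for it.
CSR_TEXT = """
                DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au,
DNS:presence.voip.ccgs.wa.edu.au
"""

CERT_TEXT = """
                DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au,
DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au,
DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au,
DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
"""

# A dNSName entry as printed by `openssl ... -text`: "DNS:<name>" followed by
# a comma or whitespace. Other SAN types (IP:, email:) are deliberately ignored.
DNS_SAN = re.compile(r"DNS:([^\s,]+)")


def parse_dns_sans(openssl_text):
    """Return the set of dNSName SAN entries found in openssl -text output.

    Names are lower-cased and a trailing dot is stripped: DNS names are
    case-insensitive and the order of SAN entries carries no meaning, so a
    set is the right shape for comparing a CSR against its certificate.
    """
    return {name.lower().rstrip(".") for name in DNS_SAN.findall(openssl_text)}


def compare_sans(csr_text, cert_text):
    """Compare the SAN set of a CSR with that of the certificate issued for it.

    Returns whether they match plus the names present on only one side, so a
    mismatch hidden by a different ordering (or a typo introduced when the
    SANs were re-entered at the CA) is visible before the upload is attempted.
    """
    csr, cert = parse_dns_sans(csr_text), parse_dns_sans(cert_text)
    return {
        "match": csr == cert,
        "missing_in_cert": sorted(csr - cert),
        "extra_in_cert": sorted(cert - csr),
    }


if __name__ == "__main__":
    for key, value in compare_sans(CSR_TEXT, CERT_TEXT).items():
        print(f"{key}: {value}")
```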