cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1312
Views
15
Helpful
2
Replies

CSCvn20824 - Cisco Meeting Manager does not have an option to generate a new CSR for expired certificates

Ahochau
Level 1
Level 1

The installation and administration guides give no more detail than "upload the certificate".  What are the requirements for the certificate?  Is there a configuration guide for using the MS AD Certificate Services?  

2 Replies 2

Ahochau
Level 1
Level 1

Here is what I did, not sure if it was correct, but it got me a valid certificate installed on my CMM and made the error go away.  Total PITA but it is a start.  I am not a security guy and although I understand the certificate concepts I do not work with CAs more than a couple times a year. I also did not have access to the customers CA, so had to use the web interface. I have no idea what the Windows version is on the back end.

1) Logged into the CA page (<FQDN of CA>/certsrv)

2) Chose Request a Certificate.

3) Chose create and submit a request to this CA

4) Chose the existing Web Server template (not sure if the correct settings are on this template)

  - Name: set to the FQDN of the CMM

  - Filled out the rest of the company information

  - Chose MS Enhanced RSA and AES Crypto Provider

  - Create New Key Set

  - Key Size 4096

  - Format PCKS10

  - Hash sha256

  - Assigned a friendly name

5) Cert automatically installed

6) opened up the key store on the local machine and exported the certificate using the MMC certmgr.  Found the cert in Current User/Certificates/  I chose not to include the private key and exported in 2 steps, can be done at once, but then you have to decrypt the cert as well as the key, pick your poison.  Chose Base-64 as the format

7) Went back and exported a second time including the private key.

8) uncheck the box for enable certificate privacy and checked the box to include all certs in the chain

9) used the super secret password cisco123 with AES256-SHA256

10) copied the pfx file over to my linux box and used the commands found here  https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/ to extract and decrypt the private key.  CMM will not accept the encrypted key.

11) pointed CMM to the private key on and got a green bar saying the key matches the certificate

12) saved the settings and restarted the box.  When it came back up valid certificate is attached to the web service.

 

not sure if the root is added to the trust store, or if I will have fits down the road we'll see.  

 

Bro, You are the One!!!! Thanks!!!!!