Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2594
Views
25
Helpful
9
Replies

CWMS 2.0 SSL Certificate Issue on IOS device

Go to solution
wisit_jan
Level 1
Level 1

‎07-09-2014 12:11 AM - edited ‎03-17-2019 04:18 PM

I have uploaded SSL Certificate to CWMS Server all device is worked fine but only IOS device is not work.

Error Code:100202

I think problem is certificate issue. I used SAN SSL *.domain.com

I obtain SSL Certificate and OrganizationSSL Root Certificate from GlobalSign SSL Certificate

I found in Trobleshooting Guide, they say "upload it to Cisco WebEx Meetings Server together with the end entity certificate".

How to "upload it to Cisco WebEx Meetings Server together with the end entity certificate"?

I follow step in https://supportforums.cisco.com/discussion/11794371/cwms-ssl-certificate-issue but not work

I  create .pem file and order content in same file

-----BEGIN PRIVATE KEY-----

… Private key …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… End entity certificate …

-----END CERTIFICATE-----

or

---

Private Key

---

---

CWMS Entity certificate

----

----

Intermediate Certificate #1

----

when upload file .pem occur error "The certificates do not form a valid certificate chain."

 

Please provide how to upload it to Cisco WebEx Meetings Server together with the end entity certificate?

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
dpetrovi
Cisco Employee
Cisco Employee

‎07-09-2014 05:26 AM

Hi, 

Per the information provided, you have a Wildcard SSL certificate (*.domain.com) provided by GlobalSign, but when you upload it to CWMS with a file that contains the following:

Private Key

Wildcard cert

Root cert

you get an error "The certificates do not form a valid certificate chain." This is expected behavior since you shouldn't insert the Root cert, but instead you need to insert the Intermediate SSL cert from GlobalSign. Reach out to GlobalSign and obtain the appropriate Intermediate Cert: https://www.globalsign.com/repository/ca-certificates/ that match your Wildcard cert. Once you have that cert, then create a bundle:

Private Key

Wildcard cert

Intermediate cert 

and upload it to the CWMS server. This should resolve the issue you are seeing on the iOS devices.

 

I hope this will be of help.

 

-Dejan

View solution in original post

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to wisit_jan

‎07-09-2014 07:22 AM

If you generated a CSR on CWMS server, then private key is stored on CWMS and you don't need to upload it. In that case, you would just need a valid SSL cert for CWMS, and a corresponding Intermediate certs.

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Intermediate certificate …

-----END CERTIFICATE-----

If you still get the same error, you are definitely not using the correct intermediate cert. Keep in mind that some CAs use primary and secondary intermediate certs, so you will have to include both. In that case, the order would be:

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Secondary Intermediate certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Primary Intermediate certificate …

-----END CERTIFICATE-----

-Dejan

View solution in original post

9 Replies 9

Go to solution
dpetrovi
Cisco Employee
Cisco Employee

‎07-09-2014 05:26 AM

Hi, 

Per the information provided, you have a Wildcard SSL certificate (*.domain.com) provided by GlobalSign, but when you upload it to CWMS with a file that contains the following:

Private Key

Wildcard cert

Root cert

you get an error "The certificates do not form a valid certificate chain." This is expected behavior since you shouldn't insert the Root cert, but instead you need to insert the Intermediate SSL cert from GlobalSign. Reach out to GlobalSign and obtain the appropriate Intermediate Cert: https://www.globalsign.com/repository/ca-certificates/ that match your Wildcard cert. Once you have that cert, then create a bundle:

Private Key

Wildcard cert

Intermediate cert 

and upload it to the CWMS server. This should resolve the issue you are seeing on the iOS devices.

 

I hope this will be of help.

 

-Dejan

Go to solution
wisit_jan
Level 1
Level 1
In response to dpetrovi

‎07-09-2014 06:11 AM

How to bundle these three file? put Private Key, Wildcard cert, Intermediate cert in to 1 file right?

 I create .pem file and order content in same file

---

Private Key

---

---

CWMS Entity certificate

----

----

Root Cert

----

when install certificate occur error message "The certificates do not form a valid certificate chain."

0 Helpful

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to wisit_jan

‎07-09-2014 06:23 AM

Hi,

Don't use ROOT CERT. You need to use INTERMEDIATE CERT instead of ROOT. To bundle them, you create a .pem file with:

-----BEGIN PRIVATE KEY-----

… Private key …

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

… End entity certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Intermediate certificate …

-----END CERTIFICATE-----

 

I hope this explains it.

 

-Dejan

Go to solution
wisit_jan
Level 1
Level 1
In response to dpetrovi

‎07-09-2014 07:16 AM

Hi Dejan,

The private key is obtain when Gen CSR right?

I uploaded file in order but still show same error message "The certificates do not form a valid certificate chain."

0 Helpful

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to wisit_jan

‎07-09-2014 07:22 AM

If you generated a CSR on CWMS server, then private key is stored on CWMS and you don't need to upload it. In that case, you would just need a valid SSL cert for CWMS, and a corresponding Intermediate certs.

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Intermediate certificate …

-----END CERTIFICATE-----

If you still get the same error, you are definitely not using the correct intermediate cert. Keep in mind that some CAs use primary and secondary intermediate certs, so you will have to include both. In that case, the order would be:

-----BEGIN CERTIFICATE-----

… CWMS certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Secondary Intermediate certificate …

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

… Primary Intermediate certificate …

-----END CERTIFICATE-----

-Dejan

Go to solution
wisit_jan
Level 1
Level 1
In response to dpetrovi

‎07-09-2014 07:59 AM

Hi Dejan,

Now it work

GlobalSign sent me a wrong Intermediate Certificate. I download new Intermediate Certificate from GlobalSign (https://support.globalsign.com/customer/portal/articles/1219303-organizationssl-intermediate-certificates)

And create pem file in order

-----BEGIN CERTIFICATE-----

... End entity certificate ...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

... Intermediate certificate ...

-----END CERTIFICATE-----

Thank you very much for your support. I get more idea from you

0 Helpful

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to wisit_jan

‎07-09-2014 08:06 AM

Hi,

 

I am happy to hear that you were able to upload the appropriate chain. Is the issue with the iOS device now resolved (it should be)?

 

Thank you.

-Dejan

 

Go to solution
wisit_jan
Level 1
Level 1
In response to dpetrovi

‎07-09-2014 09:41 AM

Hi Dejan,

Yes, now resolved with iOS devices

Go to solution
David Hasfurter
Level 1
Level 1
In response to wisit_jan

‎09-28-2015 01:46 PM

Just wanted to give feedback to this post as I came across this to fix my issue. I am running 2.5 of CWMS and they changed the format. It now looks like:

 

----Private Key---

 

Private key info

 

---end private key---

---Intermediate key----

Intermediate infor

---end intermediate key---

---Entity certificate---

certificate info

----end entity certificate----

 

I also used this site to help extract out the information I needed from the encrypted files I was given by the customer:

 

https://ril3y.wordpress.com/2014/01/22/ssl-with-intermediate-certificates-for-on-premise-webex/

 

-The Hoff

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents