cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
253
Views
5
Helpful
4
Replies
Highlighted
Beginner

CWMS 2.5 MR5 . result of Generate CSR, seems like different other version of CWMS

Dear all.

 

Hi I'm Yoong Huh.

 

I just tested i a CWMS MR5 system in my lab. And I find someting different result in Genereta CSR in security tap of CWMS administration page.

 

Here is snapshot of CWMS 2.5 with no update.

 

Meeting URL : meetingmr5.comtectest.com

Administration URL : supportmr5.comtectest.com

AdminVM: adminvmmr5.comtectest.com

 

 

 

Meeting URL is located in Common name.

And i think it is  good.

 

 

 

 

Then i  updated to 2.5 MR5

 

And Administration URL is located in Common name of Generate CSR page.

 

 

I think that CWMS working wrong way.

 

 

Regards.

 

Yoong Huh.

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Hi Yoong Huh, Yes, internal

Hi Yoong Huh,

 

Yes, internal SSL cert has Administration URL for common name plus all other internal VM hostnames as part of the Subject Alternative Names, while external SSl cert has only WebEx Site URL as common name.

 

If you had SSL cert installed on 2.5 MR4 and earlier versions, after updating to 2.5 MR5 you won't need to do anything until those original SSL certs expire. Once these SSL certs expire, then you will need to obtain External SSL cert from Public Certification Authority for WebEx Site URL, and you can use self-signed SSL certs for internal VMs and Administration URL. You will have to distribute those internal self-signed SSL certs to your internal end users so these self-signed SSL certs are trusted by their browsers.

 

I hope this helps.

 

-Dejan

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Hi Yoong Huh,CWSM 2.5 MR5

Hi Yoong Huh,

CWSM 2.5 MR5 introduces a new feature which splits internal and external SSL certs. In CWMS 2.5 MR5 now you have the option to use self-signed SSL certs for your internal CWMS VMs (and propagate those free self-signed SSL certs to your internal end user community for secure access to CWMS) while using a publicly signed SSL cert for your WebEx Site URL. That way, you can have your internal VMs' hostnames using .local or .internal domains, while only your WebEx Site URL using publicly resolvable hostnames. That way, you can obtain the publicly signed SSL cert just for your WebEx Site URL (which is much cheaper than getting a SAN SSL cert for all your internal VMs as well).

 

I hope this clarifies it a little bit.

-Dejan

P.S. Please take a look at Split Certificate feature description in Release Notes, as well as the documentation Configuration Guide for more details.

Beginner

Hi Dejan. Thanks for your

Hi Dejan.

 

Thanks for your reply.

 

Is that mean the internal SSL cert has Administration URL for common name, and External cert has Site URL for common name ?

 

New version features, am i right?

 

And it means External cert is optional, and i think internal Cert is same to previous version cert(~ 2.5MR4).

 

If it's right, i think, when customer rehost the CWMS and upgarde to MR2.5, customer have to reissue the  Cert for changed common name (Site URL -> Administration URL)

 

Best Regards.

 

Yoong Huh.

Highlighted
Cisco Employee

Hi Yoong Huh, Yes, internal

Hi Yoong Huh,

 

Yes, internal SSL cert has Administration URL for common name plus all other internal VM hostnames as part of the Subject Alternative Names, while external SSl cert has only WebEx Site URL as common name.

 

If you had SSL cert installed on 2.5 MR4 and earlier versions, after updating to 2.5 MR5 you won't need to do anything until those original SSL certs expire. Once these SSL certs expire, then you will need to obtain External SSL cert from Public Certification Authority for WebEx Site URL, and you can use self-signed SSL certs for internal VMs and Administration URL. You will have to distribute those internal self-signed SSL certs to your internal end users so these self-signed SSL certs are trusted by their browsers.

 

I hope this helps.

 

-Dejan

View solution in original post

Highlighted
Beginner

Hi Dejan. Thanks for reply. I

Hi Dejan.

 

Thanks for reply.

 

I understand about MR5 split cert.

 

Thanks

 

Regards.

CreatePlease to create content