Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
611
Views
5
Helpful
4
Replies

CWMS 2.5 MR5 . result of Generate CSR, seems like different other version of CWMS

Go to solution
neobrutal
Level 1
Level 1

‎07-05-2015 11:50 PM - edited ‎03-17-2019 05:19 PM

Dear all.

 

Hi I'm Yoong Huh.

 

I just tested i a CWMS MR5 system in my lab. And I find someting different result in Genereta CSR in security tap of CWMS administration page.

 

Here is snapshot of CWMS 2.5 with no update.

 

Meeting URL : meetingmr5.comtectest.com

Administration URL : supportmr5.comtectest.com

AdminVM: adminvmmr5.comtectest.com

 

 

 

Meeting URL is located in Common name.

And i think it is  good.

 

 

 

 

Then i  updated to 2.5 MR5

 

And Administration URL is located in Common name of Generate CSR page.

 

 

I think that CWMS working wrong way.

 

 

Regards.

 

Yoong Huh.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to neobrutal

‎07-07-2015 04:54 PM

Hi Yoong Huh,

 

Yes, internal SSL cert has Administration URL for common name plus all other internal VM hostnames as part of the Subject Alternative Names, while external SSl cert has only WebEx Site URL as common name.

 

If you had SSL cert installed on 2.5 MR4 and earlier versions, after updating to 2.5 MR5 you won't need to do anything until those original SSL certs expire. Once these SSL certs expire, then you will need to obtain External SSL cert from Public Certification Authority for WebEx Site URL, and you can use self-signed SSL certs for internal VMs and Administration URL. You will have to distribute those internal self-signed SSL certs to your internal end users so these self-signed SSL certs are trusted by their browsers.

 

I hope this helps.

 

-Dejan

View solution in original post

0 Helpful
4 Replies 4

Go to solution
dpetrovi
Cisco Employee
Cisco Employee

‎07-06-2015 05:13 AM

Hi Yoong Huh,

CWSM 2.5 MR5 introduces a new feature which splits internal and external SSL certs. In CWMS 2.5 MR5 now you have the option to use self-signed SSL certs for your internal CWMS VMs (and propagate those free self-signed SSL certs to your internal end user community for secure access to CWMS) while using a publicly signed SSL cert for your WebEx Site URL. That way, you can have your internal VMs' hostnames using .local or .internal domains, while only your WebEx Site URL using publicly resolvable hostnames. That way, you can obtain the publicly signed SSL cert just for your WebEx Site URL (which is much cheaper than getting a SAN SSL cert for all your internal VMs as well).

 

I hope this clarifies it a little bit.

-Dejan

P.S. Please take a look at Split Certificate feature description in Release Notes, as well as the documentation Configuration Guide for more details.

Go to solution
neobrutal
Level 1
Level 1
In response to dpetrovi

‎07-07-2015 04:49 PM

Hi Dejan.

 

Thanks for your reply.

 

Is that mean the internal SSL cert has Administration URL for common name, and External cert has Site URL for common name ?

 

New version features, am i right?

 

And it means External cert is optional, and i think internal Cert is same to previous version cert(~ 2.5MR4).

 

If it's right, i think, when customer rehost the CWMS and upgarde to MR2.5, customer have to reissue the  Cert for changed common name (Site URL -> Administration URL)

 

Best Regards.

 

Yoong Huh.

0 Helpful

Go to solution
dpetrovi
Cisco Employee
Cisco Employee
In response to neobrutal

‎07-07-2015 04:54 PM

Hi Yoong Huh,

 

Yes, internal SSL cert has Administration URL for common name plus all other internal VM hostnames as part of the Subject Alternative Names, while external SSl cert has only WebEx Site URL as common name.

 

If you had SSL cert installed on 2.5 MR4 and earlier versions, after updating to 2.5 MR5 you won't need to do anything until those original SSL certs expire. Once these SSL certs expire, then you will need to obtain External SSL cert from Public Certification Authority for WebEx Site URL, and you can use self-signed SSL certs for internal VMs and Administration URL. You will have to distribute those internal self-signed SSL certs to your internal end users so these self-signed SSL certs are trusted by their browsers.

 

I hope this helps.

 

-Dejan

0 Helpful

Go to solution
neobrutal
Level 1
Level 1
In response to dpetrovi

‎07-07-2015 05:19 PM

Hi Dejan.

 

Thanks for reply.

 

I understand about MR5 split cert.

 

Thanks

 

Regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents