cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
996
Views
15
Helpful
11
Replies

Issue when regenerating CSR for CWMS 2.5

HeribertoVV
Level 1
Level 1

I tried to regenerate a CSR for WebEx (another one that will be signed by a public CA). But I saw that the common name was not the FQDN of the webex site url (users site).


Do you know if there is a way to change the common name in the CSR? When I try to generate it, only I have the FQDN of the admin url. The client needs it to be the users url because they have that name in their public DNS.

 

Thanks for your replies. 

2 Accepted Solutions

Accepted Solutions

dpetrovi
Cisco Employee
Cisco Employee

Hi Heriberto,

 

In CWMS depending on the size of the system, you can have multiple internal CWMS VMs, as well as Admin URL and WebEx Site URL.

When generating CSR on CWMS, CSR will include hostnames of all the internal CWMS VMs, including Admin URL and WebEx Site URL.

You will then use this CSR with all these hostnames and request Certification Authority to issue you an SSL cert that will include all Subject Alternative Names in the SSL cert.

Can you share CSR file with us just so I can check what you have listed in it?

 

Thank you.

-Dejan

 

View solution in original post

Hi Heriberto,

 

If you are on CWMS 2.5 MR5 version level, there is one regression defect that is fixed in CWMS 2.5 MR5 HF1. If you installed the server SSL cert together with Intermediate SSL cert from CA, and still mobile devices get error message when accessing CWMS, your system is most likely affected by this defect. This bug prevents CWMS from sending that intermediate SSL cert to the client machine/mobile device resulting in mobile device not being able to validate the SSL cert. Please, reach out to TAC to obtain the HF1 for 2.5 MR5.

 

CSCuu48189 MR5 no longer sending intermediate certificate

 

 

I hope this will help.

-Dejan

View solution in original post

11 Replies 11

dpetrovi
Cisco Employee
Cisco Employee

Hi Heriberto,

 

In CWMS depending on the size of the system, you can have multiple internal CWMS VMs, as well as Admin URL and WebEx Site URL.

When generating CSR on CWMS, CSR will include hostnames of all the internal CWMS VMs, including Admin URL and WebEx Site URL.

You will then use this CSR with all these hostnames and request Certification Authority to issue you an SSL cert that will include all Subject Alternative Names in the SSL cert.

Can you share CSR file with us just so I can check what you have listed in it?

 

Thank you.

-Dejan

 

HeribertoVV
Level 1
Level 1

Thanks for your answer, Dejan.

 

You are right, in the SAN section the CSR includes all the names of the virtual machines and the URLs. By the moment, we have a record of the WebEx Site URL in the public DNS.

The only little problem we have is in the common name section. When I generated a CSR by the first time, its common name was the WebEx Site URL, not the Admin site URL. Now I can generate the CSR only with the common name as Admin Site URL. I know that there is no problem because I have the WebEx Site URL in the SAN, but one requirement of the Public CA is that we need the common name in our public DNS records, in order to verify that the domain is in our property. The client does not want to save a new DNS record with the Admin site URL pointing to the public IP of the WebEx Site URL.

 

Kind regards,

Heriberto.

Hi Heriberto,

 

That is really strange that the Admin URL is listed as the common name. WebEx Site URL should be listed there. Can you do the following:

- Generate CSR for wildcard SSL cert in CWMS and then generate the new one for SAN cert.

- Once you have the new one for SAN cert, please send it to me to validate it.

Thank you.

-Dejan

Hi Dejan,


I did what you asked for. It was curious when I generated the wildcard SSL cert in CWMS, after that I could generate a new CSR with the common name as the name of my WebEx site URL. Thank you so much.

 

I sent my CSR to the public CA (goDaddy) and then they signed the cert. I found that there is a problem when I try to upload it to the extenal SSL cert. Do you have any idea why is that happening?

 

Thanks,

Heriberto

Hi Heriberto,

 

I am not sure in what format you've received the SSL cert in, but there are few requirements to follow. Please reference this official document: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Administration_Guide/Administration_Guide/Administration_Guide_chapter_01111.html#concept_71CACA22EBB84FE58867C71B177AD752

 

And, also take a look at this document that might be of help in regards to handling SSL certs and certificate chains:

https://supportforums.cisco.com/document/12367906/cwms-ssl-certificates-intermediate-ssl-cert-chains-and-different-cwms-versions

 

Unfortunately, without actually seeing SSL certs and CSR you created, I can't provide more detailed suggestions.

 

-Dejan

 

Hi Heriberto,

Per SSL certs provided, you received the SSL cert that includes only WebEx Site URL, but no other Subject Alternative Name. CWMS won't let you upload such SSL cert as it is not including Admin URL as well as all internal VM hostnames.

-Dejan

 

This is the CSR I sent to the Public CA:

-----BEGIN CERTIFICATE REQUEST-----
MIIDPDCCAiQCAQAweDEfMB0GA1UEAwwWd2ViZXhibS5iYW54aWNvLm9yZy5teDES
MBAGA1UECwwJVEVMRUZPTklBMRgwFgYDVQQKDA9CQU5DTyBERSBNRVhJQ08xCzAJ
BgNVBAgMAkRGMQ0wCwYDVQQHDAQ1TTE4MQswCQYDVQQGEwJNWDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMYKHvyjkjTgjWHGY6V2FG/4teZz2xXPYWI/
3AMv1YyvkTonTExUMsj2K+DD//9xFnpk9LoV4SPFUMcneZLGstBbkCudtYb1gBGA
JiyKdVGebiEF9l0YmiqvJVkoBnPHckUXpHKrt8f3qbg0Mvb35NjuM6U4XcPrkzdG
mNk1rhynT60GX632hKzt2chvdltwoXUjFE33yJZYzARjztR0vcl847OP3OpWnCHz
NZcaw2XjdkUjV+PfPVWWUTWs/Z0a13/YdY2fCKo4Z8NXumYOns+aohzhCe3p/GIf
hjaj3aLkG27lfrdPLi+3pzfz2w6nOAjZZAUWni5FjAxVKQZlDuMCAwEAAaB/MH0G
CSqGSIb3DQEJDjFwMG4wHQYDVR0OBBYEFDTReUdfn9eSgKaN1ClbEBKBgVDwMAsG
A1UdDwQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIQYDVR0R
BBowGIIWd2ViZXhibS5iYW54aWNvLm9yZy5teDANBgkqhkiG9w0BAQsFAAOCAQEA
nmsLcnfbppFs1cX2EUvdWXm6Tk8PBwMt6cfttq2G22fqdBfiLx3Ut1CU7tAeG8Ri
ndvMd6TK7bGxPNz3wEIzJUM5Ipp1bbOSHJNtmFzFzkyK4Qs/3jgT4CKei4SYCWh1
vQjn9YISQKra26uslhN3C5BjMee4d1lNpC67hzxww6q5ZnMCTNDgXBf9fLc/uV6v
X3IrZ+jsFHH3gk2giXckUcduRM1qFIjXO98jMcbzBlScs4f46RsPNkf4orZdicl0
Xlfvu9SvUHtkH5Y03+G/ANVsada0lCVMlgO27TXrK48C9G47gDtGDZIL2c3rLsCO
0b7SIlANzHZUvZr1bHvthw==
-----END CERTIFICATE REQUEST-----
 
I Generated it in External SSL Certificate section, the only option I had was webexbm.banxico.org.mx
 

 

Hi Heriberto,

 

I now understand that you have 2.5 MR5 version installed which introduces the option for Internal and External SSL certs if you have IRP server involved.

 

SSL cert that you've sent me privately and this CSR match perfectly. So you should be able to install this SSL cert to CWMS. If you are having issues, we would need to troubleshoot it, so please open a ticket with TAC to look into this.

-Dejan

That's right, I made a CWMS update last week. I have a ticket opened because it was impossible to upload the external cert. Also, with the update the TAC engineer could not open a SSL session for admin VM, but it was possible with Media VM.

If we go back to the other version, is in the SSL Cert section where we upload only the external cert (our public CA is goDaddy)? In order to upload the cert, this is concatenated only with the intermediate CA and not with de Root CA, isn't it?

 

Thanks for all your answers.

 

Best regars,

Heriberto.

One last thing:

 

When user in a cell-phone try to get the WebEx Site URL, it still shows a warning certificates (not secure). When user in a computer try to sign in, the recieve no warnings. I uploaded the cert this way:

 

BEGIN CERT...

PRIVATE KEY

END CER...

BEGIN CERT...

INTERMEDIATE

END CER...

BEGIN CERT...

CWMS CERT

END CER...

 

Do you have any idea why user in cellphones are still receiving the warning? I tried another test putting also the root_CA, but we still receive the same warning.

Hi Heriberto,

 

If you are on CWMS 2.5 MR5 version level, there is one regression defect that is fixed in CWMS 2.5 MR5 HF1. If you installed the server SSL cert together with Intermediate SSL cert from CA, and still mobile devices get error message when accessing CWMS, your system is most likely affected by this defect. This bug prevents CWMS from sending that intermediate SSL cert to the client machine/mobile device resulting in mobile device not being able to validate the SSL cert. Please, reach out to TAC to obtain the HF1 for 2.5 MR5.

 

CSCuu48189 MR5 no longer sending intermediate certificate

 

 

I hope this will help.

-Dejan

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: