06-09-2015 07:48 AM - edited 03-17-2019 05:14 PM
I tried to regenerate a CSR for WebEx (another one that will be signed by a public CA). But I saw that the common name was not the FQDN of the webex site url (users site).
Do you know if there is a way to change the common name in the CSR? When I try to generate it, I only have the FQDN of the admin URL. The client needs it to be the users URL because they have that name in their public DNS.
Thanks for your replies.
06-09-2015 08:47 AM
Hi Heriberto,
In CWMS depending on the size of the system, you can have multiple internal CWMS VMs, as well as Admin URL and WebEx Site URL.
When generating CSR on CWMS, CSR will include hostnames of all the internal CWMS VMs, including Admin URL and WebEx Site URL.
You will then use this CSR with all these hostnames and request Certification Authority to issue you an SSL cert that will include all Subject Alternative Names in the SSL cert.
Can you share CSR file with us just so I can check what you have listed in it?
Thank you.
-Dejan
06-09-2015 09:01 AM
Thanks for your answer, Dejan.
You are right, in the SAN section the CSR includes all the names of the virtual machines and the URLs. At the moment, we have a record of the WebEx Site URL in the public DNS.
The only little problem we have is in the common name section. When I generated a CSR for the first time, its common name was the WebEx Site URL, not the Admin site URL. Now I can generate the CSR only with the common name as Admin Site URL. I know that there is no problem because I have the WebEx Site URL in the SAN, but one requirement of the Public CA is that we need the common name in our public DNS records, in order to verify that the domain is our property. The client does not want to save a new DNS record with the Admin site URL pointing to the public IP of the WebEx Site URL.
Kind regards,
Heriberto.
06-09-2015 09:09 AM
Hi Heriberto,
That is really strange that the Admin URL is listed as the common name. WebEx Site URL should be listed there. Can you do the following:
- Generate CSR for wildcard SSL cert in CWMS and then generate the new one for SAN cert.
- Once you have the new one for SAN cert, please send it to me to validate it.
Thank you.
-Dejan
06-09-2015 01:57 PM
Hi Dejan,
I did what you asked for. It was curious when I generated the wildcard SSL cert in CWMS, after that I could generate a new CSR with the common name as the name of my WebEx site URL. Thank you so much.
I sent my CSR to the public CA (GoDaddy) and then they signed the cert. I found that there is a problem when I try to upload it as the external SSL cert. Do you have any idea why that is happening?
Thanks,
Heriberto
06-09-2015 02:32 PM
Hi Heriberto,
I am not sure what format you've received the SSL cert in, but there are a few requirements to follow. Please reference this official document: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Administration_Guide/Administration_Guide/Administration_Guide_chapter_01111.html#concept_71CACA22EBB84FE58867C71B177AD752
And, also take a look at this document that might be of help in regards to handling SSL certs and certificate chains:
Unfortunately, without actually seeing SSL certs and CSR you created, I can't provide more detailed suggestions.
-Dejan
06-09-2015 02:36 PM
Hi Heriberto,
Per SSL certs provided, you received the SSL cert that includes only WebEx Site URL, but no other Subject Alternative Name. CWMS won't let you upload such SSL cert as it is not including Admin URL as well as all internal VM hostnames.
-Dejan
06-09-2015 03:28 PM
This is the CSR I sent to the Public CA:
06-10-2015 07:40 AM
Hi Heriberto,
I now understand that you have 2.5 MR5 version installed which introduces the option for Internal and External SSL certs if you have IRP server involved.
SSL cert that you've sent me privately and this CSR match perfectly. So you should be able to install this SSL cert to CWMS. If you are having issues, we would need to troubleshoot it, so please open a ticket with TAC to look into this.
-Dejan
06-10-2015 02:17 PM
That's right, I made a CWMS update last week. I have a ticket opened because it was impossible to upload the external cert. Also, with the update the TAC engineer could not open an SSL session for admin VM, but it was possible with Media VM.
If we go back to the other version, is it in the SSL Cert section that we upload only the external cert (our public CA is GoDaddy)? In order to upload the cert, this is concatenated only with the intermediate CA and not with the Root CA, isn't it?
Thanks for all your answers.
Best regards,
Heriberto.
06-12-2015 02:19 PM
One last thing:
When a user on a cell phone tries to reach the WebEx Site URL, it still shows a certificate warning (not secure). When a user on a computer tries to sign in, they receive no warnings. I uploaded the cert this way:
BEGIN CERT...
PRIVATE KEY
END CER...
BEGIN CERT...
INTERMEDIATE
END CER...
BEGIN CERT...
CWMS CERT
END CER...
Do you have any idea why users on cell phones are still receiving the warning? I tried another test putting also the root_CA, but we still receive the same warning.
06-12-2015 04:34 PM
Hi Heriberto,
If you are on CWMS 2.5 MR5 version level, there is one regression defect that is fixed in CWMS 2.5 MR5 HF1. If you installed the server SSL cert together with Intermediate SSL cert from CA, and still mobile devices get error message when accessing CWMS, your system is most likely affected by this defect. This bug prevents CWMS from sending that intermediate SSL cert to the client machine/mobile device resulting in mobile device not being able to validate the SSL cert. Please, reach out to TAC to obtain the HF1 for 2.5 MR5.
CSCuu48189 MR5 no longer sending intermediate certificate
I hope this will help.
-Dejan
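An added example, not part of the original thread: a local lab that reproduces the two certificate checks discussed above, namely whether a client that trusts only the root can validate the server certificate when the intermediate is not sent, and whether the issued certificate carries the expected Subject Alternative Names. It assumes the `openssl` CLI is installed; every name in it (demo-root, webex.example.test, admin.example.test) is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Constructed lab: every name below (demo-root, webex.example.test, ...) is a placeholder.
D=$(mktemp -d)

# new_csr <file-stem> <common-name>: create a key pair and a CSR for it.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
    -out "$D/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign <file-stem> <issuer-stem> <extension-file>: issue a 2-day certificate.
sign() {
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
    -CAcreateserial -extfile "$D/$3" -days 2 -out "$D/$1.pem" 2>/dev/null
}

# Build root CA -> intermediate CA -> server certificate carrying two SANs.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
  printf 'subjectAltName=DNS:webex.example.test,DNS:admin.example.test\n' > "$D/leaf.ext"
  new_csr root demo-root && openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" \
    -extfile "$D/ca.ext" -days 2 -out "$D/root.pem" 2>/dev/null &&
  new_csr int demo-intermediate && sign int root ca.ext &&
  new_csr leaf webex.example.test && sign leaf int leaf.ext
}

# Client that trusts only the root and is sent only the server certificate
# (the situation described for the mobile devices).
validates_leaf_only() {
  openssl verify -CAfile "$D/root.pem" "$D/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also presents the intermediate.
validates_with_intermediate() {
  openssl verify -CAfile "$D/root.pem" -untrusted "$D/int.pem" "$D/leaf.pem" >/dev/null 2>&1
}

# has_san <dns-name>: is the name among the certificate's Subject Alternative Names?
has_san() {
  openssl x509 -in "$D/leaf.pem" -noout -text | grep -qE "DNS:$1(,|\$)"
}

build_chain
validates_leaf_only && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
validates_with_intermediate && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
has_san admin.example.test && echo "admin.example.test covered by SAN"
```

Against a live server, the equivalent check is to list the certificates the server actually presents with `openssl s_client -connect <host>:443 -showcerts` and confirm the intermediate is among them.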