09-20-2016 10:31 AM - edited 03-17-2019 06:22 PM
Hi,
I have installed DigiCert certificates (Public CA) on my Expressway E (version X8.7.1) (CUCM ver: 9.1.2.14900-14) (IM&P ver: 9.1.1.81900-10).
The certificates are signed by an Intermediate CA.
Windows and other IOS both have the Intermediate CA certificate and root certificate in the Trust container.
I have uploaded both the Root CA and Intermediate CA certificates on the Expressway E.
The certificates show the path to the Root CA. Windows shows the certificate as OK.
The CN name is the FQDN of the Expressway E.
The SAN name is the FQDN of the Expressway E.
FIPS is disabled on the Windows server.
I am getting a certificate error from Windows Jabber 11.6, iPhone and Android.
I do not get the error if the Windows Jabber client is 10.5.
Note - The certificate SAN only contains the Expressway E FQDN. There is no clustering.
Do I need to include just the domain name in the SAN? If so, how does it work with older Jabber versions?
Thanks
Sandesh
09-20-2016 11:36 PM
I do not see any major difference in certificate validation between the versions. Could you tell me the complete error message that you see?
Is this behaviour similar to the below post?
https://supportforums.cisco.com/discussion/13124266/invalid-certificate-was-declined-jabber-android
Could you generate a Problem report in detailed logging mode, and attach here?
09-21-2016 10:57 AM
Solved
Apparently for RMA, Jabber 11.5 seeks three entries: Server FQDN, Domain & Collab-edge.<Domain>
E.g. domainname = domain.com & Expressway E name = expresE.domain.com
After I uploaded a multi-SAN certificate with SAN as "dns=domain.com" & "dns=collab-edge.domain.com", the problem was solved.
Note: just adding the domain name to the SAN is also enough.
Logs showed the following:
cert::CertVerifier::checkIdentifier] - Verifying identity 'expresE.domain.com'
2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(352)] [csf.cert.utils] [csf::cert::altnameparserimpl::verify] - match for 'expresE.domain.com' found in dnsnames
2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(324)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded.
Matched identifier : 'expresE.domain.com'
2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(461)] [csf.cert.] [csf::cert::BaseCertVerifier::applyIgnoreInvalidCertConditionPolicy] - Certificate verification was successful, not applying policy.
[csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'domain'
2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'Domainname'
2016-09-21 11:00:44,777 DEBUG [0x000009f8] [ls\src\cert\common\CertVerifier.cpp(154)] [csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'collab-edge.domain.comname'
2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'collab-edge.domain.com'
2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(319)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity: 'domain' 'collab-edge.domain.com' failed.
09-21-2016 11:10 AM
Awesome :)
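The identity checks visible in the log above, modeled as an added example (not part of the thread and not Cisco's code): it reads the SAN entries from `openssl x509 -noout -text` output and reports whether the Expressway-E FQDN and at least one of the domain or collab-edge.<domain> names are present. The function names, the case-insensitive comparison and the sample certificate text are assumptions constructed for illustration.

```python
import re

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().lower().rstrip(".")

def parse_san_dns(openssl_text):
    """Return the dNSName entries found in `openssl x509 -noout -text` output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)",
                  openssl_text)
    if not m:
        return set()          # certificate has no SAN extension at all
    names = set()
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            names.add(_norm(value))
    return names

def check_edge_cert(san_names, server_fqdn, domain):
    """Model the two checks seen in the Jabber log:
    1) the Expressway-E FQDN must be in the SAN;
    2) the domain OR collab-edge.<domain> must be in the SAN
       (the thread reports that either one is enough)."""
    server_ok = _norm(server_fqdn) in san_names
    candidates = [_norm(domain), "collab-edge." + _norm(domain)]
    matched = [c for c in candidates if c in san_names]
    return {"server_ok": server_ok,
            "domain_matched": matched,
            "ok": server_ok and bool(matched)}

# Constructed samples using the placeholder names from the thread.
BEFORE = """        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:expresE.domain.com
"""
AFTER = """        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:expresE.domain.com, DNS:domain.com, DNS:collab-edge.domain.com
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        result = check_edge_cert(parse_san_dns(text),
                                 "expresE.domain.com", "domain.com")
        print(label, result)
```

Running the same check against a certificate signing request before it goes to the CA catches a missing name without a reissue.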