
Jabber 11.6 shows Invalid Certificate, 10.5 works fine

Hi,

I have installed DigiCert certificates (public CA) on my Expressway E (version X8.7.1) (CUCM ver: 9.1.2.14900-14) (IM&P ver: 9.1.1.81900-10).

The certificates are signed by an Intermediate CA.

Windows and other IOS both have the Intermediate CA certificate and root certificate in the Trust container.

I have uploaded both the Root CA and Intermediate CA certificates on the Expressway E.

The certificates show the path to the Root CA. Windows shows the certificate as OK.

The CN name is the FQDN of the expressway E

The SAN name is the FQDN of the expressway E

FIPS is disabled on the Windows server.

I am getting a certificate error from Windows Jabber 11.6, iPhone and Android.

I do not get the error if the Windows Jabber client is 10.5.

Note - The certificate SAN only contains the Expressway E FQDN. There is no clustering.

Do I need to include just the domain name in the SAN? If so, how does it work with older Jabber versions?

Thanks

Sandesh

3 REPLIES 3

I do not see any major difference in certificate validation between the versions. Could you tell me the complete error message that you see?

Is this behaviour similar to the below post?

https://supportforums.cisco.com/discussion/13124266/invalid-certificate-was-declined-jabber-android

Could you generate a Problem report in detailed logging mode, and attach here?


Solved

Apparently for MRA, Jabber 11.5 seeks three entries: Server FQDN, Domain & Collab-edge.<Domain>

E.g. domainname = domain.com & Expressway E name = expresE.domain.com

After I uploaded a multi-SAN certificate with SAN as "dns=domain.com" & "dns=collab-edge.domain.com", the problem was solved.

Note: just adding the domain name to the SAN is also enough.

Logs showed the following:

cert::CertVerifier::checkIdentifier] - Verifying identity 'expresE.domain.com'

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(352)] [csf.cert.utils] [csf::cert::altnameparserimpl::verify] - match for 'expresE.domain.com' found in dnsnames

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(324)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded.

Matched identifier : 'expresE.domain.com'

2016-09-21 10:59:54,382 DEBUG [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(461)] [csf.cert.] [csf::cert::BaseCertVerifier::applyIgnoreInvalidCertConditionPolicy] - Certificate verification was successful, not applying policy.

[csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'domain'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'Domainname'

2016-09-21 11:00:44,777 DEBUG [0x000009f8] [ls\src\cert\common\CertVerifier.cpp(154)] [csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'collab-edge.domain.comname'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\utils\AltNameParserImpl.cpp(394)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - No Match Found for 'collab-edge.domain.com'

2016-09-21 11:00:44,777 ERROR [0x000009f8] [rc\cert\common\BaseCertVerifier.cpp(319)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity: 'domain' 'collab-edge.domain.com' failed.
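Editor's added example (not part of the original posts and not Cisco code): a way to pull the identities Jabber failed to match out of a problem-report log and confirm that a reissued certificate's SAN covers them before uploading it to the Expressway E. The function names and sample inputs are constructed for illustration; the log patterns are the message shapes quoted above, the SAN text is the output format of `openssl x509 -noout -ext subjectAltName`, and the comparison is an exact, case-insensitive name match (wildcard entries are not considered).

```python
import re

# Log message shapes taken from the Jabber log lines quoted in the post above.
MATCHED = re.compile(r"match for '([^']+)' found in dnsnames", re.I)
UNMATCHED = re.compile(r"No Match Found for '([^']+)'", re.I)
# "DNS:" entries as printed by `openssl x509 -noout -ext subjectAltName`.
SAN_DNS = re.compile(r"DNS:([^\s,]+)")


def unmatched_identities(log_text):
    """Identities Jabber looked for in the certificate and did not find."""
    matched = {m.lower() for m in MATCHED.findall(log_text)}
    missing = []
    for name in UNMATCHED.findall(log_text):
        key = name.lower()
        if key not in matched and key not in missing:
            missing.append(key)
    return missing


def san_dns_names(openssl_text):
    """dNSName entries of a certificate, lower-cased (DNS names are case-insensitive)."""
    return {n.lower() for n in SAN_DNS.findall(openssl_text)}


def still_uncovered(log_text, openssl_text):
    """Identities from the failing log that the candidate certificate still lacks."""
    sans = san_dns_names(openssl_text)
    return [n for n in unmatched_identities(log_text) if n not in sans]


# Constructed sample input (placeholder names, same message shapes as the thread).
SAMPLE_LOG = """\
... [csf::cert::altnameparserimpl::verify] - match for 'expresE.domain.com' found in dnsnames
... [csf::cert::AltNameParserImpl::verify] - No Match Found for 'domain.com'
... [csf::cert::AltNameParserImpl::verify] - No Match Found for 'collab-edge.domain.com'
"""
OLD_CERT = "X509v3 Subject Alternative Name:\n    DNS:expresE.domain.com\n"
NEW_CERT = ("X509v3 Subject Alternative Name:\n"
            "    DNS:expresE.domain.com, DNS:domain.com, DNS:collab-edge.domain.com\n")

if __name__ == "__main__":
    print("Jabber failed on:", unmatched_identities(SAMPLE_LOG))
    print("old cert lacks:  ", still_uncovered(SAMPLE_LOG, OLD_CERT))
    print("new cert lacks:  ", still_uncovered(SAMPLE_LOG, NEW_CERT))
```

An empty result from `still_uncovered` means every identity the client logged as unmatched is present as a dNSName in the candidate certificate.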

 


Awesome :)
