i have just upgraded some of my cisco jabber for windows clients to the latest release 9.2.6 (upgraded from 9.2.3)
i noticed that the first time the client startsup i get certificate warnings for our CUCM-PUB, SUB, CUC device and CUPS server. (all version 8.6)
all use the standard cisco SSL certificate (have not deployed 3rd party SSL certificates)
is there a way to get all these certificates trusted by the client machines, it has never prompted me before and works fine with 9.2.3
on the mac clients i have added them to the keychain when i first deployed the clients (manual job) but i like to see if i can automate this for my 30 windows clients (the users will not click on this themselves and will use it as an excuse not to load jabber (they don't like the call window pop ups but that is something for jabber 9.6 client
any idea how to get these certificates trusted by the windows computers (we have an 2008 r2 active directory so could do something with an group policy and or use our own internal windows certificate authority)
is there is a clever way to get these standard cisco certificates trusted on all my computers rather than having to start changing the SSL certificates to trusted 3rd party certifficates or using Windows Certificate Authority)
i tried importing the certificates but it needs to root certifcate trusted, i tried to import those on a client computer but hte jabber client still did not accept the certificate automatically.
You can do both.
You can deploy certs with GPO and store them into Enterprise container. Also you can issue new certs to CUCM, CUP, UC... by your CA.
In this second case, when you are filling connection settings, important thing is that you specify exact value what says in a cert.
For example, if CA issues a cert cupname.mydomain.com, you have to write exact the same into server field. Not just cupname.
so i have my own windows enterprise CA on windows 2008 r2 server and i thought i would submit the CSR request to that but i ran into the following issue (preferably over using GPO as we also have mac clients that have the same SSL trust issue and i cannot resolve that issue via GPO for the mac clients)
btw there is no option to specify any of those values you mention when creating a CSR on unity connection server, it just takes the information from the unity server configuration but it seems correct so it is not an issue
here is my post in the UC section
if you have any ideas how to get around this that would be great
thanks for all the response
i had to create the certificate using the cli on my windows CA
certreq -submit -attrib "CertificateTemplate:WebServer"
but it worked
on the cups server it also seems i need to create an XMPP SSL certificate
would i use the same WebServer template as i did for tomcat or should i use a different template? does it matter
cuc, cups tomcat are now all running using the new windows CA certificate
just need to do the XMPP and then cucm-sub and pub
I must say that I don't follow. But I'll tray to explain.
First create a srv request on you UC/CUCM/CUP then, paste that request to your CA.
Here later you will download the cert also.
Now you click on a Request a certificate. And on a next page "advanced... "
Paste the request. For User template choose Web Server.
Now download it.
And install it on your UC. Also you will have to install root cert also.
So this shouls be that.
When you start the jabber on a domain machine everything should work just fine.
If it's not... be free to ask again.
I'll deployed our self signed certificates using certutil.
certutil -f -addstore "trust" "\\server\Certificates\cert1.cer"
certutil -f -addstore "trust" "\\server\Certificates\cert2.cer"
certutil -f -addstore "trust" "\\server\Certificates\cert3.cer"
certutil -f -addstore "trust" "\\server\Certificates\cert4.sem"
J4W 9.2.6 seems to work quite good and stable. Now I will create a vb script that deletes the local photo cache, so the pictures are updated when changed on the website.
Come on Cisco, we are still waiting for call pickup feature and HL support.
i created the SSL certificate for the cucm-pub and sub and restarted the tomcat service
when the jabber client starts up it still shows up a mismatch for hte SSL certificate for hte cucm pub and sub
the certificate is for cucm-pub.domain.com and but the jabber client is expecting uk-cucm-sub (without .domain)
i cannot see how i can change the cucm-pub to be listed as cucm-pub.domain.com for the certificate mismatch to go away
funnily enough the mac client has no such issues and it loads the client just fine without complaining about the SSL certificates and happily accepts the cucm-pub.domain.com ssl certificates
Why doesn't the CISCO jabber client have CISCO root CA's built in? We are running with the webex connect hosted back end, this is an all Cisco solution. Why do I have to import root CA's from CUCM?
i replaced all the self signed certificates and replaced them with enterprise CA signed certificates for
cucm-pub (call manager)
cucm-sub (call manager)
cups-pub (presence server)
(all tomcat) and restarted the tomcat services on all these devices
on the cups-pub I also made the xmpp domain name changes (same domain as call manager. unity connection and windows domain) and created cup-xmpp and cup-xmpp-s2s certificates on the enterprise CA signed certificates and restarted the up xcp router service
when i start up the mac clients 9.2.1 everything works fine and all ssl certificates are automatically trusted.
on the windows client 9.2.6 it accepts the unity connection and presence server ssl certificates (quitely) but both call manager certificates brings up a prompt, but when you click on show certificate and click on certification path it shows the certificate is ok and trusted by the enterprise CA.
i checked the server names of the cucm boxes (uk-cucm-pub.domain.com and uk-cucm-sub.domain.com and all is fine
when i browse to the ccmadmin interface on those servers there is no SSL prompt and it shows the SSL certificate is trusted.
i am stumped, i could manually accept these certificates but i am trying to make this as seamless as possible for our end users (mac users are all happy)
any tricks or things to check?
It seams that this really doesn't work. I raised a bug regarding CUCM popup window. So we can track this issue. ID of a bug is CSCul27120
Hi, did you work out how to sign the cup-xmpp certificates? We are using a Windows 2008R2 Enterprise CA and I don't see any templates that match the intended purposes listed in the self-signed cup-xmpp certificate. I hesitate to use the Web-Server template like I did for the CUCM, CUC, and CUPS Tomcat certificates. We are running Presence 8.6.4. Thanks!
i have exactly same setup (2008 r2 enterprise CA and cups 8.6.4_ and used webserver template just like for tomcat certificates
i had same reservations but decided to bite the bullet and it worked out fine
I also ran into the issue of Jabber looking for the hostname and not the FQDN. Looks like you can add an alternative name to the web-security section of the CLI.
Here's the doc I'm referencing.
Basically had to specify the new cert info, including the optional alt name. Then I had to regenerate the certificates, download the CSR and import into Microsoft Cert services and download and install.
It all looks good, except for my three cup related certs. I've regenerated a few times and it keeps adding the following to alternative name, even after I specify the new one.
1) Server.domain.local (dNSName)
2) sip:CN=Server.domain.local (dNSName)
I need a third one to have
Still chugging on this.