As you have probably read in official documentation, CWMS needs valid SSL certs installed for normal operation. If you use default self-signed SSL certs, you will keep getting warnings and errors and won't be able to join any meetings before you import those self-signed SSL certs to your end point.
To avoid this annoying behavior, you should obtain publicly signed SSL certs. You can use SAN (Subject Alternative Name) or Wildcard SSL certs.
Most of the PCs have intermediate/root certs of all the major Certification Authorities already imported in the Trust stores, so when you upload a single publicly signed CWMS SSL cert to your CWMS solution, the PC and the web browser know how to validate such cert and all will appear to be just fine.
However, iOS and Android mobile devices might still have a problem validating just CWMS SSL cert and will report SSL cert errors even though a valid publicly signed SSL cert has been installed to CWMS.
To prevent this from happening, you would like to ensure that CWMS offers a full SSL certificate chain to any end point accessing the solution. That means, you would like to have both CWMS SSL cert and CA's Intermediate SSL Certs bundled together and uploaded to CWMS.
To successfully create this SSL certificate bundle, you can follow these tips.
After generating Certificate Signing Request (CSR) on CWMS, using that CSR you will reach out to Public Certification Authority and request SSL cert for your CWMS solution.
1. You will receive a single SERVER SSL cert file for all your CWMS components. This SSL cert file contains just one SSL cert that includes all Subject Alternative Names listed in the CSR you generated.
In CWMS 1.x and 2.0, this cert file is placed at the top of the SSL cert bundle. However, in CWMS 2.5 and later, this SSL cert is placed at the bottom of the SSL cert bundle.
2. You will also receive INTERMEDIATE SSL CERT bundle from CA. This bundle usually includes three SSL certificates:
Hence, to create SSL cert bundle on CWMS 1.x and 2.0 version levels, you would do the following:
A. Open SERVER SSL CERT in notepad, B. Save the file as SSL cert bundle, C. Open the INTERMEDIATE SSL CERT bundle in notepad, D. Copy the top two SSL certs (secondary intermediate and primary intermediate) and paste these below SERVER SSL CERT as they are already in the correct order. This action will create this required chain:
Hence, to create SSL cert bundle on CWMS 2.5 version level, you would follow these steps:
A. Open a new blank file in notepad, B. Open INTERMEDIATE SSL CERT bundle in notepad, C. Copy the Primary Intermediate (MIDDLE CERT in the INTERMEDIATE SSL CERT bundle file) to the top of the blank notepad file, D. Copy the Secondary Intermediate (TOP CERT in the INTERMEDIATE SSL CERT bundle file) below Primary Intermediate in the blank notepad file, E. Open SERVER SSL CERT in notepad and copy its content to the very bottom of blank notepad file.
F. At this time, save this new bundle file as CWMS SSL cert bundle and upload it to the system.
In case the CSR file was created outside of CWMS solution, and you also have externally created PRIVATE KEY that you will also need to import to CWMS, PRIVATE KEY will ALWAYS (regardless of the version) be placed at the VERY TOP (above all certs) in CWMS SSL cert bundle.