How to change certificate information on CUCM using the "set web-security" command

pkinane · ‎09-18-2020

Please rate helpful content (i.e. videos, documents, comments). Also, please select the correct answer(s) if any comment(s) answer your question otherwise the questions remains on the support forums as unanswered.

The set web-security CLI command will allow you to change the information displayed in show web-security which is also used on certificates. The show web-security CLI command will help you gather the information to use when executing the set web-security command.

The help option when using the set web-security command (set web-security ?) will help you understand the order, and fields of the command.

The optional task of adding SANs

You can use the set web-security command to add additional CNs to the SAN section of the certificate if your server supports them.

NOTE: In versions below 10.5.1 you can have 1 SAN; however, support for Multi-server SANs was introduced in version 10.5.1.

The method for adding SANs using the CLI is not clear in the output of set web-security ? because you need to separate the different names using a comma. The other point, that is not made clear with that set web-security command, is that all of the names need to be a continuous string like such:

SAN.Number1.com,SANnumber2.com,SANnumber2.com

Also, I would like my Organization to be changed from TAC to Cisco TAC which (due to the space) needs to be encompassed by quotations like this: "Cisco TAC".

Below is a screenshot showing me executing the command to change my organization to Cisco TAC and to add Subject Alternate Names of my two CUCM subscribers:

NOTE: Please be sure to read all of the text in the output you receive before making an option when asked to proceed.

Once complete, you will need to restart the Cisco Tomcat service on each node where you used the set web-security command. To restart the Cisco Tomcat service use the command utils service restart Cisco Tomcat.

This defect pertains to the inability to change the country:

https://tools.cisco.com/bugsearch/bug/CSCue76945

Once you have completed this you should see the changes when you use the command show web-security or when you look at your certificates/CSRs.

Please rate helpful content (i.e. videos, documents, comments). Also, please select the correct answer(s) if any comment(s) answer your question otherwise the questions remains on the support forums as unanswered.

Troy Jones · ‎03-10-2016

So, our Jabber clients reference the IP's of the clusters, but our signed tomcat certs are based off of the FQDN, therefore each person gets a security prompt to accept the certificates when they connect. This has prompted 1000's of tickets. I'm trying to create signed certs, but add the IP's as SAN entries.

We have mega clusters, up to 21 servers per cluster. When using the multi-server option, downloading the CSR to create a new signed certificate, there's no place to add additional SAN entries. in theory, I would like to add 21 IP addresses as SAN's entries.

Any ideas?

pkinane · ‎03-10-2016

What do you have listed under System -> server on the CUCM? Is it the IP addresses of the servers?

Troy Jones · ‎03-10-2016

Yes, the IP's are there, per Cisco recommendation to avoid DNS overload.

pkinane · ‎03-10-2016

To avoid the error you will need to list FQDN of the CUCM.

Troy Jones · ‎03-10-2016

But with our size of network, and previous DSN throttling issues, per the advice of the Cisco design engineers, we were told to use IP's.

We have 48 clusters, most of which are mega clusters (21 servers) and hundred's of thousands of end points. If we have an outage, even a small one, all those phones register via DNS and it's too much of a load.

pkinane · ‎03-10-2016

Are you using and internal or external CA to sign your certificates?

Aman Soi · ‎03-11-2016

[+5] Good DOC.

regds,

aman

pkinane · ‎03-11-2016

Thank you again, Aman.

Troy Jones · ‎03-14-2016

External CA source.

We may have figured out a way for this to work. Once we finishish testing, i'll put the info here.

pkinane · ‎03-14-2016

I know how to make it work; however, I didn't list that as an option because I highly recommend not doing it. If you are using third part CA signed certificates, they won't sign a CSR that has an IP address in it. This is why I highly recommend not doing this option. If someone is using an internal CA, this will come back and bit them in the future should they choose to go with an external CA. In your case, it will bite you sooner than later.

Troy Jones · ‎03-14-2016

Can you expand on this? We are getting over 9000 tickets a month and needing to fix this as soon as possible. I'd definitely like to hear the pro's and con's, and what the process is. We're going with trial and error at this point.

pkinane · ‎05-02-2016

This conversation was completed offline.

mwadam · ‎08-31-2016

Troy, Would you mind explaining the solution?

geeta.kumari1 · ‎10-10-2016

Hi All,

I was trying to add alternate hostname on CUCM 8.6.2 but it gives warning that license needs to be rehosted.

WARNING: Changing this setting will invalidate software license on this server. The license will have to be re-hosted.
Continue(y/n):

Will the license mac will be changed ?

CSR generated from CUCM are having CN name as FQDN and at customer side end user browse using only hostname, can some one guide me for an alternate solution.

Regards,

Geeta

rmoore4743 · ‎08-31-2017

@Troy Jones,

I know this is an old post, but wanted to add my 2 cents. You should be able to remedy this by downloading the existing self-signed certs from your servers and installing them in your end users trust store. This will get rid of the errors you are seeing when signing into Jabber. There is a way to push this change out to PC's though I am not familiar with that process.

Thank you.

Russell