on 09-18-2020 11:19 AM
Please rate helpful content (i.e. videos, documents, comments). Also, please select the correct answer(s) if any comment(s) answer your question otherwise the questions remains on the support forums as unanswered.
The set web-security CLI command lets you change the information displayed by show web-security, which is also the information used in the certificates. Run show web-security first to gather the current values that you will pass to set web-security.
The help option of the set web-security command (set web-security ?) shows the order and the fields of the command.
The optional task of adding SANs
You can use the set web-security command to add additional CNs to the SAN section of the certificate if your server supports them.
NOTE: In versions below 10.5.1 you can have 1 SAN; however, support for Multi-server SANs was introduced in version 10.5.1.
The method for adding SANs from the CLI is not clear from the output of set web-security ?: the different names must be separated by commas. The other point that the command help does not make clear is that all of the names must form one continuous string, with no spaces, like this:
SAN.Number1.com,SANnumber2.com,SANnumber2.com
Also, I would like my Organization changed from TAC to Cisco TAC, which (because of the space) needs to be enclosed in quotation marks, like this: "Cisco TAC".
Below is a screenshot showing the command that changes my organization to Cisco TAC and adds Subject Alternative Names for my two CUCM subscribers:
NOTE: Be sure to read all of the text in the output you receive before choosing an option when asked whether to proceed.
Once complete, you will need to restart the Cisco Tomcat service on each node where you ran the set web-security command. To restart the Cisco Tomcat service, use the command utils service restart Cisco Tomcat.
This defect covers the inability to change the country field:
https://tools.cisco.com/bugsearch/bug/CSCue76945
Once you have completed this, you should see the changes in the output of show web-security and in your certificates/CSRs.
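The two points above that the command help does not make clear (quoting a value that contains a space, and passing the SANs as one continuous comma-separated string) are easy to get wrong by hand. The following is an added example, not Cisco's code or part of the original document: it builds those two values, refuses IP literals as SAN entries (a third-party CA will not sign a CSR that carries one, as noted further down in this thread), and checks the SAN line from openssl x509 output against the names you expected. The host names and the openssl output line are constructed samples; the positional order of the other fields still has to be taken from set web-security ?.

```python
import ipaddress
import re


def quote_field(value: str) -> str:
    """Wrap a field in double quotes only when it contains whitespace,
    e.g. Organization "Cisco TAC"; a plain value such as TAC is left alone."""
    return f'"{value}"' if re.search(r"\s", value) else value


def is_ip_literal(name: str) -> bool:
    """True for an IPv4/IPv6 address; a public CA will not sign an IP SAN."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def build_san_string(sans) -> str:
    """Join SAN host names into the continuous comma-separated form the CLI
    expects: no spaces anywhere, duplicates dropped, IP literals rejected."""
    seen, cleaned = set(), []
    for raw in sans:
        name = raw.strip().lower()
        if not name or re.search(r"\s", name):
            raise ValueError(f"bad SAN entry: {raw!r}")
        if is_ip_literal(name):
            raise ValueError(f"IP literal not allowed as SAN: {name}")
        if name in seen:
            continue  # a repeated name adds nothing to the certificate
        seen.add(name)
        cleaned.append(name)
    return ",".join(cleaned)


# Matches each DNS: entry in the subjectAltName line printed by
# `openssl x509 -noout -ext subjectAltName`.
SAN_RE = re.compile(r"DNS:([^,\s]+)")


def missing_sans(openssl_san_line: str, expected) -> list:
    """Return the expected names that are absent from the served certificate."""
    present = {m.lower() for m in SAN_RE.findall(openssl_san_line)}
    return sorted({n.lower() for n in expected} - present)


if __name__ == "__main__":
    print(quote_field("Cisco TAC"))
    print(build_san_string(["cucm-sub1.example.com", "cucm-sub2.example.com"]))
    # Constructed sample of the SAN line from openssl x509 output.
    sample = "DNS:cucm-sub1.example.com, DNS:cucm-sub2.example.com"
    print(missing_sans(sample, ["cucm-sub1.example.com", "cucm-sub3.example.com"]))
```

Run the check after the Tomcat restart against the certificate each node actually serves, so a node where the command was skipped shows up as missing names.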
So, our Jabber clients reference the IPs of the clusters, but our signed Tomcat certs are based off of the FQDN, therefore each person gets a security prompt to accept the certificates when they connect. This has prompted thousands of tickets. I'm trying to create signed certs, but add the IPs as SAN entries.
We have mega clusters, up to 21 servers per cluster. When using the multi-server option and downloading the CSR to create a new signed certificate, there's no place to add additional SAN entries. In theory, I would like to add 21 IP addresses as SAN entries.
Any ideas?
What do you have listed under System -> Server on the CUCM? Is it the IP addresses of the servers?
Yes, the IPs are there, per Cisco recommendation to avoid DNS overload.
To avoid the error you will need to list the FQDN of the CUCM.
But with our size of network, and previous DNS throttling issues, per the advice of the Cisco design engineers, we were told to use IPs.
We have 48 clusters, most of which are mega clusters (21 servers), and hundreds of thousands of endpoints. If we have an outage, even a small one, all those phones register via DNS and it's too much of a load.
Are you using an internal or external CA to sign your certificates?
[+5] Good doc.
Regards,
aman
Thank you again, Aman.
External CA source.
We may have figured out a way for this to work. Once we finish testing, I'll put the info here.
I know how to make it work; however, I didn't list that as an option because I highly recommend not doing it. If you are using third-party CA signed certificates, they won't sign a CSR that has an IP address in it. This is why I highly recommend not doing this option. If someone is using an internal CA, this will come back and bite them in the future should they choose to go with an external CA. In your case, it will bite you sooner rather than later.
Can you expand on this? We are getting over 9000 tickets a month and need to fix this as soon as possible. I'd definitely like to hear the pros and cons, and what the process is. We're going with trial and error at this point.
This conversation was completed offline.
Troy, would you mind explaining the solution?
Hi All,
I was trying to add an alternate hostname on CUCM 8.6.2, but it gives a warning that the license needs to be rehosted.
WARNING: Changing this setting will invalidate software license on this server. The license will have to be re-hosted.
Continue(y/n):
Will the license MAC be changed?
CSRs generated from CUCM have the CN as the FQDN, and at the customer side end users browse using only the hostname. Can someone guide me to an alternate solution?
Regards,
Geeta
I know this is an old post, but I wanted to add my 2 cents. You should be able to remedy this by downloading the existing self-signed certs from your servers and installing them in your end users' trust store. This will get rid of the errors you are seeing when signing into Jabber. There is a way to push this change out to PCs, though I am not familiar with that process.
Thank you.
Russell