CWMS SSL Certificates - Intermediate SSL cert chains and different CWMS versions


As you have probably read in the official documentation, CWMS needs valid SSL certs installed for normal operation. If you keep the default self-signed SSL certs, you will keep getting warnings and errors, and you won't be able to join any meetings until you import those self-signed certs into your endpoint.

To avoid this annoying behavior, obtain publicly signed SSL certs. You can use SAN (Subject Alternative Name) or Wildcard SSL certs.

Most PCs already have the intermediate/root certs of all the major Certification Authorities in their trust stores, so when you upload a single publicly signed CWMS SSL cert to your CWMS solution, the PC and the web browser know how to validate that cert and everything appears to be fine.

However, iOS and Android mobile devices might still fail to validate the CWMS SSL cert on its own and will report SSL cert errors even though a valid publicly signed SSL cert has been installed on CWMS.

To prevent this, make sure CWMS offers the full SSL certificate chain to every endpoint accessing the solution. That means bundling the CWMS SSL cert and the CA's intermediate SSL certs together and uploading that bundle to CWMS.

To create this SSL certificate bundle successfully, follow these tips.

After generating the Certificate Signing Request (CSR) on CWMS, you submit that CSR to a public Certification Authority and request an SSL cert for your CWMS solution.

1. You will receive a single SERVER SSL cert file for all your CWMS components. This file contains just one SSL cert, which includes all the Subject Alternative Names listed in the CSR you generated.

In CWMS 1.x and 2.0, this cert is placed at the top of the SSL cert bundle.
In CWMS 2.5 and later, this cert is placed at the bottom of the SSL cert bundle.

2. You will also receive an INTERMEDIATE SSL CERT bundle from the CA. This bundle usually includes three SSL certificates:

TOP – Secondary Intermediate SSL cert
MIDDLE – Primary Intermediate SSL cert
BOTTOM – Root SSL cert   (the Root SSL cert is not needed in the CWMS bundle)

 

For a certificate chain to work properly, the certs must be ordered sequentially like a daisy chain: each cert sits next to the cert that issued it.


In CWMS 1.x and 2.0, the chain should look like this:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

 

Hence, to create the SSL cert bundle on CWMS 1.x and 2.0, do the following:

A. Open the SERVER SSL CERT in Notepad,
B. Save the file as the SSL cert bundle,
C. Open the INTERMEDIATE SSL CERT bundle in Notepad,
D. Copy the top two SSL certs (secondary intermediate and primary intermediate) and paste them below the SERVER SSL CERT; they are already in the correct order.
This creates the required chain:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

E. Save this bundle and upload it to your CWMS solution.

 

In CWMS 2.5 and later versions, the chain is different and should look like this:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

 

Hence, to create the SSL cert bundle on CWMS 2.5 and later, follow these steps:

A. Open a new blank file in Notepad,
B. Open the INTERMEDIATE SSL CERT bundle in Notepad,
C. Copy the Primary Intermediate (the MIDDLE CERT in the INTERMEDIATE SSL CERT bundle file) to the top of the blank Notepad file,
D. Copy the Secondary Intermediate (the TOP CERT in the INTERMEDIATE SSL CERT bundle file) below the Primary Intermediate in the blank Notepad file,
E. Open the SERVER SSL CERT in Notepad and copy its content to the very bottom of the blank Notepad file.

This creates the required chain:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

F. Save this new bundle file as the CWMS SSL cert bundle and upload it to the system.

 

 

If the CSR was created outside the CWMS solution and you also have an externally created PRIVATE KEY to import into CWMS, the PRIVATE KEY is ALWAYS (regardless of the version) placed at the VERY TOP of the CWMS SSL cert bundle, above all certs.
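The two orderings above (1.x/2.0 and 2.5+) plus the private-key rule, as an added Python example that is not code from the original article or from Cisco: it splits the CA's files into PEM blocks, takes the TOP and MIDDLE certs of the intermediate bundle as secondary and primary intermediate, drops the BOTTOM root, and emits the blocks in the order the given CWMS version expects, with an external private key on top when one is supplied. The sample files are constructed placeholders (base64 labels, not real certificates), and names such as `bundle_order` and `build_bundle` are this example's own.

```python
"""Build a CWMS SSL certificate bundle in the order the CWMS version expects."""
import base64
import re

# One PEM block: a BEGIN line, its body, and the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(text):
    """Return every PEM block in `text` (certificates, keys, ...) in file order."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def bundle_order(server_pem, intermediate_pem, cwms_version, private_key_pem=None):
    """Return the PEM blocks in the order CWMS `cwms_version` expects.

    server_pem       - the single SERVER SSL cert file from the CA
    intermediate_pem - the CA's intermediate bundle: TOP secondary, MIDDLE primary,
                       BOTTOM root (the root is not needed and is dropped)
    cwms_version     - e.g. "2.0", "2.5", "2.6"
    private_key_pem  - externally created key (only when the CSR was made outside CWMS)
    """
    server = pem_blocks(server_pem)
    if len(server) != 1:
        raise ValueError("server cert file must contain exactly one certificate")
    inter = pem_blocks(intermediate_pem)
    if len(inter) < 2:
        raise ValueError("intermediate bundle must contain secondary and primary intermediate certs")
    secondary, primary = inter[0], inter[1]  # TOP and MIDDLE; BOTTOM (root) is ignored
    m = re.match(r"(\d+)\.(\d+)", cwms_version)
    if not m:
        raise ValueError(f"unrecognised CWMS version {cwms_version!r}")
    if (int(m.group(1)), int(m.group(2))) >= (2, 5):
        order = [primary, secondary, server[0]]    # CWMS 2.5 and later: server cert last
    else:
        order = [server[0], secondary, primary]    # CWMS 1.x and 2.0: server cert first
    if private_key_pem is not None:
        key = pem_blocks(private_key_pem)
        if len(key) != 1 or "PRIVATE KEY" not in key[0]:
            raise ValueError("private key file must contain exactly one PRIVATE KEY block")
        order.insert(0, key[0])  # the key goes at the very top regardless of version
    return order


def build_bundle(*args, **kwargs):
    """Join the ordered blocks into the text that is uploaded to CWMS."""
    return "\n".join(bundle_order(*args, **kwargs)) + "\n"


# Constructed sample files: each body is only a base64 label, not a real certificate.
def fake_pem(label, kind="CERTIFICATE"):
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----"


SAMPLE_SERVER = fake_pem("SERVER") + "\n"
SAMPLE_INTERMEDIATE = "\n".join(
    [fake_pem("SECONDARY INTERMEDIATE"), fake_pem("PRIMARY INTERMEDIATE"), fake_pem("ROOT")]) + "\n"
SAMPLE_KEY = fake_pem("KEY", "RSA PRIVATE KEY") + "\n"

if __name__ == "__main__":
    print(build_bundle(SAMPLE_SERVER, SAMPLE_INTERMEDIATE, "2.5"))
```

With real files, read the server cert, the CA's intermediate bundle and (if any) the key with `open(path).read()` and pass them in; the output is written to the bundle file that is then uploaded.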

 

I hope this will help.

Comments
Hall of Fame Master

Dejan,

 

I am trying to follow this process on a CWMS 2.5MR6 deployment and I keep getting "The certificates do not form a valid certificate chain." when the cert extension is .cer, etc. When I save it as .p12 I get "PKCS12 archive cannot be decrypted using the passphrase. Please retry using a different PKCS12 archive". Where would I get the passphrase from, if the customer just forwarded me the signed SAN cert along with the Intermediate, from which I extracted the root and bundled into one file as directed?

Cisco Employee

Hi Chris,

You shouldn't need the root certificate included in the bundle. Only the Primary intermediate, Secondary intermediate, and SAN cert should be in the bundle, in this order:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

I normally use them in PEM format (not sure in what format you received the cert from the CA). If it is not in PEM format, you can convert it using the SSL Shopper Cert Converter tool: https://www.sslshopper.com/ssl-converter.html . Once you have it in PEM format, you can copy the content of the certs into the bundle and then upload it to CWMS.

Without having a look at the certs, it is hard to identify what needs to be corrected. 

-Dejan

Hall of Fame Master

Running them through the ssl-converter confirms these are .pem (they have a .crt extension). I received 3 certs from the customer:

  1. sfig2.crt
  2. sf_bundle-g2-g1.crt
  3. signedcert.crt

Looking at the first 2, I see they are identical, so I'm not sure of their purpose. Their chain shows:

-Starfield Root Certificate Authority - G2

-- Starfield Secure Certificate Authority - G2

So, I tried bundling one of them along with the signed cert, saved as .pem, and received "invalid chain"; I also tried with the exported root and get the same result. What am I missing?

I've attached the signed cert, if that helps.

 

Cisco Employee

Hi Chris,

Can you please share with me the sf_bundle-g2-g1.crt as well?

Thank you.

-Dejan

Cisco Employee

Hi Chris,

 

Based on the GoDaddy repository, I downloaded sf_bundle-g2-1.crt (https://certs.godaddy.com/repository). If this is the same file you have, in this file you have 3 certs:

TOP CERT- Secondary Intermediate

MIDDLE CERT - Primary Intermediate (or might be even root) certificate

BOTTOM CERT - Top level root certificate

 

I would try creating the following bundles based on some of the certs in this bundle and your server SAN cert:

BUNDLE 1:

MIDDLE CERT from the sf_bundle-g2-1.crt bundle

TOP CERT from the sf_bundle-g2-1.crt bundle

SAN CERT from c7241d8979d076e3.crt_.txt

BUNDLE 2:

TOP CERT from the sf_bundle-g2-1.crt bundle

SAN CERT from c7241d8979d076e3.crt_.txt

 

Try BUNDLE 1 first and let's see if it works.

With intermediate cert chains there is always a bit of a guessing game going on, as each CA sends those bundles in a different order, so I try to decode each cert in the bundle to understand the hierarchy better.

-Dejan
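Decoding each cert in a bundle to learn its hierarchy, as Dejan describes above, and checking the daisy-chain order the article requires, as an added Python example that is not part of the original post or Cisco's tooling: it uses only the standard library, walking the DER of each CERTIFICATE block far enough to read the subject and issuer Names and their CN, then checks that every cert in the bundle is issued by its neighbour (the cert above it in CWMS 2.5+ order, the cert below it in 1.x/2.0 order). The sample certificates are constructed, certificate-shaped DER with placeholder names and no signatures (they exist only so the example runs offline); `hierarchy`, `is_daisy_chain` and the helper names are this example's own.

```python
"""Decode the subject and issuer of each cert in a PEM bundle and check the chain order."""
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def der_certs(pem_text):
    """DER bytes of every CERTIFICATE block in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_CERT.finditer(pem_text)]


def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def common_name(name_der):
    """Walk a DER Name (SEQUENCE OF SET OF SEQUENCE {type, value}) and return its CN."""
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = tlv(name_der, pos)            # one SET (relative distinguished name)
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = tlv(rdn, rpos)           # SEQUENCE { type OID, value }
            _, oid, vpos = tlv(atv, 0)
            _, value, _ = tlv(atv, vpos)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return "<no CN>"


def subject_issuer(cert_der):
    """Return (subject Name, issuer Name) as raw DER content from one X.509 certificate."""
    _, cert, _ = tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = tlv(tbs, 0)              # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)          # serialNumber
    _, _, pos = tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)         # issuer Name
    _, _, pos = tlv(tbs, pos)              # validity
    _, subject, _ = tlv(tbs, pos)          # subject Name
    return subject, issuer


def hierarchy(pem_text):
    """[(subject CN, issuer CN), ...] for each cert in the bundle, in file order."""
    return [tuple(common_name(n) for n in subject_issuer(c)) for c in der_certs(pem_text)]


def is_daisy_chain(pem_text, server_last=True):
    """True when every cert is issued by its neighbour: the cert above it when
    server_last (CWMS 2.5+ order), the cert below it otherwise (CWMS 1.x/2.0 order)."""
    names = [subject_issuer(c) for c in der_certs(pem_text)]
    if not server_last:
        names.reverse()
    return all(names[i + 1][1] == names[i][0] for i in range(len(names) - 1))


# Constructed sample input: certificate-shaped DER carrying only the fields walked
# above (no key, no signature). Placeholder names, not a real CA.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# The CA's intermediate bundle as delivered (TOP secondary, MIDDLE primary, BOTTOM root) ...
CA_BUNDLE = (fake_cert_pem("Secondary Intermediate", "Primary Intermediate")
             + fake_cert_pem("Primary Intermediate", "Root CA")
             + fake_cert_pem("Root CA", "Root CA"))
# ... and a bundle in CWMS 2.5+ order: primary, secondary, server cert last.
CWMS_25_BUNDLE = (fake_cert_pem("Primary Intermediate", "Root CA")
                  + fake_cert_pem("Secondary Intermediate", "Primary Intermediate")
                  + fake_cert_pem("webex.example.com", "Secondary Intermediate"))

if __name__ == "__main__":
    for subject, issuer in hierarchy(CA_BUNDLE):
        print(f"subject: {subject:25} issuer: {issuer}")
    print("CWMS 2.5+ bundle chains correctly:", is_daisy_chain(CWMS_25_BUNDLE))
```

Run `hierarchy()` on the text of a real CA bundle to see which block is the secondary intermediate (issued by the primary), which is the primary (issued by the root) and which is the root (self-issued), so the TOP/MIDDLE/BOTTOM guessing goes away. The link check compares the issuer and subject Names byte for byte, which is how CA-issued certs are normally encoded; it says nothing about signatures or expiry, only about the order of the blocks.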

Hi,

 

Can you please tell me what format the file should be saved in from Notepad, is it .pem or what?

Note: I'm using WebEx 2.5

 

Thanks

Cisco Employee

Hi Oussama,

 

Are you talking about file extension or the actual content of the cert and the format it is displayed in?

As long as the cert is in PEM format (-----BEGIN CERTIFICATE-----  . . . -----END CERTIFICATE-----), you can save the file as .pem, .txt, .cer . All these extensions should be fine.

-Dejan

Hi dpetrovi,

 

  • yes, I'm talking about the extension that should be uploaded to WebEx,

knowing that the file content is (-----BEGIN CERTIFICATE-----  . . . -----END CERTIFICATE-----)

please can you confirm,

  • and is the chain or bundling of the certs the same for Wildcards and SAN?

 

Thanks,

Cisco Employee

Hi Oussama,

As long as the content of the cert file is in PEM format, extensions can be .pem, .cer, .txt. All these should be fine. 

 

As for the bundle, it is not just the Wildcard or SAN cert.

The bundle consists of the content of the Wildcard or SAN cert and the INTERMEDIATE (Primary and Secondary) SSL certs you get from your Certification Authority. Intermediate SSL certs are needed for successful validation of the Wildcard/SAN cert against the ROOT SSL cert of the Certification Authority.

Please check the main article at the top for details about bundling, and also some of the comments to Chris below that might help you understand the bundling principles.

I hope this will help.

-Dejan

Thanks dpetrovi,

 

 

I've read the whole article, I just had some little details to confirm. Thanks a lot for your help.

 

Cheers

Hall of Fame Master

Dejan,

First bundle worked great, thank you.

I have a follow-up question. I applied this cert as the Internal cert; it has SANs for the admin servers' hostnames, the WebEx admin URL and the external URL. With previous versions of CWMS this single cert would have been sufficient, but now I have an External Cert as well. Do I need a separate SAN cert for that, or alternatively can I apply a wildcard cert as the external cert which covers the WebEx URL domain (my servers are in a different domain than the URLs)?

Cisco Employee

Hi Chris,

 

You don't need an External cert. The External cert covers only the WebEx Site URL, and it is meant for cases where the customer has internal VMs using internal domains such as .internal or .local, because CAs won't issue SSL certs for internal domains any longer. Hence, the External cert allows customers to use self-signed SSL certs for internal VMs while using a signed SSL cert for the WebEx Site URL.

This can also be a cost-saving option, in case the customer has an internal CA that can issue certs for internal components, and then uses the External cert option to only buy a Public CA cert for their WebEx Site.

-Dejan

Enthusiast

This worked for me.

Thanks for the information.

Jason

Hi Dejan,

Thanks for this helpful explanation.

Is this still available for version 2.6?

Thanks for your answer.

Philippe.

Cisco Employee

Hi Philippe,

Yes, it is the same in 2.6 version. I will update the document.

-Dejan
