CWMS SSL Certificates - Intermediate SSL cert chains and different CWMS versions


As you have probably read in the official documentation, CWMS needs valid SSL certificates installed for normal operation. If you keep the default self-signed certificates, clients will keep getting warnings and errors, and nobody will be able to join meetings until those self-signed certificates have been imported into every endpoint's trust store.

To avoid that, obtain publicly signed certificates. Either SAN (Subject Alternative Name) or wildcard certificates will do.

Most PCs already have the intermediate and root certificates of the major Certification Authorities in their trust stores, so when you upload only the single, publicly signed CWMS certificate, the PC and the browser can still complete the chain on their own and everything appears to be fine.

However, iOS and Android devices might not be able to validate the CWMS certificate on its own and will report certificate errors even though a valid, publicly signed certificate is installed. The same goes for any client that neither has the intermediate certificate cached nor fetches it itself: validation stops at the first link it cannot resolve.

To prevent this, make sure CWMS serves the full certificate chain to every endpoint that connects to it. That means the CWMS server certificate and the CA's intermediate certificates must be bundled together in one file and uploaded to CWMS.

The following tips will help you create that bundle correctly.

 

After generating the Certificate Signing Request (CSR) on CWMS, you send that CSR to a public Certification Authority and request a certificate for your CWMS deployment.

1. You will receive a single SERVER certificate file covering all your CWMS components. The file contains one certificate that includes every Subject Alternative Name listed in the CSR you generated.

In CWMS 1.x and 2.0, this certificate goes at the top of the bundle.
In CWMS 2.5 and later, it goes at the bottom of the bundle.

2. You will also receive the INTERMEDIATE certificate bundle from the CA. It usually contains three certificates:

TOP – Secondary intermediate certificate (the CA that signed your server certificate)
MIDDLE – Primary intermediate certificate (signed by the root)
BOTTOM – Root certificate (you don't need the root certificate: clients must already trust it, and a root that has to be sent by the server is of no use to them)

 

For a certificate chain to work, the certificates must be ordered sequentially like a daisy chain, each one adjacent to the certificate that signed it, so that the Issuer field of one link matches the Subject field of the next. A certificate pasted into the wrong position breaks the chain even though every certificate on its own is valid. Which end of the chain the server certificate sits on depends on the CWMS version, as shown below.

 

In CWMS 1.x and 2.0, the chain should look like this:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

 

Hence, to create the certificate bundle on CWMS 1.x and 2.0, you would do the following:

A. Open the SERVER SSL CERT in Notepad.
B. Save the file under a new name as the SSL cert bundle.
C. Open the INTERMEDIATE SSL CERT bundle in Notepad.
D. Copy the top two certificates (secondary intermediate, then primary intermediate) and paste them below the SERVER SSL CERT; they are already in the correct order for this version.
This gives you the required chain:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

E. Save the bundle and upload it to your CWMS system.

 

In CWMS 2.5 and later versions, the chain is reversed and should look like this:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

 

Hence, to create the certificate bundle on CWMS 2.5 and later, you would follow these steps:

A. Open a new blank file in Notepad.
B. Open the INTERMEDIATE SSL CERT bundle in Notepad.
C. Copy the Primary Intermediate (the MIDDLE cert in the INTERMEDIATE SSL CERT bundle file) to the top of the blank file.
D. Copy the Secondary Intermediate (the TOP cert in the INTERMEDIATE SSL CERT bundle file) below the Primary Intermediate in the blank file.
E. Open the SERVER SSL CERT in Notepad and copy its content to the very bottom of the blank file.

This gives you the required chain:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

Make sure every certificate is pasted whole, from its -----BEGIN CERTIFICATE----- line to its -----END CERTIFICATE----- line, with nothing else in between; CWMS rejects the file otherwise.

F. Save this new file as the CWMS SSL cert bundle and upload it to the system.

 

 

If the CSR was created outside CWMS and you therefore also have an externally created PRIVATE KEY to import, the PRIVATE KEY ALWAYS goes at the VERY TOP of the CWMS SSL cert bundle (above all certificates), regardless of the version. Treat that bundle as you would the key itself: keep it off shared drives and delete it once the upload has succeeded.
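The Notepad steps are easy to get wrong by hand, so here is an added example (not from the original post, and not a Cisco tool) that does the same job with OpenSSL: it splits the CA's intermediate bundle, follows the Issuer/Subject daisy chain up from the server certificate, drops the self-signed root, writes the bundle in the 1.x/2.0 or 2.5+ order with an optional private key on top, and verifies the result. It goes beyond the three-certificate case in the post and handles any number of intermediates. `openssl` 1.1.1 or later is assumed; the `make_demo_pki` function generates a throwaway hierarchy with made-up names (Demo Root CA, webex.example.com) purely so the example can run offline.

```shell
# Added example, not code from the original post: build and check a CWMS-style
# bundle with OpenSSL instead of Notepad. Assumes `openssl` 1.1.1 or later on
# PATH; the demo CA names and host names below are made up.
set -eu

# RFC 2253 subject or issuer ($2 = subject|issuer) of the first cert in file $1.
name_of() { openssl x509 -noout -"$2" -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*=//'; }

# Split a PEM file into $2/cert01.pem, cert02.pem, ... in file order. Only
# CERTIFICATE blocks are kept, so keys and "Bag Attributes" lines drop out.
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); in_cert = 1 }
                   in_cert { print > f }
                   /-----END CERTIFICATE-----/ { in_cert = 0; close(f) }' "$1"
}

# Walk the daisy chain up from server cert $1: each link is the cert in $2/
# whose Subject equals the previous link's Issuer. Prints the intermediates
# leaf-side first and stops at the self-signed root (Subject == Issuer)
# without printing it: clients must already trust the root, so sending it adds nothing.
chain_up() {
  want=$(name_of "$1" issuer); depth=0
  while [ "$depth" -lt 10 ]; do
    next=""
    for c in "$2"/cert*.pem; do
      [ "$(name_of "$c" subject)" = "$want" ] || continue
      next=$c; break
    done
    [ -n "$next" ] || break
    [ "$(name_of "$next" subject)" != "$(name_of "$next" issuer)" ] || break
    echo "$next"; want=$(name_of "$next" issuer); depth=$((depth + 1))
  done
}

# build_cwms_bundle VERSION SERVER_CERT INTERMEDIATE_BUNDLE OUT [PRIVATE_KEY]
#   1.x / 2.0: server cert first, then the intermediates leaf-side up
#   2.5+:      intermediates root-side down, server cert last
# A private key, when given, goes on top whatever the version.
build_cwms_bundle() {
  ver=$1; srv=$2; inter=$3; out=$4; key=${5:-}
  tmp=$(mktemp -d); split_pem "$inter" "$tmp"
  links=$(chain_up "$srv" "$tmp")
  [ -n "$links" ] || { echo "nothing in $inter issued $srv" >&2; rm -rf "$tmp"; return 1; }
  ( umask 077; : > "$out" )   # the file may carry a private key: owner-only
  [ -z "$key" ] || cat "$key" >> "$out"
  case $ver in
    1.*|2.0) cat "$srv" $links >> "$out" ;;
    *)       cat $(printf '%s\n' "$links" | sed -n '1!G;h;$p') "$srv" >> "$out" ;;
  esac
  rm -rf "$tmp"
}

# verify_bundle BUNDLE ROOT_CERT: every cert in BUNDLE must chain to ROOT_CERT
# using only the other certs in BUNDLE; the report also says where the server
# cert (the one that issued nothing else) sits, i.e. which CWMS order this is.
verify_bundle() {
  tmp=$(mktemp -d); split_pem "$1" "$tmp"; cat "$tmp"/cert*.pem > "$tmp/untrusted.pem"
  issuers=$(for c in "$tmp"/cert*.pem; do name_of "$c" issuer; done)
  n=0; leaf=0
  for c in "$tmp"/cert*.pem; do
    n=$((n + 1))
    openssl verify -CAfile "$2" -untrusted "$tmp/untrusted.pem" "$c" >/dev/null 2>&1 ||
      { rm -rf "$tmp"; echo "cert $n does not chain to $2"; return 1; }
    printf '%s\n' "$issuers" | grep -Fxq -- "$(name_of "$c" subject)" || leaf=$n
  done
  rm -rf "$tmp"
  if   [ "$leaf" -eq 1 ];    then echo "server-cert-first ok (CWMS 1.x/2.0 order)"
  elif [ "$leaf" -eq "$n" ]; then echo "server-cert-last ok (CWMS 2.5+ order)"
  else echo "server cert at position $leaf of $n: check the order"; fi
}

# make_demo_pki DIR: throwaway hierarchy shaped like what a public CA ships,
# Demo Root CA -> Demo Primary Intermediate -> Demo Secondary Intermediate -> server.
# Leaves server.key, server.pem, root.pem and intermediates.pem (in the CA's
# usual order: secondary, primary, root) in DIR.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = placeholder' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    '[srv_ext]' 'basicConstraints = CA:FALSE' \
    'subjectAltName = DNS:webex.example.com,DNS:admin.webex.example.com' > "$d/req.cnf"
  issue() {   # issue NAME SUBJECT EXT_SECTION ISSUER ("self" = self-signed)
    openssl genrsa -out "$d/$1.key" 2048 2>/dev/null
    openssl req -new -key "$d/$1.key" -subj "$2" -config "$d/req.cnf" -out "$d/$1.csr"
    if [ "$4" = self ]; then
      openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" -days 30 -sha256 \
        -extfile "$d/req.cnf" -extensions "$3" -out "$d/$1.pem" 2>/dev/null
    else
      openssl x509 -req -in "$d/$1.csr" -CA "$d/$4.pem" -CAkey "$d/$4.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/req.cnf" -extensions "$3" -out "$d/$1.pem" 2>/dev/null
    fi
  }
  issue root      "/CN=Demo Root CA"                ca_ext  self
  issue primary   "/CN=Demo Primary Intermediate"   ca_ext  root
  issue secondary "/CN=Demo Secondary Intermediate" ca_ext  primary
  issue server    "/CN=webex.example.com"           srv_ext secondary
  cat "$d/secondary.pem" "$d/primary.pem" "$d/root.pem" > "$d/intermediates.pem"
}
```

Usage: `make_demo_pki /tmp/demo`, then `build_cwms_bundle 2.5 /tmp/demo/server.pem /tmp/demo/intermediates.pem bundle.pem /tmp/demo/server.key`, and `verify_bundle bundle.pem /tmp/demo/root.pem` reports which order the bundle is in. For a real certificate, point the same functions at the files your CA sent and at the CA's root certificate, which you need only for the verification step. `openssl verify` itself does not care about the order of the certificates it is given, which is why the function reports the position of the server certificate separately: CWMS does care.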

 

I hope this will help.

Comments
Contributor

Dejan,

Does that mean that if we upgrade from 2.0 to 2.6 we will need to re-upload the certificate in the format/order you have specified, or is this only applicable to a new install?

Thanks

Cisco Employee

Hi,

If the SSL cert is valid on version 2.0, it will be just fine after the update to 2.6. However, once the SSL cert expires, you will have to create a new CSR on CWMS, obtain the new SSL cert, and then bundle it in the required order and upload it to the system.

I hope this answers your question.

-Dejan

Enthusiast

You rock, man. I don't think I would have figured this out without your directions.

Cisco Employee

Thank you for the kind words. I am glad this was of help.

-Dejan

Beginner

Hi Dejan ,

The internal SSL certificate on my CWMS server is going to expire. I have received only the SSL certificate from the CA and haven't received any intermediate certificate. Will there be any issue if I just upload the SSL certificate to the CWMS server? The CSR was generated from the CWMS server.

Thanks in advance

Regards,

Shibin

Cisco Employee

Hi Shibin,

Normally, CAs do have the required intermediate SSL certs. I would suggest reaching out to the CA and confirming with them that they have the corresponding intermediate SSL certs for you to download.

You can upload just the server SSL cert to CWMS without issues, but any client that doesn't have the intermediate SSL cert in its trust store won't be able to access the site or join meetings without getting a Certificate Validation Error.

Hence, I would strongly recommend you include the intermediate SSL cert(s) in the cert bundle being uploaded to CWMS.

-Dejan 

Beginner

Hi Dejan ,

Thanks a lot for your quick response on this. I have received a link where I can download the intermediate CA certificates. When I click on the link it asks me to select the server platform. Any idea which server platform I need to select? When I select Cisco I can see only ASA 5520 as an option.

Also, since the CSR was generated from the CWMS server, I don't need to include the private key in the certificate bundle, right?

Regards,

Shibin

Cisco Employee

Hi Shibin,

Apache/Tomcat should be the platform.

-Dejan

Beginner

Thank you Dejan.

Hi, thanks for your document.

We are also running Webex version 2.7.1.2066 and your instructions would be very helpful

if I had made the CSR request on CWMS, but what if I made the CSR request on a Cisco ASA 5515-X? In my situation I did. I sent this CSR request from the ASA to the Certificate Authority and received some certificates back. We ordered a wildcard certificate.

I received 4 files in .pem format:

- certificate.crt
- intermediate1.crt
- intermediate2.crt
- root.crt

I installed certificate.crt on the ASA under the identity certificate section and the others under CA certificates.

All is fine and it works. I exported this identity certificate in PKCS12 format and installed it on another ASA, also fine.

I wanted to install the same on CWMS (internal/external certificate) but I get this error message every time:

PKCS12 archive cannot be decrypted using the passphrase. Please retry using a different PKCS12 archive

So I don't know if I have done everything correctly, or maybe I am just stupid??

I am not an expert on certificate topics etc.

regards

Matthias

Cisco Employee

Hi Matthias,

I've seen this kind of issue with PKCS12 files.

Can you try to convert this file into a PEM file (maybe use something like this: https://www.sslshopper.com/ssl-converter.html)?

Once you have the PEM file, use the content of that file to create a new file that bundles the Private Key, the Intermediate SSL certs and the Wildcard SSL cert into a single file.

To do this, open your converted PEM file in Notepad.

Also, open a new file in Notepad.

In the new file, first copy the PRIVATE KEY content to the top of the file:

-----BEGIN RSA PRIVATE KEY-----
fdgsdfgdhgfhd
-----END RSA PRIVATE KEY-----

Then, right below it, copy the Primary Intermediate SSL cert:

-----BEGIN CERTIFICATE-----
primaryfgdgfddghfgh
-----END CERTIFICATE-----

Below it, copy the Secondary Intermediate SSL cert:

-----BEGIN CERTIFICATE-----
secondaryjhghghhghghg
-----END CERTIFICATE-----

And finally, at the bottom of the file, copy the Wildcard SSL cert content:

-----BEGIN CERTIFICATE-----
wildcardcbcbcbbcbcbcb
-----END CERTIFICATE-----

When you are finished copying this into the new file, it should look like this:

-----BEGIN RSA PRIVATE KEY-----
fdgsdfgdhgfhd
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
primarygdgfddghfgh
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
secondaryhghghhghghg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wildcardcbcbcbbcbcbcb
-----END CERTIFICATE-----

Save this new bundle file as a .cer file and upload it to CWMS.

Let me know if this helps.

-Dejan
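For the PKCS12 route discussed in this reply, here is an added example (not from the thread, and not a Cisco procedure) of doing the conversion with the OpenSSL command line instead of a web converter, which matters because a private key pasted into a third-party web page is a private key someone else now holds. `p12_to_pem` unpacks the archive into a bare key file and a bare certificate file, stripping the `Bag Attributes` lines, and `key_matches_cert` confirms the private key really belongs to the certificate before you bundle them. `make_demo_p12` stands in for the ASA's "export as PKCS12" with a made-up self-signed wildcard certificate so the example runs offline; the passphrase and file names are invented.

```shell
# Added example, not code from the thread: unpack a PKCS#12 export into the
# PEM pieces CWMS wants and prove the key belongs to the certificate before
# bundling. Assumes `openssl` on PATH; file names and the passphrase are made up.
set -eu

# p12_to_pem P12 PASSPHRASE OUTDIR: writes OUTDIR/key.pem (unencrypted,
# owner-only) and OUTDIR/certs.pem. Fails, leaving no partial files, when the
# passphrase is wrong or the archive cannot be read. OpenSSL 3 rejects the
# RC2/3DES ciphers older exporters use unless -legacy is given, hence the retry.
p12_to_pem() {
  p12=$1; pass=$2; out=$3; mkdir -p "$out"
  (
    umask 077
    openssl pkcs12 -in "$p12" -nodes -passin "pass:$pass" -out "$out/all.pem" 2>/dev/null ||
      openssl pkcs12 -in "$p12" -nodes -passin "pass:$pass" -out "$out/all.pem" -legacy 2>/dev/null ||
      exit 1
    # keep only the PEM blocks: the "Bag Attributes"/"friendlyName" lines that
    # openssl pkcs12 prepends are not part of PEM and some importers reject them
    awk '/-----BEGIN .*PRIVATE KEY-----/ { k = 1 } k { print } /-----END .*PRIVATE KEY-----/ { k = 0 }' \
      "$out/all.pem" > "$out/key.pem"
    awk '/-----BEGIN CERTIFICATE-----/ { c = 1 } c { print } /-----END CERTIFICATE-----/ { c = 0 }' \
      "$out/all.pem" > "$out/certs.pem"
  ) || { rm -f "$out/all.pem" "$out/key.pem" "$out/certs.pem"; return 1; }
  rm -f "$out/all.pem"
}

# key_matches_cert KEY CERT: succeeds only if CERT carries the public half of KEY.
# Run this before bundling: a key from the wrong trustpoint produces a bundle
# CWMS accepts as a file but cannot use for TLS.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_demo_p12 DIR PASSPHRASE: stands in for "export identity certificate as
# PKCS12" on the ASA, using a throwaway self-signed wildcard certificate.
make_demo_p12() {
  mkdir -p "$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = *.example.com' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/orig.key" -out "$1/orig.pem" \
    -config "$1/req.cnf" -days 30 -sha256 2>/dev/null
  openssl pkcs12 -export -in "$1/orig.pem" -inkey "$1/orig.key" -name asa-identity \
    -passout "pass:$2" -out "$1/asa.p12"
}
```

Usage: `p12_to_pem asa.p12 'the export passphrase' ./pem` followed by `key_matches_cert pem/key.pem pem/certs.pem`; then `pem/key.pem` goes at the top of the CWMS bundle and the certificates from `pem/certs.pem` (plus the CA's intermediates) follow in the order for your CWMS version. A wrong passphrase fails both `openssl pkcs12` attempts, which is what the "cannot be decrypted" situation looks like on the command line; an archive that only fails without `-legacy` was built with ciphers OpenSSL 3 no longer enables by default.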

Hi Dejan,

thanks for your quick answer.

I tried to convert this PKCS12 file to PEM with your linked site but I got an error message:

"There was a problem converting that certificate. The password you entered may have been incorrect. If you are sure it is correct, try converting the file on your own machine using the commands below."

Also when I use OpenSSL to convert the file, same problem.

But I can also export the certificate from the ASA as a .PEM file.

I did that and created the bundle file, then uploaded it to CWMS but...

this error message came: "Not a valid certificate file. X.509 certificates with PEM and DER encoding and PKCS12 Archives are supported."

I saved this bundle file as .cer and as .crt but with both I got this error.

Any idea?

Cisco Employee

Is there a way to export the private key from the ASA to a PEM file and then download the Intermediate and Wildcard SSL certs directly from the Certification Authority?

-Dejan

Hi Dejan,

I am not sure. With the command "show crypto key mypubkey rsa" I can see which key pair was generated, with the key name "Trustpointxxx" for the CSR request, but I am not sure if this is the private key.

A direct download of the certificate isn't possible. :(

And I checked the mail I received from the Certificate Authority. Attached to this mail were a zip file and the certificates in text format.

The contents of the zip file:

- Linux (pem+cabundle)
  - cert.cabundle ---> (containing COMODO RSA Domain Validation Secure Server CA and COMODO RSA Certification Authority)
  - certificate.crt ---> (containing *.ourdomain.com)
- Plesk (Certificate+CACertificate)
  - cacertcertificate.crt ---> (containing COMODO RSA Domain Validation Secure Server CA and COMODO RSA Certification Authority)
  - certificate.crt ---> (containing *.ourdomain.com)
- Windows (pem)
  - intermediate2.crt ---> (containing COMODO RSA Certification Authority)
  - intermediate1.crt ---> (containing COMODO RSA Domain Validation Secure Server CA)
  - certificate.crt ---> (containing *.ourdomain.com)
- other (pem)
  - root.crt ---> (containing AddTrust External CA Root)
  - intermediate2.crt ---> (containing COMODO RSA Certification Authority)
  - intermediate1.crt ---> (containing COMODO RSA Domain Validation Secure Server CA)
  - certificate.crt ---> (containing *.ourdomain.com)
- other (pkcs7)
  - certificate.cer ---> (containing all certificates)

And the certificates in text form are:

- PositiveSSL Wildcard Certificate for *.ourdomain

- COMODO RSA Domain Validation Secure Server CA Intermediate Certificate

- COMODO RSA Certification Authority Intermediate Certificate

- AddTrust External CA Root Root Certificate

I tried again today to create a bundle with the certificates in text form.

One with your certificate chain:

----BEGIN RSA PRIVATE KEY----
fdgsdfgdhgfhd
----END RSA PRIVATE KEY---
----BEGIN SSL CERTIFICATE----
primarygdgfddghfgh
----END SSL CERTIFICATE-----
----BEGIN SSL CERTIFICATE----
secondaryhghghhghghg
----END SSL CERTIFICATE-----
----BEGIN SSL CERTIFICATE----
wildcardcbcbcbbcbcbcb
----END SSL CERTIFICATE-----

Here I got this error message:

Not a valid certificate file. X.509 certificates with PEM and DER encoding and PKCS12 Archives are supported.

Then I created a second file with this chain:

----BEGIN RSA PRIVATE KEY----
jpojpjpjjp
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
hohhphhppo
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ojpjpojpjpjp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
jpjpojpjpj
-----END CERTIFICATE-----

Here I got this error message:

The certificates do not form a valid certificate chain

Both chains were built in this order:

1. Private Key

2. COMODO RSA Domain Validation Secure Server CA Intermediate Certificate

3. COMODO RSA Certification Authority Intermediate Certificate

4. PositiveSSL Wildcard Certificate for *.ourdomain

Sorry for my difficult case :(

regards

Matthias

Cisco Employee

Hi Matthias,

For the bundle you created where you got the error "the certificates do not form a valid certificate chain", can you try swapping the order of the intermediate SSL certs:

1. Private Key

2. COMODO RSA Certification Authority Intermediate Certificate

3. COMODO RSA Domain Validation Secure Server CA Intermediate Certificate

4. PositiveSSL Wildcard Certificate for *.ourdomain

and try it that way?

-Dejan