dpetrovi
Cisco Employee

As you have probably read in the official documentation, CWMS needs valid SSL certs installed for normal operation. If you use the default self-signed SSL certs, you will keep getting warnings and errors and won't be able to join any meetings until you import those self-signed SSL certs to your endpoint.

To avoid this annoying behavior, you should obtain publicly signed SSL certs. You can use SAN (Subject Alternative Name) or Wildcard SSL certs. 

Most PCs already have the intermediate/root certs of all the major Certification Authorities imported in their trust stores, so when you upload a single publicly signed CWMS SSL cert to your CWMS solution, the PC and the web browser know how to validate that cert and everything appears to be fine.

However, iOS and Android mobile devices might still have a problem validating the CWMS SSL cert on its own and will report SSL cert errors even though a valid publicly signed SSL cert has been installed on CWMS.

To prevent this from happening, you should ensure that CWMS offers the full SSL certificate chain to any endpoint accessing the solution. That means bundling the CWMS SSL cert together with the CA's intermediate SSL certs and uploading that bundle to CWMS.

To successfully create this SSL certificate bundle, you can follow these tips.

 

After generating a Certificate Signing Request (CSR) on CWMS, you submit that CSR to a public Certification Authority and request an SSL cert for your CWMS solution.

1. You will receive a single SERVER SSL cert file for all your CWMS components. This SSL cert file contains just one SSL cert that includes all Subject Alternative Names listed in the CSR you generated.

In CWMS 1.x and 2.0, this cert file is placed at the top of the SSL cert bundle. 
However, in CWMS 2.5 and later, this SSL cert is placed at the bottom of the SSL cert bundle.

2. You will also receive an INTERMEDIATE SSL CERT bundle from the CA. This bundle usually includes three SSL certificates:

TOP – Secondary Intermediate SSL cert
MIDDLE – Primary Intermediate SSL cert
BOTTOM – Root SSL cert   (you don't need Root SSL cert)

 

For a certificate chain to work properly, certs must be ordered sequentially like a daisy chain.

 

In CWMS 1.x and 2.0, the chain should look like this:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

 

Hence, to create the SSL cert bundle on CWMS 1.x and 2.0 version levels, you would do the following:

A. Open SERVER SSL CERT in notepad,
B. Save the file as SSL cert bundle,
C. Open the INTERMEDIATE SSL CERT bundle in notepad,
D. Copy the top two SSL certs (secondary intermediate and primary intermediate) and paste these below SERVER SSL CERT as they are already in the correct order.
This action will create this required chain:

SERVER SSL CERT
SECONDARY INTERMEDIATE SSL CERT
PRIMARY INTERMEDIATE SSL CERT

E. Save this bundle and upload this bundle to your CWMS solution. 

 

In CWMS 2.5 and later versions, the chain is different and should look like this:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

 

Hence, to create the SSL cert bundle on the CWMS 2.5 version level, you would follow these steps:


A. Open a new blank file in notepad,
B. Open INTERMEDIATE SSL CERT bundle in notepad,
C. Copy the Primary Intermediate (MIDDLE CERT in the INTERMEDIATE SSL CERT bundle file) to the top of the blank notepad file,

D. Copy the Secondary Intermediate (TOP CERT in the INTERMEDIATE SSL CERT bundle file) below Primary Intermediate in the blank notepad file,
E. Open SERVER SSL CERT in notepad and copy its content to the very bottom of blank notepad file.

This action will create this required chain:

PRIMARY INTERMEDIATE SSL CERT
SECONDARY INTERMEDIATE SSL CERT
SERVER SSL CERT

F. At this time, save this new bundle file as CWMS SSL cert bundle and upload it to the system.

 

 

In case the CSR file was created outside of the CWMS solution and you also have an externally created PRIVATE KEY that you need to import to CWMS, the PRIVATE KEY is ALWAYS (regardless of the version) placed at the VERY TOP (above all certs) in the CWMS SSL cert bundle.

 

I hope this will help.
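
The two orderings above, as an added Python example (not part of the original post and not Cisco code): it orders the certificates by following each certificate's issuer to the next certificate's subject instead of relying on their position in the CA's file, leaves out the self-signed root, and writes the chain in the order for the given CWMS version with an optional private key on top. The function names and the sample certificates are constructed for illustration; it assumes the secondary intermediate is the issuer of the server cert, compares names byte for byte, and does not verify signatures.

```python
import base64
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def issuer_subject(der):
    """Return the raw DER issuer and subject names of an X.509 certificate."""
    p = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, p)
        fields += [der[p:end]] if tag != 0xA0 else []  # skip the optional [0] version
        p = end
    return fields[2], fields[4]

def build_bundle(pem_text, version, key_pem=""):
    """Order the certificates in pem_text for a CWMS version given as (major, minor)."""
    certs = {}
    for m in CERT_RE.finditer(pem_text):
        issuer, subject = issuer_subject(base64.b64decode("".join(m.group(1).split())))
        if issuer != subject:  # self-signed root: left out of the bundle
            certs[subject] = (issuer, m.group(0) + "\n")
    ends = set(certs) - {issuer for issuer, _ in certs.values()}  # subjects that issued nothing
    chain, cur = [], next(iter(ends)) if len(ends) == 1 else None
    while cur in certs:  # walk server -> secondary -> primary
        cur, pem = certs.pop(cur)
        chain.append(pem)
    if not chain or certs:
        raise ValueError("certificates do not form one chain from one server cert")
    ordered = chain[::-1] if version >= (2, 5) else chain  # 2.5 and later: server cert last
    return (key_pem.strip() + "\n" if key_pem else "") + "".join(ordered)  # key always on top

def sample_cert(issuer, subject):  # constructed stand-in, not a real certificate
    seq = lambda *parts: b"\x30" + bytes([sum(map(len, parts))]) + b"".join(parts)
    name = lambda cn: seq(b"\x0c" + bytes([len(cn)]) + cn.encode())
    head = b"\xa0\x03\x02\x01\x02\x02\x01\x01"  # [0] version v3, serial number 1
    b64 = base64.b64encode(seq(seq(head, seq(), name(issuer), seq(), name(subject)))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SERVER = sample_cert("Secondary CA", "cwms.example.com")  # constructed sample files
CA_BUNDLE = (sample_cert("Primary CA", "Secondary CA") + sample_cert("Root CA", "Primary CA")
             + sample_cert("Root CA", "Root CA"))  # CA file order: secondary, primary, root
```

For real files, pass the concatenated contents of the server cert file and the CA's intermediate bundle as `pem_text`; a missing intermediate raises `ValueError` instead of producing a bundle that mobile clients would reject.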

Comments

Hi Dejan,

So OK, I think we have the correct certificate chain because this message isn't coming any more, but there is a new error message. :(

See here: The private key cannot be decrypted using the provided passphrase

Very strange. I have to find out which password is used for private key.

regards

Matthias

dpetrovi
Cisco Employee

Hi Matthias, 

Do you know if you used any passphrase when creating CSR on ASR? I am not familiar with the process of CSR creation on ASR. 

Also, the private key should be in pem format and decrypted before even being placed to this cert bundle for upload to CWMS. 

I hope this helps.

-Dejan

Hi Dejan,

No, for a CSR request you don't need a passphrase, or you can't set any passphrase.

When I create the CSR request on the ASA, it also gives me the info that it's a PKCS10 enrollment request (CSR).....

It is only one file with content:

-----BEGIN CERTIFICATE REQUEST-----

dgasdgohdasogiho

-----END CERTIFICATE REQUEST-----

Maybe I will find something about Cisco ASA, certificate requests and the private keys.

But thanks for your great support.

regards

Matthias

Hi Dejan,

So now I could resolve my problem.

I exported the PKCS12 file from my ASA again in .pfx format.

Next step: I used the OpenSSL 32-bit version to get the private key.

I used the following commands:

openssl.exe base64 -in GSC.pfx -d -out GSC.bin

openssl.exe pkcs12 -in GSC.bin -nocerts -out GSC.key

openssl.exe pkcs12 -in GSC.bin -nokeys -out GSC.crt

Now I have two files: SSL certificate and private key.

I created a new file Wildcard.cer with contents:

-----BEGIN ENCRYPTED PRIVATE KEY-----

skdhgfohsdgh

-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

dufohsdgos

-----END CERTIFICATE-----

I imported this new file to Cisco Webex.

This was successful :)

Thanks again.

regards

Matthias

 

dpetrovi
Cisco Employee

Thank you for the update, Matthias. I am glad you were able to extract the information from the PFX successfully, and thanks for sharing the steps.

I am glad to hear you were able to resolve this issue and upload the SSL certs to CWMS.

-Dejan

lgarstin
Level 1

Hi Dejan,

 

We're running version 2.8 security patch 1, and are having some strange SSL cert issues.

 

Our internal VMs are on a separate internal domain, so we utilize an external SSL cert for my webex site URL. The problem we're having appears to be related to our internal CA-signed certificate. A small subset of our internal users are receiving a warning when entering a meeting room. I've attached a screenshot to illustrate this (ssl1.png). When the user clicks OK they receive the error attached in the second screenshot (ssl2.png). This appears to be affecting the functionality of sharing a webcam and the ability to call in to the meeting with computer audio.

I can happily share with you any certs that might help resolve this issue.

 

Thanks

 

-Lee

 

