Add IP address on CUCM SAN certificate

nicanor00
Level 1

Hi,

I have CUCM 12.5 and my own CA.

For internal purposes, I need to add an IP address as a SAN on the certificate.

How can I do it?

15 Replies

You can add the IP address in the CN field.

Output of a CSR decoder (online tool) showing the CSR details:

[Screenshot 2021-04-26 at 1.01.04 PM.png]

On CUCM, while generating the CSR, I added the IP address as the common name.

[Screenshot 2021-04-26 at 12.57.51 PM.png]

nicanor00
Level 1

Hi, and thanks for your answer.

It looks like we don't have the same interface; anyway, we have the same menu.

I need to generate CSRs for: tomcat, CallManager and IPsec.

I have CUCM and IM&P (a subscriber and a publisher of each).

The CUCM name is ABCD.tomato.com

The domain name is tomato.com

The IP address of the CUCM is 192.168.0.1

My CA accepts only one unique common name, so it cannot accept 2 CSRs with the same common name.

When I put the IP address of the CUCM in the SAN, it doesn't accept it.

In my situation, please, how can I add the IP address in the SAN?

Thanks
We both have the same interface. Add the IP in the common name and add the FQDN in the SAN.

Great answer by Nithin above. Just remember that you can add more than one SAN, separated by commas. So if your signing authority returns the certificate with the top-level domain or www on the front (GoDaddy), you can add more SANs in that field.

Please rate if this helps.

Hi all,

Thanks for your answers.

I need to generate 3 CSRs: tomcat, IPsec and CallManager.

My CA cannot accept 2 CSRs with the same common name (the same CUCM IP address) for all 3 of those CSRs.

So please, how can I manage it?

I have never seen such an issue where a CA cannot accept 2 CSRs with the same common name. I have renewed the CSRs for all the services you mentioned, and my server team was able to sign each individual CSR using a Microsoft CA.

Vinod16
Level 1

@Nithin Eluvathingal Hi Nithin,

I am adding the IP in the CN and, in the SAN, the parent domain (domain, FQDN of CUCM), but I'm getting an error while generating the cert:

Invalid Parent Domain. Please use a standard domain format.

CUCM 12.5

You cannot enter an IP address in the Parent Domain field as a SAN entry. As already written by @Nithin Eluvathingal, you can't add the IP in the parent domain.

I'm also having the same problem. I also tried to create a CSR with Distribution set to "Multi-server", but I don't know how to add IP addresses to the SAN field. Can you share with me how to do it properly, please?

If you would read carefully, your question would be unnecessary:
"You cannot enter an IP address in the field parent domain as a SAN entry."

As @b.winter and @Nithin Eluvathingal have already written, you cannot add IP addresses to the CSR. It is not intended to work, as it is not a proper thing to do in a certificate. It should only contain FQDNs and DNS domains.

j.a.m.e.s
Level 4

In fact, the comments from @b.winter and @Nithin Eluvathingal say that IP addresses cannot be added to the Parent Domain field.

IP addresses in the SAN field are a proper thing to do: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

"When the subjectAltName extension contains an iPAddress, the address MUST be stored in the octet string in "network byte order", as specified in [RFC791]."

It seems that Cisco UC products don't really support the RFC correctly, but we seem to be having some success with IP addresses listed under "set web-security"; it's just that they show up in the SAN field of the CSR as dNSName (the Cisco Generate CSR GUI doesn't even show them, but they appear in the CSR file!). AFAIK this isn't really following the RFC, but in reality it appears to work.

If Cisco doesn't support IP addresses in SANs, this makes me think their voice products will fail should DNS go down. That is not a behaviour we want from a phone system.

ucanduc
Level 4

There's a way to generate a CSR (though unsupported) from CUCM with IP addresses as SANs. The limitation is that the SAN will be marked as a DNS SAN (and not an iPAddress SAN).

For this, I needed to use the DevTools of the browser (Chrome, for example) to override the content of a web page while browsing it.

In fact, the page certificategeneratenewcsr.do blocks inputting IP addresses only in the GUI, but it works perfectly fine when generating the CSR and then importing the certificates.

The JS on the certificategeneratenewcsr.do page contains a function called ValidateDomain which basically checks the input against a regex that only allows FQDNs and not IP addresses. You can short-circuit that function by putting "return true" just before the "return status".

Then you can input IP addresses (and basically anything you want), and at this point you assume responsibility for checking the input.

I had to do this because our system uses IP addresses, we were not willing to switch the CUCM nodes to FQDNs, and we suffered from a certificate alert error in Jabber (bug for Home UDS returning IP addresses in the list of servers).

Putting the IP address in the Common Name is not viable for us because it means we drop the single cluster-wide multi-SAN certificate and go back to a per-server certificate scheme (not good).

Providing the certificate with IP addresses as DNS SANs actually solved the Jabber certificate alert, and it now shows VALID with Ctrl+Shift+D.

I don't know why Cisco doesn't support IP addresses in CUCM SANs; clearly it's only the CUCM GUI which blocks that, through JS. Otherwise, the CSR generator engine and certificate import work pretty well with IPs as DNS SANs.
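The encoding difference j.a.m.e.s and ucanduc describe above, as an added example that is not part of any post in this thread and not Cisco code: a small pure-Python DER encoder/decoder for the GeneralNames value of the subjectAltName extension, using the thread's own names (ABCD.tomato.com, 192.168.0.1). A real iPAddress entry ([7], tag 0x87) carries the raw address octets in network byte order as RFC 5280 4.2.1.6 requires; the CUCM CSR generator, per the thread, instead emits the IP as a dNSName ([2], tag 0x82), i.e. the ASCII text "192.168.0.1". The matches_host helper and its strict/lenient modes are my assumptions about how a client validator might treat each form, not a description of Jabber's actual logic; the encoder is a teaching model, not a replacement for openssl or a real ASN.1 library.

```python
"""
subjectAltName encoding: iPAddress vs. an IP address written as dNSName.

Added example for this thread; not CUCM code. Minimal DER handling only,
enough for the GeneralNames value of the SAN extension (RFC 5280 4.2.1.6).
"""
import ipaddress

# Context-specific, implicitly tagged GeneralName choices used here
TAG_DNS_NAME = 0x82   # [2] dNSName   (IA5String)
TAG_IP_ADDR = 0x87    # [7] iPAddress (OCTET STRING, network byte order)
TAG_SEQUENCE = 0x30   # GeneralNames ::= SEQUENCE OF GeneralName


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def encode_san(entries):
    """entries: list of ("dns", text) or ("ip", text). Returns DER GeneralNames."""
    body = b""
    for kind, value in entries:
        if kind == "dns":
            # Whatever text is given becomes the dNSName, even "192.168.0.1":
            # this is the form the thread reports CUCM producing.
            body += _tlv(TAG_DNS_NAME, value.encode("ascii"))
        elif kind == "ip":
            # .packed is the 4- or 16-octet big-endian (network order) form
            body += _tlv(TAG_IP_ADDR, ipaddress.ip_address(value).packed)
        else:
            raise ValueError(f"unsupported GeneralName kind: {kind}")
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_san(der: bytes):
    """Inverse of encode_san; unknown GeneralName types come back as hex."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_IP_ADDR:
            names.append(("ip", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value.hex()))
    return names


def matches_host(entries, host: str, strict: bool = True) -> bool:
    """Assumed validator logic for illustration, not any real client's.

    strict=True : an IP literal only matches an iPAddress entry (RFC 6125 style).
    strict=False: an IP literal also matches a dNSName whose text equals it,
                  the lenient behaviour the thread reports seeing in Jabber.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in entries:
        if ip is not None:
            if kind == "ip" and ipaddress.ip_address(value) == ip:
                return True
            if not strict and kind == "dns" and value == host:
                return True
        elif kind == "dns" and value.lower() == host.lower():
            return True
    return False


if __name__ == "__main__":
    rfc_style = encode_san([("dns", "ABCD.tomato.com"), ("ip", "192.168.0.1")])
    cucm_style = encode_san([("dns", "ABCD.tomato.com"), ("dns", "192.168.0.1")])
    for label, der in (("RFC 5280 iPAddress", rfc_style), ("IP as dNSName", cucm_style)):
        print(label, der.hex(), decode_san(der))
        print("  strict  match 192.168.0.1:", matches_host(decode_san(der), "192.168.0.1"))
        print("  lenient match 192.168.0.1:", matches_host(decode_san(der), "192.168.0.1", strict=False))
```

Running it prints the two DER encodings side by side: the RFC form ends in `87 04 c0 a8 00 01` (four raw octets), the CUCM-style form in `82 0b 31 39 32 2e ...` (the ASCII digits). A strict validator accepts only the first for a connection to 192.168.0.1, which is why a certificate that "looks right" in a decoder can still fail in a client that follows RFC 6125, and why the lenient behaviour the thread reports is client-specific rather than guaranteed.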