CA signed Cert for CUCM 10.5

chrisnoon11
Level 1

I have a CUCM 10.5.2 cluster that is currently using a self-signed tomcat cert. I need to obtain and install a CA-signed tomcat cert for the publisher; however, the CA will only issue certificates with FQDNs in the CN and/or SAN. Unfortunately, no matter what I do, the CSRs generated always include the internal hostname in the SAN field, so the CA is rejecting them. I do not want to change the server hostnames to FQDN, but I would like the CSR to only include the FQDN.

My phones are not using DNS for TFTP and DNS is not configured on my CUCM cluster... nor is domain-name. I have tried this via CLI with 'set web-security', as well as via the GUI (which actually allows the setting of the CN, but always includes the internal name in the SAN fields, even when the SAN field is left blank).

Thank you in advance.

1 Accepted Solution

Accepted Solutions

Jaime Valencia
Cisco Employee

I'll assume this is a multi-SAN cert you're trying to get

If your CUCM server is defined just as hostname under system -> servers, and you do not have DNS and a domain configured, then you'll only get the hostname.

If you have the hostname and you configure your DNS and domain name, the CSR will use the FQDN from hostname + domain

You'd need to:

A) Add DNS and domain to your config

B) Change to FQDN under system -> server

C) Get the certificates per server, you can adjust the CN when it's going to be issued to just one server.

For multi-SAN, also notice that -ms will be appended to the CN, and that will cause problems with the public CAs.

HTH

java

if this helps, please rate

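As an added illustration of the answer above (not code from the thread or from Cisco), the script below rebuilds the three CSR shapes discussed, a no-domain node whose bare hostname leaks into the SAN, a multi-SAN CSR with the -ms suffix on the CN, and a per-server CSR issued after DNS and domain are configured, and lints each one the way a public CA will before you submit it. The names cucmpub, cucmsub1 and example.com are constructed placeholders, and the -ms.example.com form of the multi-SAN CN is an assumption based on the reply.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the CSR shapes discussed above
# and lint them the way a public CA will, before submitting.
# "cucmpub", "cucmsub1" and "example.com" are constructed placeholder names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway key + CSR with the given CN and SAN list (needs OpenSSL 1.1.1+ for -addext).
mk_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2/O=Example" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Print every DNS name the CSR asks for (CN first, then each SAN entry), one per line.
csr_names() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 only if every name is an FQDN and none carries CUCM's multi-SAN "-ms" suffix.
lint_csr() {
    rc=0
    for name in $(csr_names "$1"); do
        case $name in
            *-ms|*-ms.*) echo "REJECT $name: multi-SAN -ms suffix, public CAs will refuse it"; rc=1 ;;
            *.*)         echo "ok     $name" ;;
            *)           echo "REJECT $name: bare hostname, not an FQDN"; rc=1 ;;
        esac
    done
    return $rc
}

# 1) node with no domain configured: the bare hostname leaks into the SAN
mk_csr nodomain cucmpub.example.com "DNS:cucmpub,DNS:cucmpub.example.com"
# 2) multi-SAN CSR: the CN gets the -ms suffix (assumed form: hostname-ms.domain)
mk_csr multisan cucmpub-ms.example.com "DNS:cucmpub.example.com,DNS:cucmsub1.example.com"
# 3) per-server CSR after DNS + domain are configured: only FQDNs, so it passes
mk_csr perserver cucmpub.example.com "DNS:cucmpub.example.com"

for c in nodomain multisan perserver; do
    echo "== $c.csr"
    lint_csr "$WORK/$c.csr" || true
done
```

Point lint_csr at the CSR you download from OS Administration > Security > Certificate Management to confirm it contains only FQDNs before sending it to the CA.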

8 Replies

Thank you Jaime for the response.  A couple of follow up questions:

Is it ok to do this for only publisher? or does DNS need to be configured clusterwide?

I see that adding a domain requires a reboot, and the warning message recommends rebooting all servers when done, but it doesn't state whether this *must* be done cluster-wide.

I was not planning on making a multi-SAN cert, and it sounds like that is not an option if I need a CA signed cert.  Is it possible to only make a single-server tomcat cert for the pub, and leave the sub certs alone?

If this is going to be just for tomcat and to avoid getting the warning when logging in, it would be as easy to use an internal CA and keep the hostname.

HTH

java

if this helps, please rate

Yes, this is simply to clear the SSL warning on the admin web GUI. Unfortunately, an internal CA is not available. Renaming all the nodes to FQDN and enabling DNS seems like an amount of effort that I'd like to avoid for such a minor issue.

If there's no other way to generate a clean CSR, then I'll see what they want to do.  Thank you for the info!

Then the option would be to generate the CSR per server. If you have a domain and a Windows server, spinning up the CA role takes 10 minutes, and it's free.

HTH

java

if this helps, please rate

There is a business requirement that the cert be signed by a public CA. An internal CA would require that the cert chain be trusted by every client browser, unless I'm missing something.

No, that's correct, but I'm assuming you're doing this for the internal clients, right?

If so, you can just distribute the root cert with a group policy

HTH

java

if this helps, please rate

Yeah, that would certainly seem easier to me as well. At this point, I think I'll push for that. Converting all nodes to FQDN node names seems like overkill. I was just hoping that there was an easy way to dictate the CN and SAN in the CSR.