CUCM 10.5 - CSR/SAN issue

Scott Jones
Level 1

Just upgraded this past weekend to CUCM 10.5.  Today, I'm trying to generate updated certs for the servers per our security policy.  What I'm finding, though, is that the old way of adding additional SANs doesn't seem to work anymore.  We use Active Directory's CA, and usually I would just populate the SANs in the additional attributes field.  Doing that now, though, prevents the cert from being accepted at all.  Using the multi-server option, it will only take SANs that have the FQDN, which is great, but we also use just the hostname to access servers as well...

Has anyone come across a good way to address this kind of issue?

4 Replies

Chris Deren
Hall of Fame

You need to include the SAN with your CSR; to do that, you need to add it via the "set web-security" CLI command.

Also, UC 10.X appliances support multi-server SAN certs, but do not allow IP addresses as SANs.

Thanks Chris.  I've tried that, and it's partially working.  Where I'm stuck is having just hostnames as well as FQDNs.  The TAC engineer I'm working with mentioned attaching a list of separate hostnames to the CSR request (doing a multi-server CSR).  I'm wondering, though, do I just attach the .txt file and generate the CSR or do I need to do anything else to make sure that it populates the hostnames in the text file as well as the automatically discovered ones?

Can you not add multiple SANs by separating them via comma when issuing "set web-security"?

Doesn't look like it, unless I'm messing up not spacing after the commas, etc.  The little bit of documentation I've been able to find indicates you can only add a single one via CLI...
