06-02-2017 05:26 AM - edited 03-17-2019 10:29 AM
Hello,
We have two CUCM nodes and two UCCX nodes and are trying to update certificates so our users don't have to deal with adding certificate exceptions in their browser. Currently, all four nodes are using self-signed certificates.
I followed Cisco's documentation to generate a CSR, have the CSR signed by our internal CA server, and upload the root CA certificate/signed certificates to Certificate Management in CUCM OS Administration as tomcat-trust and tomcat respectively. After applying the certificates, I restarted the tomcat service on both nodes and verified via browser that the new CA signed certificates are being handed out.
The issue I'm having is that the browser is still forcing users to add certificate exceptions when accessing the website even though they're signed by our internal CA. All of our PCs are members of a domain and all have the CA root certificate in their Root Trust certificate store.
One thing I noticed is that IE and Edge seem to trust the certificates and no longer require the user to add exceptions. Do I have something misconfigured, or does IE/Edge only work because of some Microsoft magic? Is there any way to have Chrome and/or Firefox act the same way without spending money on an EV certificate for a site that's only used by internal users? How do you deal with Tomcat certificates for web access to Call Manager/UCCX/Finesse within your organization?
Thanks!
Dan
06-02-2017 07:28 AM
Hi Dan,
I was always under the impression that for Firefox the Windows certificate store does not work. For Chrome I'm not really sure, but you can check Settings -> Advanced -> Manage certificates to see if your root CA is somewhere in the trusted authorities overview. Otherwise you can import your CA certificate and test whether that solves your issue.
For Firefox you need to go to Settings -> Advanced -> Certificates and import your root certificate, so you can check if everything is working in the right order.
If it is, all you have to do now is find a way to distribute this. Maybe you can look into something like this: https://wiki.mozilla.org/CA:AddRootToFirefox
If I can give you some advice, move to a public certificate in the future and stop using local domains. It only costs a couple of dollars a year per SSL certificate, and you don't have to deal with this kind of stuff. Once you use things like Jabber MRA/Expressway, or people bring their own devices into your company, you will get yourself into trouble using local domain certificates.
Good luck!
06-02-2017 07:34 AM
I wasn't aware of the Chrome and Firefox certificate settings, thank you for that.
As far as SSL certificates go, what's your definition of a couple dollars? The ones I've found are $250+ per year. That's a couple dollars in the grand scheme of things, but I wasn't sure if there was somewhere cheaper to get them from.
Thanks again,
Dan
06-06-2017 07:23 AM
Hi Dan,
I don't really want to advertise some SSL authority, but if you Google "cheap SSL" and look for a reseller, you should be able to find SSL certificates for $5-10 apiece. Most of the time you can trial the certificates for two weeks to see if they work for you.
Hope this helps.
06-06-2017 07:31 AM
Understandable. Thanks again for the tip.
I actually ended up contacting Cisco directly about this. They seem to think that the CA-signed certs should be recognized as secure by the browser. Their current theory is that they're being rejected due to being signed with a SHA-1 hash instead of SHA-256.
I'll mark your first response as the answer since it will definitely solve my issue even though it may not be the solution I end up using going forward.
06-02-2017 08:55 AM
Also for the record, importing my CA certificate into Chrome/Firefox worked. I agree that it isn't a solution that's able to scale very well, though.
06-02-2017 07:38 AM
From personal experience:
For Chrome, assuming you're using the CN or a SAN entry for the certificate, you should not require anything else; there should be no warning.
Firefox will still give me the warning and force me to add the exception the first time I log in, even if I have my root cert installed and I'm using the CN from my certificate.
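The thread leaves two candidate causes on the table: Cisco TAC's theory that the internal CA signed the Tomcat certificates with SHA-1, and the CN-versus-SAN question in the reply above (Chrome 58, released in April 2017, stopped matching the commonName at all and requires a subjectAltName). The script below is an added example, not part of the thread or of Cisco's documentation. It builds a throwaway internal CA with openssl, issues three leaf certificates for made-up node names (cucm1.example.internal and friends), and runs the three checks a browser effectively applies: does the chain verify against the CA, is there a SAN, and is the signature hash SHA-2. Paths, host names and the CA name are all assumptions; the only prerequisite is openssl 1.1.1 or 3.x on the PATH. Some OpenSSL builds refuse to sign with SHA-1 at all, so the SHA-1 case is reported as "not generated" where that happens.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a Tomcat certificate issued
# by an internal CA will satisfy a modern browser. Assumes `openssl` (1.1.1 or
# 3.x) is on PATH; the CA name and node FQDNs below are made up.
set -eu

WORK=$(mktemp -d)   # scratch directory for keys and certs (no spaces in path)

# Stand-in for the enterprise root CA that the domain PCs already trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf as an internal CA would from a CUCM/UCCX CSR.
# $1 = file prefix, $2 = node FQDN, $3 = san|nosan, $4 = sha256|sha1
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  ext=""
  if [ "$3" = "san" ]; then
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
    ext="-extfile $WORK/$1.ext"
  fi
  # shellcheck disable=SC2086  # $ext is intentionally word-split
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 "-$4" $ext -out "$WORK/$1.pem" 2>/dev/null
}

# Chain + name check as openssl does it. Note openssl still falls back to the
# CN when there is no SAN, which is exactly what Chrome no longer does.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

has_san() { openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'; }

# First "Signature Algorithm:" line of the decoded cert, e.g. sha256WithRSAEncryption
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# What a current Chrome/Firefox effectively requires: a trusted chain, a SAN
# carrying the name the user types, and a SHA-2 signature.
browser_ok() {
  chain_ok "$1" "$2" && has_san "$1" && [ "$(sig_alg "$1")" != "sha1WithRSAEncryption" ]
}

# --- demo: one good cert, one CN-only cert, one SHA-1 cert (if OpenSSL allows it) ---
make_ca
make_leaf good   cucm1.example.internal san   sha256
make_leaf cnonly cucm2.example.internal nosan sha256
make_leaf legacy uccx1.example.internal san   sha1 || rm -f "$WORK/legacy.pem"

report() {  # $1 = prefix, $2 = FQDN the user would browse to
  if [ ! -f "$WORK/$1.pem" ]; then
    echo "$1: this OpenSSL refuses to sign with SHA-1, skipped"; return 0
  fi
  if browser_ok "$WORK/$1.pem" "$2"; then verdict="browser trusts it"; else verdict="browser warning"; fi
  printf '%-7s chain=%s san=%s sig=%s -> %s\n' "$1" \
    "$(chain_ok "$WORK/$1.pem" "$2" && echo ok || echo FAIL)" \
    "$(has_san "$WORK/$1.pem" && echo yes || echo no)" \
    "$(sig_alg "$WORK/$1.pem")" "$verdict"
}
report good   cucm1.example.internal
report cnonly cucm2.example.internal
report legacy uccx1.example.internal
```

To inspect a real node instead of the generated files, point `chain_ok`/`has_san`/`sig_alg` at the certificate saved from the browser, or fetch it with `openssl s_client -connect cucm1.example.internal:8443 -servername cucm1.example.internal </dev/null | openssl x509` (host name assumed). If the chain and SAN checks pass but Firefox still warns even though the root sits in the Windows store, the relevant switch is Firefox's `security.enterprise_roots.enabled` preference, which makes it read the OS trust store; it exists since Firefox 49 and was off by default at the time of this thread.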