02-01-2023 07:37 AM
Trying to get Secure LDAP (TCP 636) working between customer on-prem AD and CUCM14. Receiving a certificate unknown error when configuring the CUCM security association. I have extracted the Root CA and Intermediate certs from the wildcard server cert that the customer has provided (*.company.org) and dropped them in to the tomcat-trust and callmanager-trust lists. Reset Tomcat, CTI services, checked DirSync, etc. Does CUCM support wildcard certificates as part of the TLS handshake? There's an old post on here from 2009 that suggests they are not.
Solved! Go to Solution.
02-01-2023 11:25 AM
No Cisco Collab product supports wildcard certs as the server identity certificate; however, that should not be an issue for outbound connections where CUCM is the TLS client attempting to validate a wildcard cert from an external system.
Did you restart DirSync itself? You mention restarting Tomcat but then say “checked DirSync” instead of restarted.
If yes, grab a PCAP from the publisher and see what the TLS handshake looks like. Is the cert chain offered by the LDAP server what you uploaded to Tomcat-trust? Are the CRL and/or OCSP URLs in the certs valid and working, i.e. HTTP:// vs. LDAP:// (a common mistake when deploying AD CS)?
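The two checks in this answer (does the chain the LDAP server presents actually terminate at the root you uploaded to tomcat-trust, and does its wildcard name cover the host CUCM dials) as an added, self-contained example that is not from the thread. It builds a throwaway root / issuing CA / wildcard leaf under the constructed name example.test instead of the customer's *.company.org, and adds an unrelated root to stand in for the wrong certs; the hostnames are assumptions.

```shell
#!/bin/sh
# Constructed example: build a test chain offline, then run the same checks
# you would run on the chain pulled from a PCAP or from the live server with
#   openssl s_client -connect <ldap-host>:636 -showcerts </dev/null
set -e
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'subjectAltName=DNS:*.example.test\nbasicConstraints=CA:FALSE\n' > leaf.ext

# Root CA (what belongs in tomcat-trust) and an unrelated root standing in
# for the wrong certificates the customer handed over.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
  -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
  -subj "/CN=Unrelated Root CA" -keyout wrong.key -out wrong.pem 2>/dev/null
# Issuing CA signed by the root, then a wildcard leaf signed by the issuing CA.
openssl req -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Constructed Issuing CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions ca -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Does the presented leaf chain to the trust-anchor file via the intermediate
# the server sent, and does its wildcard name cover the LDAPS hostname?
# $1 = trust-anchor PEM (what was uploaded), $2 = hostname. Returns 0 if OK.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted int.pem \
    -verify_hostname "$2" leaf.pem >/dev/null 2>&1
}

# Print subject/issuer of each presented cert so a mismatch with the
# uploaded root or intermediate is obvious at a glance.
show_chain() {
  for c in leaf.pem int.pem; do openssl x509 -in "$c" -noout -subject -issuer; done
}
```

Swap leaf.pem and int.pem for the certificates exported from the PCAP and the first check reproduces CUCM's "certificate unknown" outcome without touching the CUCM services.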
02-02-2023 03:45 AM
Thanks Jonathan,
Yeah, the client had given me the wrong root/intermediate certs. I noticed this after taking a pcap and looking at the cert in the tls handshake. I think in future I’m just going to grab the cert info from a pcap. It’s much quicker (and more accurate). Thanks again!