cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
834
Views
0
Helpful
3
Replies

CUCM 14 LDAPS certicate issue

ssparkes
Level 1
Level 1

Trying to get Secure LDAP (TCP 636) working between customer on-prem AD and CUCM14.  Receiving a certificate unknown error when configuring the CUCM security association.  I have extracted the Root CA and Intermediate certs from the wildcard server cert that the customer has provided (*.company.org) and dropped them in to the tomcat-trust and callmanager-trust lists.  Reset Tomcat ,CTI services, checked DirSync, etc.  Does CUCM support wildcard certificates as part of the TLS handshake?  There's an old post on here from 2009 that suggests they are not.

1 Accepted Solution

Accepted Solutions

Jonathan Schulenberg
Hall of Fame
Hall of Fame

No Cisco Collab product support wildcard certs as the server identity certificate; however, that should not be an issue for outbound connections where CUCM is the TLS client attempting to validate a wildcard cert from an external system.

Did you restart DirSync itself? You mention restarting Tomcat but then say “checked DirSync” instead of restarted.

If yes, grab a PCAP from the publisher and see what the TLS handshake looks like. Is the cert chain offered by the LDAP server what you uploaded to Tomcat-trust? Are the CRL and/or OCSP URLs in the certs valid and working, ie HTTP:// vs. LDAP:// (a common mistake when deploying AD CS)?

View solution in original post

3 Replies 3

Jonathan Schulenberg
Hall of Fame
Hall of Fame

No Cisco Collab product support wildcard certs as the server identity certificate; however, that should not be an issue for outbound connections where CUCM is the TLS client attempting to validate a wildcard cert from an external system.

Did you restart DirSync itself? You mention restarting Tomcat but then say “checked DirSync” instead of restarted.

If yes, grab a PCAP from the publisher and see what the TLS handshake looks like. Is the cert chain offered by the LDAP server what you uploaded to Tomcat-trust? Are the CRL and/or OCSP URLs in the certs valid and working, ie HTTP:// vs. LDAP:// (a common mistake when deploying AD CS)?

Thanks Jonathan,

 

Yeah, the client had given me the wrong root/intermediate certs.  I noticed this after taking a pcap and looking at the cert in the tls handshake.  I think in future I’m just going to grab the cert info from a pcap.  It’s much quicker (and more accurate).  Thanks again!

MrButton
Level 1
Level 1

See if this helps.

https://www.uccollabing.com/cucm-secure-ldap/ 

rate if helpful

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: