
CUCM 8.6.2 Generating CSRs With Incorrect Country Code

Gary Parker
Level 1

Hi folks, I'm running CUCM 8.6.2.25900-8 on a single cluster (1x pub, 4x sub). My CA certs for the tomcat service are due to expire shortly so I've generated CSRs for all the servers and submitted them to our provider. All but one of the requests went through with no issues but one failed because the CSR specified a country code of 'US'. We are in the UK and the four other servers all generated CSRs specifying C=GB.

Examining the current tomcat cert or issuing "show web-security" on the command line of the server whose CSR failed also shows 'C=GB'.

Looking at the 'set web-security' command it appears that I cannot change the country code.

  • Why is the server generating CSRs with 'C=US'?
  • How do I change this behaviour such that they are generated with 'C=GB' instead?

Jaime Valencia
Cisco Employee

Probably someone messed up during install, or changed it at some point.

The documentation says otherwise: set web-security DOES have the ability to change the country.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cli_ref/8_6_1/cli_ref_861.html#pgfId-263672

HTH

java

if this helps, please rate

Thanks Jaime, but the documentation is incorrect:

https://tools.cisco.com/bugsearch/bug/CSCue76945/?referring_site=bugqvinvisibleredir

Guess I'll be on the phone to TAC shortly :-(

Interesting, thanks for the info, wasn't aware of that bug.

Aside from trying to do something with root access, they might have you reinstall the server.

10.5(2) CLI shows the same syntax, not sure if they really fixed that, or if the error has made it that far.

HTH

java

if this helps, please rate

Surprisingly, it has made it all the way to 10.5(x) with the same info and the same error...

I did find a method to change it via root access, and you might not require root access, but I can't tell for sure as I would need to look at the exact contents of the file that TAC changes, but apparently it's just the platformConfig.xml that they need to change and reboot.

If that's the case, using the utils import config using pretty much all the same info, except the country, would end up with the same outcome.

Again, not 100% sure but theory says that should do the trick, you can run that thru TAC if you open the case and see what they think about it.

HTH

java

if this helps, please rate

Hello Jaime,

Did you ever try in the lab the method you describe above (change via root access)?

Thanks,

G

No, I did not try the root access method.

HTH

java

if this helps, please rate