CUCM Certificates and Chrome

Michael Gerrard
Level 1

Hey all, hope you're well!

Has anyone had any experience with getting signed certificates with CUCM working well with the newest versions of Chrome?

We have signed our CUCM, CUIC, Finesse and AW-HDS server certificates with an internal CA. We are not using MSAN/wildcard certs, and we are using a Windows 2012 CA to generate the certs.

- Working fine in IE
- Working OK in Firefox, as long as you toggle the flag that allows Firefox to check the Windows certificate repository for the CA cert to validate against.

In Chrome, however, we get:

"Your connection is not private
Attackers might be trying to steal your information from dc2-uc-cucm-sub.company.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy
This server could not prove that it is dc2-uc-cucm-sub.company.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection."

It seems to come down to the fact that Chrome does not use the Common Name field but rather the DNS / Subject Alternative Name field of the cert, if that attribute is included in the cert. I tried entering the hostname/FQDN in the "Parent Domain" field on the CUCM CSR generation page rather than leaving it blank, but still no good.

Any ideas?

Thanks!

Michael.
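To make the Chrome vs. IE difference concrete, here is an added example (not from the original post or from Cisco) that applies the hostname-matching rule to two constructed certificate dicts laid out the way Python's `ssl.SSLSocket.getpeercert()` reports a verified peer certificate: one with CN only, like the CUCM cert above, and one whose SAN was populated. The `cn_fallback` flag and the dict contents are assumptions for illustration.

```python
# Constructed certificate dicts (not real CUCM certs) in the layout that
# ssl.SSLSocket.getpeercert() returns for a verified connection.
CERT_CN_ONLY = {  # what the thread's CUCM CSR produced: CN set, no SAN extension
    "subject": ((("countryName", "GB"),),
                (("organizationName", "companyname"),),
                (("commonName", "dc2-uc-cucm-sub.company.com"),)),
}
CERT_WITH_SAN = {  # what a CSR with the alternate host name populated produces
    "subject": ((("commonName", "dc2-uc-cucm-sub.company.com"),),),
    "subjectAltName": (("DNS", "DC2-UC-CUCM-SUB.company.com"),
                       ("DNS", "dc2-uc-cucm-sub")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard is
    only honoured as the entire leftmost label (*.company.com matches exactly
    one extra label, so it does not match a.b.company.com or company.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname, cn_fallback=False):
    """Return (ok, reason).

    cn_fallback=False reproduces Chrome 58+: if the certificate carries no
    subjectAltName the check fails outright (NET::ERR_CERT_COMMON_NAME_INVALID),
    and the CN is never consulted.  cn_fallback=True reproduces the legacy
    behaviour (IE, older Firefox) that still falls back to the CN when no SAN
    is present.  When a SAN *is* present, neither mode looks at the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        if any(_dns_match(san, hostname) for san in sans):
            return True, "matched SAN entry"
        return False, "hostname not in SAN"
    if not cn_fallback:
        return False, "no subjectAltName (ERR_CERT_COMMON_NAME_INVALID)"
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn
           if kind == "commonName"]
    if any(_dns_match(cn, hostname) for cn in cns):
        return True, "matched CN (legacy fallback)"
    return False, "hostname not in CN"
```

Running `hostname_matches(CERT_CN_ONLY, "dc2-uc-cucm-sub.company.com")` fails exactly as Chrome does, while the same call with `cn_fallback=True` succeeds the way IE did; once the SAN is present the CN is irrelevant in both modes.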

Accepted Solution

It looks like we have solved this now. The web security settings have to be set through the CLI so that the SAN is populated in the CSR, like so:

set web-security IT companyname "Site Name" London GB DC2-UC-CUCM-SUB.company.com

The "Site Name" is in quotes because each space is treated as a separate field (orgunit, orgname, etc.).

Tomcat has to be restarted for this to take effect. Note that UCCX would need a license rehost due to this change.

Once completed, generate the CSR using the GUI and the SAN should now be part of the CSR. Then the error in Chrome will go away.

Michael.


8 Replies

Dennis Mink
VIP Alumni

That cert for dc2-uc-cucm-sub.company.com, is it signed by YOUR CA or by an external CA? If so, which one?

I know Chrome does not like most publicly signed certs from any organisation that is affiliated with or owned by Symantec.

Cheers

Please remember to rate useful posts by clicking on the stars below.

Signed by internal CA. I have changed the name of the company :)


For Finesse, the doc states that SAN is not supported. I left ours blank when generating the CSRs, and the certs we got back work fine with IE, but Chrome is complaining about no SAN. How did you get around this, specifically for Finesse and Chrome? TIA

Hi SAN J,

My previous post is what seems to work well. Ensure that you have performed this in the CLI first and then restart Tomcat (or better still, reboot the hosts). Then, when generating the CSRs, you simply need to leave the parent domain blank and do the CSR generation. You should find that once the cert is signed, it has all the SANs in it from the CLI command.

What is the syntax used on this command if you're generating a Multi-Server (SAN) CSR?

set web security IT companyname.......

You can technically use the same CLI command, such as set web-security IT CompanyName London London SAN-name1 SAN-name2, but we found recently that if you want to do more than two SANs then you have to use commas, so it's set web-security IT CompanyName London London SAN-name1,SAN-name2,SAN-name3 etc.

However given you're doing MSAN, you can actually provide the SANs in the GUI. You can't do that in non-MSAN and have to use the CLI command above before generation.

Sorry, I neglected to say that it seems to depend on which type of box you're doing this on; you might need to provide the country in there. So: set web-security IT CompanyName London London GB SAN-name1,SAN-name2,SAN-name3

If we're talking about 12.6.x boxes, by the way, such as Finesse or CUIC, we didn't have much luck with MSAN and went with non-MSAN anyway...
