CUCM Certificates

I have a couple of questions regarding certificates and CUCM. First of all, it looks like there are no wildcard certificates allowed in CUCM. Even in 10.5, where they say the issue is resolved, there is no wildcard support, just the addition of multiserver certificates. Just want to verify that is correct.

Second, we want to get rid of the certificate warning our end users get when accessing the user pages. Internally we are using a .local domain for our servers, and .local is no longer going to be supported by CAs. What is the way around this for CUCM? Is there a way that we can put a second FQDN in DNS, point it to the server and have that FQDN in the certificate? Any guidance would be appreciated as I am not a certificate guru.

Accepted Solution

In regards to the wildcard, you're correct. There was a feature request for wildcard that was supposedly fulfilled; I think someone misunderstood what a wildcard cert actually is. You can do the single cluster cert for all, but it can't be a wildcard.

As for the split DNS, what we're doing is changing the domain on the CMs to the valid domain name (abc.com), then regenerating the certs.

You can only add an alternate host name, but the certificate will prepend the domain name configured on the CUCM. "set web-security" is the CLI command to set an alternate host name, though your best bet is to change the server to .com.

Be careful: if you do change your domain name and regen the cert, depending on your environment it could impact communication. You can look through this doc to get an idea of the process:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/ip_address_hostname/9_1_1/IM_P_IPChange/domain.html


Replies


Eventually you will end up changing your internal servers to have a valid FQDN from a CA perspective. At some point you will eventually need it, maybe for XMPP federation or Collaboration Edge. The whole internal/external (aka split-DNS) setup I find tends to increase complexity and can be confusing.

On the discussion of certificates, I recommend that the following Subject Alternate Names be defined:

DNS:<IP Address>
DNS:<Hostname>
DNS:<FQDN>
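As an added pre-change check, not code from the thread or from Cisco, the script below applies browser name-matching rules to a certificate's SAN list and tells you, for each URL end users actually browse to, whether it is covered and whether a public CA could even issue the covering name (bare hostnames, .local names and private IPs are the names that would fail the second test). The hostnames, IP addresses and both SAN lists are constructed; note that a browser compares an IP-literal URL only against IP-type SAN entries, so an address placed in a DNS: entry does not remove the warning.

```python
"""Does a planned CUCM certificate SAN list cover the URLs end users browse to,
and could a public CA issue each name? Added example; all values are constructed."""
import ipaddress
from urllib.parse import urlsplit
# Internal-name suffixes no public CA issues for (CA/Browser Forum rule).
INTERNAL_TLDS = {"local", "localdomain", "internal", "lan", "corp", "home"}

def dns_name_matches(pattern: str, host: str) -> bool:
    """Browser-style matching: a wildcard is valid only as the whole leftmost
    label and matches exactly one label (so *.abc.com never covers abc.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def publicly_issuable(san: str) -> bool:
    """False for private IPs, bare hostnames and internal TLDs such as .local."""
    kind, _, value = san.partition(":")
    if kind == "IP":
        return ipaddress.ip_address(value).is_global
    name = value[2:] if value.startswith("*.") else value
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] not in INTERNAL_TLDS

def check_url(url: str, sans: list[str]) -> str:
    # Verdicts: 'ok', 'ok-private-ca-only' (covered, but only an internal CA
    # could have issued the matching name) or 'no-match'.
    host = urlsplit(url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san in sans:
        kind, _, value = san.partition(":")
        # An IP-literal URL matches only IP: SANs, never an address in a DNS: entry.
        if ip is not None:
            hit = kind == "IP" and ipaddress.ip_address(value) == ip
        else:
            hit = kind == "DNS" and dns_name_matches(value, host)
        if hit:
            return "ok" if publicly_issuable(san) else "ok-private-ca-only"
    return "no-match"

# Constructed scenario: URLs users type, today's .local cert, planned abc.com cert.
USER_URLS = ["https://cucm1.local:8443/ucmuser/", "https://cucm1:8443/ucmuser/",
             "https://10.1.1.5:8443/ucmuser/", "https://cucm1.abc.com:8443/ucmuser/"]
CURRENT_SANS = ["DNS:cucm1.local", "DNS:cucm1", "DNS:10.1.1.5"]
PLANNED_SANS = ["DNS:cucm1.abc.com", "DNS:cucm2.abc.com", "DNS:cucm1", "IP:10.1.1.5"]

def report(sans: list[str]) -> dict[str, str]:
    return {urlsplit(u).hostname: check_url(u, sans) for u in USER_URLS}
```

Running `report(CURRENT_SANS)` and `report(PLANNED_SANS)` shows that only the FQDN in the valid domain ends up as "ok"; the bare hostname and the private IP stay warning-free only with an internal CA.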
