
Entrust Tomcat Certificate

rgates
Level 1

I have a client where they have an Entrust CA and have it set up so that the only way they can create an Entrust cert for CUCM is to:

1.) From Entrust, generate a reference number for the certificate to be created.
2.) Assign that reference number to the common name (CN) used by CUCM before creating the CSR. (Their Entrust CA requires the CUCM CN to be the Entrust reference number, although the final certificate that gets created will be the final hostname.fullyqualifiedname.com.)
3.) Then the CSR (created by CUCM) can be used by the CA to generate the final CUCM tomcat certificate (recall, the final cert that is created has the CN as something like CUCM.RCMP.CA).
4.) The root CA cert can be uploaded to the CUCM tomcat-trust, followed by the tomcat cert for the CUCM server itself.

Is it possible to manually set the CN name prior to generating the CSR, or does the CUCM automatically (and only) use the hostname as the CN for all CSRs?


mkchandak
Level 1

CallManager uses the hostname.domainname as the CN when you generate a CSR.

@rgates, did anyone ever get back to you with a meaningful answer? I am having the same issue now with CUCM 12.x.

If you click on Generate CSR, you'll see the options that you have available.

Clicking on the option or generating the CSR does not affect anything.

HTH

java

if this helps, please rate

Thanks. So to confirm (CUCM 12.x):

1- Must the Tomcat (multi-SAN) CSR CN match the generated cert CN (assuming the scenario in the initial thread)?

2- Is there a way to bind a CA-generated CSR to the private key in order to accept a new cert?

Thanks.

1. That is not an option I've seen before; you'd need to POC that in order to get the answer. I don't think it would work; you'd need to leave the CN and SAN as they were generated in the CSR.

2. No, CUCM will only accept a certificate that matches the key the CSR has. You cannot access that key, nor can you upload your own certificate/key. You can have whoever you want sign that CSR.

HTH

java

if this helps, please rate
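
The last answer says CUCM will only accept a certificate that matches the key the CSR has, so a certificate returned by a CA can be checked offline against the CSR before any upload. The script below is an added example, not part of the thread and not Cisco or Entrust tooling; it uses standard `openssl` commands, and the lab CA, the file names, the reference number 12345678 and cucm.example.com are constructed.

```shell
#!/usr/bin/env bash
# Added example with constructed lab values: does an issued certificate carry
# the same public key as the CSR, even when the CA changed the subject?

# Print the public key (PEM) of a CSR ("req") or a certificate ("x509").
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# Print the subject line of a CSR ("req") or a certificate ("x509").
subject_of() { openssl "$1" -in "$2" -noout -subject 2>/dev/null; }

# Succeed only if both files parse and hold the identical public key.
cert_matches_csr() {  # usage: cert_matches_csr CSR CERT
  csr_key=$(pubkey_of req "$1") || return 2
  crt_key=$(pubkey_of x509 "$2") || return 2
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Build a throwaway lab in directory $1 (all names and values are constructed).
build_lab() {
  d=$1
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  # CSR whose CN is a CA reference number rather than the hostname.
  openssl req -new -key "$d/server.key" -subj "/CN=12345678" -out "$d/ref.csr"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -subj "/CN=Lab CA" -days 1 -out "$d/ca.crt" 2>/dev/null
  # Stand-in for the CA rewriting the subject: same key, final hostname as CN.
  openssl req -new -key "$d/server.key" -subj "/CN=cucm.example.com" \
    -out "$d/final.csr"
  openssl x509 -req -in "$d/final.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/issued.crt" 2>/dev/null
  # Certificate for an unrelated key pair; it must not match the CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
    -subj "/CN=cucm.example.com" -days 1 -out "$d/other.crt" 2>/dev/null
}

LAB=$(mktemp -d)
build_lab "$LAB"
subject_of req "$LAB/ref.csr"
subject_of x509 "$LAB/issued.crt"
for c in issued.crt other.crt; do
  if cert_matches_csr "$LAB/ref.csr" "$LAB/$c"; then
    echo "$c: public key matches the CSR"
  else
    echo "$c: public key does NOT match the CSR"
  fi
done
rm -rf "$LAB"
```

Outside the lab, only `cert_matches_csr` and `subject_of` are needed, run against the CSR created by CUCM and the certificate returned by the CA.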