cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
950
Views
5
Helpful
5
Replies

Entrust Tomcat Certificate

rgates
Level 1
Level 1

I have a client where they have an Entrust CA and have it set up so that the only way they can create an Entrust cert for CUCM, is to 1.) from Entrust, generate a reference number for the certificate to be created, and 2.) assign that reference number to the common name (CN) used by CUCM before creating the CSR. (Their Entrust CA requires the CUCM CN to be the Entrust reference number although the final certificate that gets created will be the final hostname.fullyqualifiedname.com). 3.) then the CSR (created by CUCM) can be used by the CA to generate the final CUCM tomcat certificate (recall, the final cert that is created has the CN as something like CUCM.RCMP.CA). 4.) the root CA cert can be uploaded to the CUCM tomcat-trust, followed by the tomcat cert for the CUCM server itself.

Is it possible to manually set the CN name prior to generating the CSR, or does the CUCM automatically (and only) use the Hostname as the CN for all CSR's?

Sent from Cisco Technical Support iPad App

5 Replies 5

mkchandak
Level 1
Level 1

CallManager uses the hostname.domainname as the CN when you generate CSR.

@rgates, did anyone ever get back to you with a meaningful answer?  I am having the same issue now with CUCM12.x

If you click on Generate CSR, you'll see the options that you have available.

Clicking on the option, or generating the CSR do not affect anything.

HTH

java

if this helps, please rate

Thanks.  So to confirm, 

(CUCM 12.x)

1- Must the Tomcat (multisan) CSR CN, match the generated cert CN (assuming the scenario in the initial tread?

 

2- is there a way to bind a CA-generated CSR to the private key in order to accept a new cert?

 

Thanks.

1. That is not an option I've seen before, you'd need to POC that in order to get the answer. I don't think it would work, you'd need to leave the CN and SAN as they were generated in the CSR.

2. No, CUCM will only accept a certificate that matches they key the CSR has, you cannot access that key, nor you can upload your own certificate/key. You can have whoever you want sign that CSR.

HTH

java

if this helps, please rate