Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3096
Views
40
Helpful
8
Replies

Installing CA Signed Tomcat Certificate on CUCM

Go to solution
aniket0422
Level 1
Level 1

‎09-04-2018 04:44 AM - edited ‎03-17-2019 01:25 PM

 

Hi Team,

 

I have installed CA signed Tomcat Certificate by following Jaime Sir's Video on CUCM.

 

When I try to log into CUCM using FQDN i can see "Secure Connection" mark.

 

But when i try to log into same CUCM using IP address or only Hostname i still get " Your connection is not secure". 

 

Am i missing something. Are there any Pre-requisites with respect to domain and DNS ?
Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Gregory Brunn
Spotlight
Spotlight
In response to aniket0422

‎09-04-2018 05:34 PM - edited ‎09-05-2018 05:26 AM

No public ca will touch that CSR for sure.
If you local one doesn’t have a problem with it you can always try if should work however why bother with it. Just make yourself some book marks. However those other names would need to be in your SANs field not CN

View solution in original post

Go to solution
pieterh
VIP
VIP
In response to aniket0422

‎09-05-2018 12:09 AM

no if requesting a certificate from a public CA,  the CN can only contain ONE name,  either domain name or FQDN. the other names must be specified in the SAN 

depends on the CA if only names within the same domain as the CN are accepted.

View solution in original post

Go to solution
ali.yusuf
Level 1
Level 1
In response to aniket0422

‎09-05-2018 07:44 AM

Hi Aniket

the common name (CN) is the DNS host name of the CUCM, other addresses go in the SAN (Subject Alternate Names), this guide will better explain what you need from a CUCM perspective >> https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#commonsubject

feel free to go through the whole TechNote

Hope this helps - please rate if helpful

View solution in original post

8 Replies 8

Go to solution
pieterh
VIP
VIP

‎09-04-2018 05:23 AM

look at your certificate!
there must be a match between names in the certificate and the url that you use to access the CUCM
so either you need multiple certificates (hostname, FQDN, IP-address) or you need a single (FQDN) certificate that specifies IP address and shortname as SAN (subject alternative name / alias)

Go to solution
ali.yusuf
Level 1
Level 1

‎09-04-2018 05:38 AM

HI Aniket -

unfortunately ive not seen this Video, but Generally speaking, certificates are created for the hostname/FQDN of the server in this case the CUCM, as a result if you browse to the IP address it does not recognise it and will show you an error, you can test this by visiting https://www.google.com and thereafter https://64.233.162.105 you will see a difference. in theory you can add IP address in the SAN but this is not normal practice

Hope this helps - please rate if helpful

Go to solution
R0g22
Cisco Employee
Cisco Employee

‎09-04-2018 09:55 AM

If your certificate has an FQDN anything other than that i.e. just a hostname or an IP address will cause the untrusted connection since your client i.e the PC or rather I should say the browser won't trust the certificate. What you see is expected.

Go to solution
aniket0422
Level 1
Level 1
In response to R0g22

‎09-04-2018 03:32 PM

 

What if I put Hostname, IP Address and FQDN while generating CSR from CUCM.

 

Capture.JPG

 

 

0 Helpful

Go to solution
Gregory Brunn
Spotlight
Spotlight
In response to aniket0422

‎09-04-2018 05:34 PM - edited ‎09-05-2018 05:26 AM

No public ca will touch that CSR for sure.
If you local one doesn’t have a problem with it you can always try if should work however why bother with it. Just make yourself some book marks. However those other names would need to be in your SANs field not CN

Go to solution
pieterh
VIP
VIP
In response to aniket0422

‎09-05-2018 12:09 AM

no if requesting a certificate from a public CA,  the CN can only contain ONE name,  either domain name or FQDN. the other names must be specified in the SAN 

depends on the CA if only names within the same domain as the CN are accepted.

Go to solution
ali.yusuf
Level 1
Level 1
In response to aniket0422

‎09-05-2018 07:44 AM

Hi Aniket

the common name (CN) is the DNS host name of the CUCM, other addresses go in the SAN (Subject Alternate Names), this guide will better explain what you need from a CUCM perspective >> https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#commonsubject

feel free to go through the whole TechNote

Hope this helps - please rate if helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents