Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA

Hi Guys,

Wondering if Any one has done this or could suggest the needful,

We are running CUCM 10.5 cluster and currently using self-signed certificate for Tomcat. Now, we would like to get it signed by Third party CA.

Just to be clear that we are doing this for Jabber clients so they should not get prompted for certificate Invalid.
Now the issue: the CUCM is using an IP address as hostname, and for that reason we had to add the desired IP address under SAN (alternate name) through the set web-security command. We did that successfully and restarted the Tomcat service, and when we run the show web-security command it does show the added SAN:

 altNames: 2 names
          1) UCS-CUCM-UB.domain (dNSName)
          2) 10.x.x.x (dNSName)

But when we try to generate the new CSR, it doesn't contain the modified SAN, just the first one, i.e. only 1) UCS-CUCM-UB.domain (dNSName).

Is there anything we missed here to get the added SAN populated in the new CSR?
Regards

M

Gordon Ross
Level 9

When you go to create the CSR you can add SANs there.
(I believe the recommendation nowadays is that the CUCM name should be the proper DNS name rather than the IP address. Making that change is not trivially done, though.)
GTG

Please rate all helpful posts.
Hi Gordon,
Thank you for your prompt response. Regarding the recommendation, you are right, but we don't want to initiate that change for now unless there is no other option left.
While generating the new CSR, under SAN there is only a Parent Domain field, which is populated with our domain name. How should I add the IP address there?

Regards
I managed to find the workaround.

In coordination with our security engineer: before submitting to the CA, we could add the SAN manually in the CSR, and that should suffice.

Hi,
I need this too; how did your partner manage to add the IP address into the CSR?
Thanks in advance.

Same problem. I think our internal CA will allow us to inject a replacement for the SAN inside the CSR.
The reason I mention this is that CUCM stripped out the IP addresses within the SAN list when I attempted to include IP addresses:

set web-security "xxxx" "xxxx" City State CC hostname.local,10.1.1.1,hostname2.local,10.1.1.2

I can't see how migrating to FQDNs in the processnode table/System > Server is acceptable to everyone. If DNS goes down, we still want to make phone calls!

I will test injecting IP addresses via the internal CA and report back.

Thank you for your response. I have a Microsoft PKI; do you know how I can add this field through the CA into the CSR?
Thanks in advance.

I haven't used the Microsoft CA and I'm not a PKI guy, so it is difficult to advise you, I'm afraid. Having said that, there is a screenshot showing a SAN being added on a Microsoft CA here: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html
My colleague mentioned some success in getting IP addresses listed in the CSR SAN field using the "set web-security" command though, so I'm going to try this method again tomorrow.

Just to mention that I re-tried the 'set web-security' command and it worked. A show via the CLI didn't reveal the IP address SAN, but once the CSR was generated via OSAdmin everything appeared as expected.

Hope this helps

James

NggTgg316
Level 1

Hi James,

I am doing the same as you, adding the IP address in the SAN field with the command "set web-security" and signing it with an internal CA.
The new Tomcat certificate has the IP added in the SAN, but it still shows as DNS Name and not IP Address, and the browser still gives the certificate error when I access the server using the IP address. It is still fine when using the FQDN.
Is there anything to keep in mind when doing this? I would appreciate any advice you have.

I'm informed that browser behaviour has changed over the years, and although it was once appropriate to specify dnsName=<x.x.x.x>, these days RFC 5280 is the recommended approach, with iPAddress=<x.x.x.x>. I'm not sure how the Jabber client handles all this, but at least for us dnsName=10.1.1.1 is working fine as a SAN.

I should also mention that it looks like certificates and DNS mostly come into play at Jabber discovery and startup. Since we use an SRV query to locate the UDS servers, a working DNS system is essential for Jabber sign-in. I don't think certificates come into play when placing or receiving a phone call.
Hi James,

How can the certificate list iPAddress=<x.x.x.x> instead of dnsName=<x.x.x.x>? That's my wish. But when I generate the CSR with the command "set web-security", it shows only dnsName=<x.x.x.x>; how can we modify it?

In CM v10.5 you cannot specify an IP address SAN and expect the field to be designated iPAddress; this wasn't the industry norm when v10.5 was written. I don't know about something newer like v14; it would be a good question for TAC or someone with access to a v14 cluster.

A possible workaround would be to attach a SAN field alongside the CSR and ask your CA to sign it. This is apparently not good practice for the integrity of the CSR itself (more information here).
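To make the dnsName-versus-iPAddress distinction from this thread concrete, here is an added example (not from the thread, Cisco or any CA) that builds a CSR carrying the IP as an RFC 5280 iPAddress entry and audits any CSR for IPs that were encoded as dNSName, the form CUCM 10.5 produces. It assumes OpenSSL 1.1.1 or newer on PATH; the hostname and address are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a CSR with a proper iPAddress SAN and audit a
# CSR for dotted-quad IPs hidden inside DNS: entries (the CUCM 10.5 form).
# Assumes openssl >= 1.1.1 (for -addext). Names/IPs below are placeholders.
set -e
WORK=$(mktemp -d)

# make_csr NAME CN SAN_SPEC
#   Writes $WORK/NAME.csr with the given subjectAltName spec, e.g.
#   "DNS:host.example.test,IP:10.1.1.1", and prints the CSR path.
make_csr() {
  name=$1; cn=$2; san=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$cn/O=Example/C=US" \
    -addext "subjectAltName=$san" >/dev/null 2>&1
  printf '%s\n' "$WORK/$name.csr"
}

# san_entries CSR
#   Prints the SAN line as OpenSSL renders it, one entry per line, e.g.
#   DNS:host.example.test / IP Address:10.1.1.1
san_entries() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/{getline; sub(/^ */,""); print; exit}' \
    | tr ',' '\n' | sed 's/^ *//'
}

# ip_as_dnsname CSR
#   Prints every DNS: entry whose value is a dotted quad (an IP that a
#   browser will never match as iPAddress); returns 1 when none exist.
ip_as_dnsname() {
  san_entries "$1" | grep -E '^DNS:[0-9]+(\.[0-9]+){3}$' || return 1
}
```

Run `ip_as_dnsname` against the CSR CUCM produced before sending it to the CA; an empty result means the IP entries are already in iPAddress form.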