Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA
03-09-2015 11:39 PM - edited 03-19-2019 09:18 AM
Hi Guys,
Wondering if anyone has done this or could suggest the needful.
We are running a CUCM 10.5 cluster and currently using a self-signed certificate for Tomcat. Now we would like to get it signed by a third-party CA.
Just to be clear, we are doing this for Jabber clients so they do not get prompted about an invalid certificate.
Now the issue: CUCM is using the IP address as the hostname, and for that reason we had to add the desired IP address under SAN (alternate name) through the set web-security command. We did that successfully and restarted the Tomcat service, and when we run the show web-security command it does show the added SAN:
altNames: 2 names
1) UCS-CUCM-UB.domain (dNSName)
2) 10.x.x.x (dNSName)
But when we try to generate the new CSR, it doesn't contain the modified SAN, just the first one, i.e. only 1) UCS-CUCM-UB.domain (dNSName).
Is there anything we missed here to get the added SAN populated in the new CSR?
Regards
M
03-10-2015 12:55 AM
When you go to create the CSR you can add SANs there.
(I believe the recommendation nowadays is that the CUCM name should be the proper DNS name rather than the IP address. Making that change is not trivial, though.)
GTG
03-10-2015 01:42 AM
Hi Gordon,
Thank you for your prompt response. Regarding the recommendation, you are right, but we don't want to initiate that change for now unless there is no other option left.
While generating the new CSR, under SAN there is only a Parent Domain field, which is populated with our domain name. How should I add the IP address there?
Regards
03-11-2015 11:27 PM
I managed to find the workaround.
In coordination with our security engineer: before submitting to the CA, we could add the SAN manually to the CSR, and that should suffice.
06-12-2020 02:02 PM
Hi,
I need this too. How did your partner manage to add the IP address into the CSR?
Thanks in advance.
07-29-2020 08:21 AM - edited 07-29-2020 09:58 AM
Same problem. I think our internal CA will allow us to inject a replacement for the SAN inside the CSR.
The reason I mention this is that CUCM stripped out the IP addresses within the SAN list when I attempted to include them:
set web-security "xxxx" "xxxx" City State CC hostname.local,10.1.1.1,hostname2.local,10.1.1.2
I can't see how migrating to FQDNs in the processnode table/System > Server is acceptable to everyone. If DNS goes down, we still want to make phone calls!
I will test injecting IP addresses via the internal CA and report back.
07-29-2020 11:24 AM
Thank you for your response. I have a Microsoft PKI; do you know how I can add this field through the CA into the CSR?
Thanks in advance.
07-29-2020 02:26 PM - edited 07-29-2020 02:30 PM
I haven't used the Microsoft CA and I'm not a PKI guy, so it is difficult to advise you, I'm afraid. Having said that, there is a screenshot showing a SAN being added on a Microsoft CA here: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html
My colleague mentioned some success in getting IP addresses listed in the CSR SAN field using the "set web-security" command though, so I'm going to try this method again tomorrow.
08-10-2020 10:46 AM
Hope this helps
James
10-21-2022 02:24 AM
Hi James,
I am doing the same as you: adding the IP address in the SAN field with the command "set web-security" and signing it with an internal CA.
The new Tomcat certificate has the IP added in the SAN, but it still shows as DNS Name and not IP Address. And the browser still gives the certificate error when I access the server using the IP address. It still works normally when using the FQDN.
Is there anything to keep in mind when doing this? I would appreciate any advice you have.
10-21-2022 05:43 AM
I'm informed that browser behaviour has changed over the years, and although it was once appropriate to specify dnsName=<x.x.x.x>, these days RFC 5280 is the recommended approach, with iPAddress=<x.x.x.x>. I'm not sure how the Jabber client handles all this, but at least for us dnsName=10.1.1.1 is working fine as a SAN.
I should also mention that it looks like certificates and DNS mostly come into play at Jabber discovery and startup. Since we use an SRV query to locate the UDS servers, a working DNS system is essential for Jabber sign-in. I don't think certificates come into play when placing or receiving a phone call.
10-21-2022 07:29 AM
Hi James,
How can the certificate list iPAddress=<x.x.x.x> instead of dnsName=<x.x.x.x>? That's my wish. But when I generate the CSR with the command "set web-security", it shows only dnsName=<x.x.x.x>. How can we modify it?
10-21-2022 10:43 AM
In CM v10.5 you cannot specify an IP address SAN and expect the field to be designated iPAddress; this wasn't the industry norm when v10.5 was written. I don't know about something newer like v14. It would be a good question for TAC or someone with access to a v14 cluster.
A possible workaround would be to attach a SAN field alongside the CSR and ask your CA to sign it. This is apparently not good practice for the integrity of the CSR itself (more information here).
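The thread's recurring symptom (the IP is present in the SAN, but the browser still warns when the server is reached by IP) comes down to how clients match a URL host against SAN entries: an IP-literal target is compared only against iPAddress entries, and a hostname only against dNSName entries, so a dNSName entry whose text is "10.1.1.1" is never consulted for https://10.1.1.1/. The following script, added here as an illustration and not part of any post or of Cisco's tooling, implements that matching rule (RFC 5280 / RFC 6125 semantics, Python standard library only) over two constructed SAN lists: one shaped like the `show web-security` output earlier in the thread, where the IP was recorded as a dNSName, and one where the same IP is carried as an iPAddress entry. The SAN tuples use the `("DNS", ...)` / `("IP Address", ...)` shape that Python's `ssl.getpeercert()` returns, so the same functions can be pointed at a live certificate; the hostnames and addresses are placeholders.

```python
import ipaddress

# Constructed sample SAN lists in the shape of ssl.getpeercert()["subjectAltName"].
# The first mirrors the `show web-security` output from the thread, where the
# IP address ended up as a dNSName entry; the second is what a CA would issue
# if the IP were carried as an iPAddress entry instead. Values are placeholders.
SAN_IP_AS_DNSNAME = (
    ("DNS", "UCS-CUCM-UB.domain"),
    ("DNS", "10.1.1.1"),
)
SAN_IP_AS_IPADDRESS = (
    ("DNS", "UCS-CUCM-UB.domain"),
    ("IP Address", "10.1.1.1"),
)


def _as_ip(text):
    """Return an ipaddress object if `text` is an IP literal (IPv6 may be
    bracketed as in a URL), otherwise None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dnsname_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 style matching: case-insensitive, trailing dot
    ignored, at most one wildcard and only as the complete leftmost label
    (so '*.domain' covers 'host.domain' but neither 'domain' nor 'a.b.domain')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(san, target):
    """Return True if the URL host `target` is covered by the SAN list `san`.

    An IP-literal target is compared only against iPAddress entries, using a
    binary comparison so IPv6 spelling variants are handled; a hostname target
    is compared only against dNSName entries. This is the rule browsers apply,
    and it is why a dNSName entry reading '10.1.1.1' does nothing for
    https://10.1.1.1/.
    """
    ip = _as_ip(target)
    for kind, value in san:
        if ip is not None:
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dnsname_matches(value, target):
            return True
    return False


def ip_literals_in_dnsname(san):
    """Lint check: dNSName entries whose text is an IP literal. These are the
    entries the thread's `set web-security` invocation produced, and they are
    ignored by clients whenever the server is reached by IP address."""
    return [value for kind, value in san if kind == "DNS" and _as_ip(value) is not None]


if __name__ == "__main__":
    cases = (("IP as dNSName", SAN_IP_AS_DNSNAME), ("IP as iPAddress", SAN_IP_AS_IPADDRESS))
    for label, san in cases:
        print(f"{label}: host match={san_matches(san, 'ucs-cucm-ub.domain')} "
              f"ip match={san_matches(san, '10.1.1.1')} "
              f"misfiled IPs={ip_literals_in_dnsname(san)}")
```

Running it shows the first list matching the FQDN but not the IP, and the second list matching both; `ip_literals_in_dnsname` is the check to run over a freshly issued certificate (or the output of `show web-security`) before deploying it, since it flags exactly the entries that look right in the SAN listing but will not satisfy a client connecting by IP.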
