Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party ...

Muhammad Taha Hussain · ‎03-09-2015

Hi Guys,

Wondering if Any one has done this or could suggest the needful,

We are running CUCM 10.5 cluster and currently using self-signed certificate for Tomcat. Now, we would like to get it signed by Third party CA.

Just to be clear that we are doing this for Jabber clients so they should not get prompted for certificate Invalid.

Now the issue; The CUCM is using IP address as hostname and for that reason we had to add the desired IP address under SAN (alternate name) through set web-security command. We did that successfully and restarted the Tomcat service and when we run the Show web-security command, it does show the added SAN;

altNames: 2 names
1) UCS-CUCM-UB.domain (dNSName)
2) 10.x.x.x (dNSName)

But when we try to generate the new CSR, it didn't contain the modified SAN, just the first one i.e only 1) UCS-CUCM-UB.domain (dNSName)

Is there anything we missed here to get the added SAN being populated in the new CSR ?

Regards

M

Gordon Ross · ‎03-10-2015

When you go to create the CSR you can add SANs there.

(I Believe the recommendation nowadays is that the CUCM name should be the proper DNS name rather than the IP address. Making that change is not to be trivially done, though)

GTG

Please rate all helpful posts.

Muhammad Taha Hussain · ‎03-10-2015

Hi Gordon,

Thank you for your prompt response. For recommendation, you are right but we don't want to initiate that change for now unless, there is no other option left.

While Generating new CSR, under SAN, there is only Parent Domain field which is populated with our domain name. How should I add the IP address there ?

Regards

Muhammad Taha Hussain · ‎03-11-2015

I managed to find the workaround.

In coordination with our security engineer, Before Submitting to CA, we could add the SAN manually in the CSR and that should suffice the need.

quevedo_lopez · ‎06-12-2020

Hi,

I need this too, how your partner manage to add the IP address into the CSR.

Thanks in advance.

j.a.m.e.s · ‎07-29-2020

Same problem. I think our internal CA will allow us to inject a replacement for the SAN inside the CSR.

The reason I mention this is that, CUCM stripped out the IP addresses within the SAN list when I attempted to include IP addresses:

set web-security "xxxx" "xxxx" City State CC hostname.local,10.1.1.1,hostname2.local,10.1.1.2

I can't see how migrating to FQDNs in the processnode table/System > Server is acceptable to everyone. If DNS goes down, we still want to make phone calls!

I will test injecting IP addresses via the internal CA and report back.

quevedo_lopez · ‎07-29-2020

Thank you for your response, i have a Microsoft PKI, do you know how can i add this field through the CA into the CSR,

Thanks in advanced.

j.a.m.e.s · ‎07-29-2020

I haven't used the Microsoft CA and I'm not a PKI guy so difficult to advise you I'm afraid. Having said that, there is a screenshot showing SAN being added on a Microsoft CA here: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html

My colleague mentioned some success in getting IP addresses listed in the CSR SAN field using the "set web-security" command though, so I'm going to try this method again tomorrow.

j.a.m.e.s · ‎08-10-2020

Just to mention that I re-tried the 'set web-security' and it worked. A show via the CLI didn't reveal the IP Address SAN, but once the CSR was generated via OSAdmin everything appeared as expected.

Hope this helps

James

NggTgg316 · ‎10-21-2022

Hi James,

As I am doing the same way as you to add the IP address in the San field with the command "set web-security" and sign it with an internal CA.
The new tomcat certificate has an IP added at the SAN, but it still shows as DNS Name and not IP Address. And the browser still gives the certificate error when I access the server using the IP address. It is still normal if using FQDN.
Is there anything to keep in mind when doing this? Would appreciate if you have any advice.

j.a.m.e.s · ‎10-21-2022

I'm informed that browser behaviour has changed over the years and although it was once appropriate to specfiy dnsName=<x.x.x.x>, these days RFC5280 is the recommended approach with iPAddress=<x.x.x.x>. I'm not sure how the Jabber client handles all this, but at least for us dnsName=10.1.1.1 is working fine as a SAN for us.

I should also mention that it looks like certificates & dns mostly takes place at Jabber discovery and startup. Since we use an SRV query to locate the UDS servers, a working DNS system is essential for Jabber sign in. I don't think certificates come into play when placing or receiving a phone call.

NggTgg316 · ‎10-21-2022

Hi James,

How can the certificate list iPAddress=<x.x.x.x> instead of dnsName=<x.x.x.x>, that's my wish. But when I generate CSR with the command "set web-security", it shows only dnsName=<x.x.x.x>, how can we modify it?

j.a.m.e.s · ‎10-21-2022

In CM v10.5 you cannot specify an IP address SAN and expect the field to be designated iPAddress - this wasn't the industry norm when v10.5 was written. I don't know about something newer like v14 - it would be a good question for TAC or someone with access to a v14 cluster.

A possible workaround would be to attach a SAN field alongside the CSR and ask your CA to sign it. This is apparently not good practice for the integrity of the CSR itself (more information here).

Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA