emailAddress attribute missing from CUCM CSR

tzunt
Level 1

I'm familiar with the process to replace self-signed certificates with a trusted CA certificate on Cisco Voice OS servers. Just when I thought I had it all figured out, I generated a CSR from a CUCM publisher (tomcat, multiserver (SAN) selected to include the name of the subscriber). I provided the CSR to my CA, which I had done before successfully. However, my CA informed me he must reject my CSR because it does not include an emailAddress attribute, which is now deemed required.

I understand why the CA now requires that attribute; they want an address to notify before the cert expires. However, that emailAddress attribute was optional and likely not populated when the Cisco Voice OS server was installed. Modification of hostname.conf with vi as I would do for most Linux servers is not easy to do from CUCM, nor is reinstalling the OS simply to add an emailAddress attribute. Is anyone aware of a good alternative to include this attribute? As you can see, the attribute now required by my CA is not necessarily one currently required for Cisco UC servers:

 

Current Cisco UC servers require these attributes in a CSR:

orgunit, orgname, locality, state, country, alternatehostname

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200123-How-to-Verify-the-CSR-and-Certificate-Mi.html

 

Perhaps emailAddress should be required in future versions of CUCM setup?

 

I saw in the admin guide it is possible to Configure Certificate Monitor Notifications in CUCM.  (My CA will be doing the same from their host system.)  I may experiment with that on a lab to see whether or not it may add the emailAddress attribute post-installation.

 

Thanks

1 Accepted Solution


Jaime Valencia
Cisco Employee

If you look at the certificate info that is asked during install, that's not something you can input; see table 2

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/12_5_1/cucm_b_install-guide-cucm-imp-1251/cucm_b_install-guide-cucm-imp-1251_chapter_00.html

 

The parameters you can adjust after the system is installed are the same ones from the install.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cli_ref/12_5_1SU2/cucm_b_command-line-interface-reference-guide-1251Su2/cucm_b_command-line-interface-reference-guide-1251Su2_chapter_0110.html#CUCM_CL_S4787D02_00

 

The self-signed certs do not contain that information, and I don't believe there's a way to get a CSR from CUCM (or any other product with the same blueprint) to get that attribute.

 

AFAIK that's not a mandatory attribute, so that would really be an internal requirement from your CA, not a mandatory requirement from the X.509 specs.

 

You can reach out to your SE to submit a PER along with the business case for it, but it will be in a future release if it's accepted.

HTH

java

if this helps, please rate

Thank you Mr. Valencia for your rapid & courteous response to my question. We appreciate all you do!
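
A pre-submission check for the situation discussed in this thread, as an added example that is not part of any post and is not Cisco's code: it reads the subject of a PEM-encoded PKCS #10 CSR and lists the attributes a CA's policy requires but the request does not carry. The required-attribute list, the hostname and the subject values are constructed assumptions, and the sample is a subject-only skeleton rather than a CSR exported from CUCM.

```python
import base64

# DER OID bytes (hex): X.520 2.5.4.x names, PKCS #9 emailAddress 1.2.840.113549.1.9.1
OIDS = {"550403": "CN", "550406": "C", "550407": "L", "550408": "ST",
        "55040a": "O", "55040b": "OU", "2a864886f70d010901": "emailAddress"}

def children(buf):
    """Split DER bytes into the value bytes of each consecutive element."""
    out, pos = [], 0
    while pos < len(buf):
        n, pos = buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append(buf[pos:pos + n])
        pos += n
    return out

def subject_attrs(pem):
    """Return {attribute: value} for the subject of a PEM-encoded PKCS #10 CSR."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info = children(children(base64.b64decode(b64))[0])[0]  # CertificationRequestInfo
    attrs = {}
    for rdn in children(children(info)[1]):   # [0] is version, [1] the subject Name
        for atv in children(rdn):             # AttributeTypeAndValue: OID, value
            oid, val = children(atv)[:2]
            attrs[OIDS.get(oid.hex(), oid.hex())] = val.decode("utf-8", "replace")
    return attrs

def missing_attrs(pem, required):
    """List the required subject attributes the CSR does not carry."""
    have = subject_attrs(pem)
    return [a for a in required if a not in have]

# Constructed sample, not a real request: subject-only skeleton (no key, no signature).
def _enc(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length, enough for the sample
def make_sample(pairs):
    rdns = b"".join(_enc(0x31, _enc(0x30, _enc(0x06, bytes.fromhex(o)) + _enc(0x0C, v.encode())))
                    for o, v in pairs)
    der = _enc(0x30, _enc(0x30, _enc(0x02, b"\x00") + _enc(0x30, rdns)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"

SAMPLE = make_sample([("550406", "US"), ("550408", "NC"), ("550407", "Raleigh"),
                      ("55040a", "Example"), ("55040b", "Voice"), ("550403", "cucm-pub.example.com")])
if __name__ == "__main__":
    print(missing_attrs(SAMPLE, ["C", "ST", "L", "O", "OU", "CN", "emailAddress"]))
```

The parser only walks the DER structure, so it can be pointed at a CSR file downloaded from the server; it does not verify the request's signature.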