Solved: Jabber Certificate Sign Issue

Bar1s · ‎03-21-2016

I signed with local CA (win2012r2) for

Call Manager and IM&P tomcat cert (multi-server), IM&P cup, IM&P cup-xmpp certs on my lab.

But still Jabber for Windows client is keep asking to approve ccm cert. Client PC is on Domain so it has root cert.

I have one CCM 10.5.2.12901-1, one IM&P 10.5.2.22900-2.

I used Cisco Support Community's video as reference. (https://www.youtube.com/watch?v=FIqh3rSIUmA)

But I couldn't solve this issue.

Any suggestions?

Regards,

Baris .

Jaime Valencia · ‎03-21-2016

OK, in the video I never mention that just following that procedure, will prevent you from getting that message, you only did half of the work, you signed your certs, NOW you need to distribute them to the machines.

Yes, the machine has the root cert, so it will trust the CUCM cert (once it's installed), but it doesn't actually have the cert for CUCM installed. If the machines do not have those certs pre-installed, they will need to install them as you login.

Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_5/CJAB_BK_C6FFF6D8_00_cisco-jabber-115-planning-guide/CJAB_BK_C6FFF6D8_00_cisco-jabber-115-planning-guide_chapter_0111.html#CJAB_RF_C47367A0_00

HTH

java

if this helps, please rate

View solution in original post

Jaime Valencia · ‎03-21-2016

OK, in the video I never mention that just following that procedure, will prevent you from getting that message, you only did half of the work, you signed your certs, NOW you need to distribute them to the machines.

Yes, the machine has the root cert, so it will trust the CUCM cert (once it's installed), but it doesn't actually have the cert for CUCM installed. If the machines do not have those certs pre-installed, they will need to install them as you login.

Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_5/CJAB_BK_C6FFF6D8_00_cisco-jabber-115-planning-guide/CJAB_BK_C6FFF6D8_00_cisco-jabber-115-planning-guide_chapter_0111.html#CJAB_RF_C47367A0_00

HTH

java

if this helps, please rate

Bar1s · ‎03-22-2016

Hello Jaime,

According to the this document actually I was expecting to not to prompted any certificate question.

So I have to populate CA signed certificates(tomcat, xmpp) to the domain clients, right ?

Regards,

Baris.

Jaime Valencia · ‎03-22-2016

No, your understanding of the docs is wrong, not because you simply sign them, you're all done.

The process has not changed.

If you DO NOT want those accept/deny options when logging into Jabber, you need to make sure the certificates (explained in the doc I provided, and the one you pointed) ARE ALREADY in the machine TRUST STORE.

And I'm not talking about the root certificate, I mean the CUCM/IM&P/CUC/etc certificates, need to be in the LOCAL MACHINE TRUST STORE.

Did you read what I posted in my previous reply?????

HTH

java

if this helps, please rate

Bar1s · ‎03-22-2016

Thanks Jaime for explaining. I just confused little bit. Now is ok.

Regards,

Baris.