Tomcat Certificate renewal adding hostname in SAN in both CUCM and Unity 11.5.1

Mike Pagano
Level 1

The Tomcat CSR generator is adding both the hostname and FQDN in the SAN area of the request, even when the SAN area is blank. The expiring certificates were installed on an older version of CUCM and Unity; I checked the CSRs and the SAN area is completely blank. This is something new to 11.5.1.

My CA signing system does not support the hostname, so the provider has to remove it from the request before creating the certificate. When I try to import this certificate the server fails to import it because it doesn't match the CSR.

I'm wondering if there is a setting somewhere that will stop the server from adding this in the SAN.

I put in BOLD an example of what was added with a blank SAN in the CSR generator screen.

SANS: ach-cucvm-pub, ACH-CUCVM-PUB.win.ad.jhu.edu
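An added check, not from this thread or from Cisco, for the mismatch described above: before uploading a CA-issued Tomcat certificate through OS Administration, confirm it still carries the CSR's public key and every SAN name the CSR requested, so a CA that strips the bare hostname is caught before the import fails. It assumes openssl 1.1.1 or later (for `-addext`) and a POSIX shell; the key, CSR and the two self-signed "issued" certificates are constructed inside the script, using the SAN names quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: verify a CA-issued Tomcat
# certificate against the CSR before uploading it. Needs openssl 1.1.1+ (-addext).
set -eu

# DNS names from the subjectAltName of a PEM file; $1 is "req" (CSR) or "x509".
san_names() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^ *DNS://' | sort
}

# SAN names the CSR asked for that the issued certificate does not carry.
san_missing() {
  san_names req "$1" > "$WORK/csr.san"
  san_names x509 "$2" > "$WORK/crt.san"
  comm -23 "$WORK/csr.san" "$WORK/crt.san"
}

# The certificate must contain the CSR's public key or the upload is rejected.
keys_match() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Returns 0 only when the key matches and no requested SAN name was dropped.
precheck() {
  keys_match "$1" "$2" || { echo "public key differs from the CSR"; return 1; }
  missing=$(san_missing "$1" "$2")
  if [ -n "$missing" ]; then
    echo "SAN names in the CSR but not in the certificate:"; echo "$missing"; return 1
  fi
  echo "OK: certificate matches the CSR"
}

# Constructed sample data (SAN names taken from the thread): the key and CSR
# stand in for the CUCM-generated pair; stripped.crt stands in for what a CA
# returns after removing the bare hostname, full.crt for an unmodified signing.
WORK=$(mktemp -d)
CN="/CN=ach-cucvm-pub.win.ad.jhu.edu"
openssl genrsa -out "$WORK/tomcat.key" 2048 2>/dev/null
openssl req -new -key "$WORK/tomcat.key" -out "$WORK/tomcat.csr" -subj "$CN" \
  -addext "subjectAltName=DNS:ach-cucvm-pub,DNS:ACH-CUCVM-PUB.win.ad.jhu.edu"
openssl req -new -x509 -key "$WORK/tomcat.key" -out "$WORK/stripped.crt" -days 30 \
  -subj "$CN" -addext "subjectAltName=DNS:ACH-CUCVM-PUB.win.ad.jhu.edu"
openssl req -new -x509 -key "$WORK/tomcat.key" -out "$WORK/full.crt" -days 30 \
  -subj "$CN" -addext "subjectAltName=DNS:ach-cucvm-pub,DNS:ACH-CUCVM-PUB.win.ad.jhu.edu"

precheck "$WORK/tomcat.csr" "$WORK/stripped.crt" || true   # reports ach-cucvm-pub missing
precheck "$WORK/tomcat.csr" "$WORK/full.crt"               # OK
```

Run it against the CSR downloaded from OS Administration and the certificate the CA returned; an empty "missing" list and a matching key are what a successful upload requires.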

Accepted Solution

Mike Pagano
Level 1

We're using an internal CA signing system.

 

Turns out the web-security profile had a SANS name configured.  Although it was the FQDN of the server, the CSR generator was adding the hostname to the SANS area.  I ran "set web-security" from CLI with a blank SANS field.  The CSR generator now creates a CSR with a blank SANS field.  This resolved the issue.


5 Replies

For me it includes the parent domain, that is my company domain.

 


 

Since these are internal servers you can get this certificate signed by an internal CA.

 



Mine did that too, but I removed it.

 

It still added the hostname and FQDN despite my attempt to make it blank.

I need to know how to generate the CSR with the SAN blank.

You can get the certificate signed by an internal CA. I never faced any issues with the SAN field and internal CA signing.

 

 



What type of CA are you using, a public or an internal?


