10-19-2020 06:55 AM
The tomcat CSR generator is adding both the hostname and FQDN in the SAN area of the request, even when the SAN area is blank. The expiring certificates were installed on an older version of CUCM and Unity; I checked the CSRs and the SAN area is completely blank. This is something new to 11.5.1.
My CA signing system does not support the hostname, so the provider has to remove it from the request before creating the certificate. When I try to import this certificate the server fails to import it because it doesn't match the CSR.
I'm wondering if there is a setting somewhere that will stop the server from adding this in the SAN.
I put in bold an example of what was added with a blank SAN in the CSR generator screen.
SANS: ach-cucvm-pub, ACH-CUCVM-PUB.win.ad.jhu.edu
10-19-2020 07:35 AM
For me it includes the parent domain, that is, my company domain.
Since these are internal servers, you can get this certificate signed by an internal CA.
10-19-2020 08:15 AM
Mine did that too, but I removed it.
It still added the hostname and FQDN despite my attempt to make it blank.
I need to know how to generate the CSR with the SAN blank?
10-19-2020 08:52 AM
You can get the certificate signed by an internal CA. I never faced any issues with the SAN field and internal CA signing.
10-19-2020 10:38 AM
What type of CA are you using, a public or an internal?
10-20-2020 08:39 AM
We're using an internal CA signing system.
Turns out the web-security profile had a SANS name configured. Although it was the FQDN of the server, the CSR generator was adding the hostname to the SANS area. I ran "set web-security" from CLI with a blank SANS field. The CSR generator now creates a CSR with a blank SANS field. This resolved the issue.
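The thread describes an import failing because the issued certificate no longer matched the CSR after the CA removed a SAN entry. The following is an added example, not part of the original thread or any Cisco tooling: a shell check that lists which SAN DNS names differ between a CSR and the issued certificate before an import is attempted. The function names and file arguments are hypothetical, and the parsing assumes the usual `openssl ... -noout -text` layout.

```shell
#!/bin/sh
# Added example, not from the thread: list SAN differences between a CSR and
# the certificate the CA issued for it. Assumes the usual `openssl -text`
# layout, where SAN values sit on the line after the extension name.

# stdin: `openssl req|x509 -noout -text` output
# stdout: DNS SAN names, lower-cased (DNS names are case-insensitive), sorted
san_from_text() {
    awk '/X509v3 Subject Alternative Name/ { if ((getline l) > 0) print l }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' \
        | tr '[:upper:]' '[:lower:]' \
        | LC_ALL=C sort -u
}

# $1, $2: files holding san_from_text output for the CSR and the certificate.
# Prints one line per differing name; returns 1 if the two sets differ.
san_diff() {
    report=$( { LC_ALL=C comm -23 "$1" "$2" | sed 's/^/only-in-csr: /'
                LC_ALL=C comm -13 "$1" "$2" | sed 's/^/only-in-cert: /'; } )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# $1: CSR in PEM form, $2: issued certificate in PEM form (placeholder paths).
check_issued_cert() {
    tmp=$(mktemp -d) || return 2
    openssl req  -in "$1" -noout -text | san_from_text > "$tmp/csr"
    openssl x509 -in "$2" -noout -text | san_from_text > "$tmp/cert"
    rc=0
    san_diff "$tmp/csr" "$tmp/cert" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run only when called with two file arguments: sh san_check.sh csr.pem cert.pem
if [ "$#" -eq 2 ]; then
    check_issued_cert "$1" "$2"
fi
```

For the case in this thread (hostname and FQDN in the CSR, hostname removed by the CA), the check reports the hostname as `only-in-csr`.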