Hi Gordon,

Thank you for your prompt response. For recommendation, you are right but we don't want to initiate that change for now unless, there is no other option left.

While Generating new CSR, under SAN, there is only Parent Domain field which is populated with our domain name. How should I add the IP address there ?

Regards

I managed to find the workaround.

In coordination with our security engineer, Before Submitting to CA, we could add the SAN manually in the CSR and that should suffice the need.

Hi,

I need this too, how your partner manage to add the IP address into the CSR.

Thanks in advance.

Same problem. I think our internal CA will allow us to inject a replacement for the SAN inside the CSR.

The reason I mention this is that, CUCM stripped out the IP addresses within the SAN list when I attempted to include IP addresses:

set web-security "xxxx" "xxxx" City State CC hostname.local,10.1.1.1,hostname2.local,10.1.1.2

I can't see how migrating to FQDNs in the processnode table/System > Server is acceptable to everyone. If DNS goes down, we still want to make phone calls!

I will test injecting IP addresses via the internal CA and report back.

Thank you for your response, i have a Microsoft PKI, do you know how can i add this field through the CA into the CSR,

Thanks in advanced.

I haven't used the Microsoft CA and I'm not a PKI guy so difficult to advise you I'm afraid. Having said that, there is a screenshot showing SAN being added on a Microsoft CA here: http://terenceluk.blogspot.com/2017/09/adding-san-subject-alternative-name.html 

My colleague mentioned some success in getting IP addresses listed in the CSR SAN field using the "set web-security" command though, so I'm going to try this method again tomorrow.

I'm informed that browser behaviour has changed over the years and although it was once appropriate to specfiy dnsName=<x.x.x.x>, these days RFC5280 is the recommended approach with iPAddress=<x.x.x.x>. I'm not sure how the Jabber client handles all this, but at least for us dnsName=10.1.1.1 is working fine as a SAN for us.

I should also mention that it looks like certificates & dns mostly takes place at Jabber discovery and startup. Since we use an SRV query to locate the UDS servers, a working DNS system is essential for Jabber sign in. I don't think certificates come into play when placing or receiving a phone call.

Hi James,

How can the certificate list iPAddress=<x.x.x.x> instead of dnsName=<x.x.x.x>, that's my wish. But when I generate CSR with the command "set web-security", it shows only dnsName=<x.x.x.x>, how can we modify it?

In CM v10.5 you cannot specify an IP address SAN and expect the field to be designated iPAddress - this wasn't the industry norm when v10.5 was written. I don't know about something newer like v14 - it would be a good question for TAC or someone with access to a v14 cluster.

A possible workaround would be to attach a SAN field alongside the CSR and ask your CA to sign it. This is apparently not good practice for the integrity of the CSR itself (more information here).