Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1112
Views
10
Helpful
5
Replies

Jabber Certificate Mismatch IP vs FQDN

Vishal Bhardwaj
Level 1
Level 1

‎04-19-2020 09:11 AM

Hi,

In my customer's environment, the CUCM and CUC servers are configured with IPs as they didn't want to go for DNS. At that time there was no requirement of Jabber but due to Current Covid situation users have to work from home and use Jabber. But now, when they launch jabber it's prompting for Certificate Accept warning (we have around 22 servers in total and sometimes they have to accept 5 or 10 warnings).

I had generated a CSR, got it signed by customer's CA and uploaded (they installed it on their PC as well) but still getting Warning message for IPs of Servers. Certificates generated were for FQDNs however.

 

In UC Service and profile I am giving IPs as well. Can someone please guide me if there's a workaround which can fix this?

0 Helpful
5 Replies 5

Roger Kallberg
VIP
VIP

‎04-19-2020 10:48 AM

There is no other way than to configure this to use FQDN. This is per current best practice and recommendation from Cisco.



Response Signature


Chris Deren
Hall of Fame
Hall of Fame

‎04-21-2020 05:33 AM

You would need to add the CUCM IP addresses as SANs to your Tomcat certificate, public CAs will not let you do that, but if your Tomcat certs are signed by internal CA then that might be an option.  To do that you'd need to add the SAN using set web-security command via CLI, generate new CSR, have it signed and then install on CUCM. If that is not an option for you then you need to change CUCM references under System to FQDNs  to avoid cert warnings on Jabber, when you do that make sure all of your phones get DNS server from DHCP scope.

Vishal Bhardwaj
Level 1
Level 1
In response to Chris Deren

‎04-21-2020 12:44 PM

Hi Chris,

 

I did generate a new CSR and got it CA signed by Customer. Good news is that now, instead of having to accept 10+ certificates they have to accept only 2, 1 for CUCM and 1 for UnityConnection. Customer is okay with that so it works out fine at the end. Changing IP to FQDN will be a big change for all 15000 phones

 

Thanks for your help and answer :)

0 Helpful

Chris Deren
Hall of Fame
Hall of Fame
In response to Vishal Bhardwaj

‎04-21-2020 04:40 PM

Great, which certs are still being presented as untrusted?

 

Don't forget to rate all useful posts!

Chris

0 Helpful

Roger Kallberg
VIP
VIP
In response to Vishal Bhardwaj

‎04-21-2020 10:37 PM - edited ‎04-21-2020 10:39 PM

Even if the change from IPs to FQDN might sound like a big thing my experience with this is that’s it’s not such a big deal. As long as the phones has a DNS server and it would usually be served this already by DHCP then it’s rather transparent. The phones will pickup a new configuration file, with the FQDNs for the CM nodes in the CMG, next time it’s reset. It’s not much more to it.



Response Signature


0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents