SSL Certificate Not Accepted

scooter817
Level 2

Hi Everyone

I just started a new position on Monday and they have UCCX onsite. They are having an issue and I wanted to know if anyone has seen this before. I'm attaching a screenshot that I took of the error the users are getting. Thanks in advance for the help. I look forward to your replies, and have a great day.


5 Replies

Slavik Bialik
Level 7

Hi,

You need to verify that you're trying to access UCCX through a computer that is in the domain usconcrete.com, and also validate that the UCCX Tomcat certificate is signed by this domain CA.

If you're using Chrome, for example, just press F12 and it'll open the developer window. Go to the Security tab and press "View Certificate".

Please attach a print screen of the main window of the certificate. Also go to the "Details" tab and check what Signature Hash Algorithm is stated in the certificate. If it's SHA1, that's probably the issue, and you'll have to regenerate the certificate with SHA256 if it is self-signed, or generate a CSR with SHA256 and sign it with your internal certificate authority that is inside your domain and that your domain trusts.
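As an added example (not part of the original post and not Cisco tooling): a standard-library Python script that reads from DER bytes the same two facts the post asks for from the certificate viewer, the signature hash algorithm and whether issuer equals subject. The function names are hypothetical, and the sample input is a constructed certificate-shaped blob with the placeholder name `uccx.example.test`.

```python
# Added example, hypothetical names. OIDs of the two signature algorithms discussed in the thread.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):                        # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):                 # elements directly inside a constructed value
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def inspect_cert(der):
    tbs, sig_alg, _sig = children(der, *read_tlv(der, 0)[1:])
    f = children(der, tbs[1], tbs[2])
    f = f[1:] if f[0][0] == 0xA0 else f        # skip optional [0] version
    # f is now: serial, signature algorithm, issuer, validity, subject, ...
    issuer, subject = der[f[2][1]:f[2][2]], der[f[4][1]:f[4][2]]
    oid = children(der, sig_alg[1], sig_alg[2])[0]
    name = SIG_OIDS.get(decode_oid(der[oid[1]:oid[2]]), "unknown")
    # issuer == subject means self-issued; the signature itself is not verified here
    return {"sig_alg": name, "sha1": name.startswith("sha1"), "self_issued": issuer == subject}

# --- constructed sample input: a minimal certificate-shaped DER blob, not a real certificate ---
def tlv(tag, body):
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x80 | len(nb)]) + nb + body

def sample_cert(oid_last, issuer_cn, subject_cn):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([oid_last])) + b"\x05\x00")
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"240101000000Z") * 2) + name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 16))

if __name__ == "__main__":
    print(inspect_cert(sample_cert(0x05, b"uccx.example.test", b"uccx.example.test")))
```

For a real certificate exported as PEM, `ssl.PEM_cert_to_DER_cert()` from the standard library yields the DER bytes that `inspect_cert` expects.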

I've attached the screenshot you were speaking of, and the algorithm is SHA1.

100% sure that this is the issue. Microsoft released a security update a while ago that makes your PC distrust certificates that are signed with a hashing algorithm of SHA1. You can read more about it here:

https://technet.microsoft.com/en-us/library/security/4010323.aspx

Anyway, as I can see, you're currently using a self-signed certificate, so you can regenerate the certificate with SHA256. But I'm almost sure that the certificate error will persist, as it is a self-signed certificate and your computer won't trust it unless you install this certificate locally on your PC, which isn't a good solution, especially if you have lots of agents that need to gain access to the UCCX. I would advise you to generate a CSR and sign it with your domain CA 'usconcrete.com'. That way all the agents (that are hopefully part of this domain) will automatically trust this certificate that is signed by your internal CA, and you won't need to install the certificate locally on each computer. Just make sure that when you sign it with your CA, your CA also signs certificates with a hashing algorithm of SHA256.

Let me ask you this: do you think that having other certificates that are expired would cause this error? I currently have 8 certificates on CUCM that are expired and I'm going to fix the issue next Wednesday during our maintenance window.

No, it's definitely not the cause of your issue.

By the way, a small tip. When you're going to export CSRs from your CUCMs for signing, pay attention that you can select the "Multi-Server certificate" option. It'll output a CSR that represents all the nodes in the cluster, as it puts the FQDNs of all your cluster nodes in the SAN (Subject Alternative Name) field. That way you don't need to sign each node separately, but export one CSR (for a single service, like Tomcat) for all nodes and upload only one certificate after signing it.
