Do you remember how you solved this?
I have a similar issue but in my case I used Windows to sign the certificate and there is no IntermediateCA involved. The Root is installed on ExpC and ExpE but the verification fails. I also verified the same using OpenSSL service on ExpC:
openssl verify -verbose -CAfile CA.pem CERT.pem
error 20 at 0 depth lookup:unable to get local issuer certificate
When I look at the certificate, the issued-by field contains the correct name. Is there a way to verify the issuer against the serial number of the CA?
I only use internal certificates for testing purposes.
Hi Jaime, yes, this fact was clear to me. Especially I mean the fact of what is best practice if you build CUCM with IMP and Jabber (connecting internally and externally with the same credentials) and you have an internal domain, let's say domain.local, and an external domain, domain.com. Your UPN is firstname.lastname@example.org and mail is email@example.com, and only domain.local is the AD domain. My opinion is to set the username in CUCM to mail; all other attributes did not meet the requirements to have the same login externally and internally. UPN is not possible, except the default firstname.lastname@example.org, because of the fact that it is not possible to configure the search base in the LDAP authentication option in CUCM (CUCM builds the user base with the domain portion of the login). See https://supportforums.cisco.com/discussion/11233626/active-directory-synchronization-working-authentication-not-cubm-be5000-861a The simple way is to have the same domain internally and externally, but that is not common. Before Jabber, Jabber MRA and those gadgets it was softball, because the login depended only on what the users were familiar with.