List:       cisco-voip
Subject:    Re: [cisco-voip] Wildcard certificates
From:       NateCCIE <nateccie () gmail ! com>
Date:       2020-06-19 12:53:32
Message-ID: CBB8CC86-41CB-4981-9690-686B09DA5512 () gmail ! com
Yeah. In my experience, the cert can have as many extra SANs as you want, but all of the SANs the CUCM CSR has have to be there, and spelled correctly.

Sent from my iPhone

> On Jun 19, 2020, at 1:02 AM, James Andrewartha <jandrewartha@ccgs.wa.edu.au> wrote:
> 
> It helps if I spell speeddial instead of speedidal 🙄
> 
> > On 19/6/20 2:21 pm, Anthony Holloway wrote:
> > I've got some thoughts, though, I've never done this before, so it's
> > just guessing.
> > 
> > You don't need *.domain.com in your SAN.
> > 
> > Just generate your CSR on CUCM as if you were not using wildcard
> > certificates.  Then when you dupe your wildcard on DigiCert's site,
> > manually add the exact same SANs in your CSR.
> > 
> > The resulting identity certificate will not have a CN which matches your
> > CSR, but the SANs will match, and according to the thread you linked:
> > 
> > /"The CN doesn't match but CUCM doesn't seem to care as long as the SAN
> > fields line up."/
> > 
> > On Thu, Jun 18, 2020 at 11:58 PM James Andrewartha
> > <jandrewartha@ccgs.wa.edu.au> wrote:
> > 
> > Hi voipers,
> > 
> > I'm trying to update the wildcard on our CUCM/IMP servers, and am
> > hitting a problem. We have a DigiCert wildcard, which I used
> > successfully before, but now when generating the certificate the UI
> > complains that *.ccgs.wa.edu.au isn't a valid certificate name or SAN. I
> > hacked the JavaScript to ignore this warning, and generated a CSR with
> > *.ccgs.wa.edu.au in the SAN:
> > 
> > $ openssl req -in tomcat\(8\).csr -noout -text | grep DNS
> > DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:speeddial.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
> > 
> > But when I try to upload the certificate to CUCM, it complains "CSR SAN
> > and Certificate SAN does not match". But the SANs on the certificate are
> > the same (albeit in a different order):
> > 
> > $ openssl x509 -in ../ssl/digicert/cucm-star_ccgs_wa_edu_au.crt -noout -text | grep DNS
> > DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au
> > 
> > I found
> > https://community.cisco.com/t5/unified-communications/wildcard-certificate-on-call-manager-10-5/td-p/2757989
> > from 2016 which says they got it working then, and I also got it working
> > in 2018 when the cert was last renewed, with *.ccgs.wa.edu.au as the
> > common name and a SAN. But I can't get it working now. Anyone got any
> > thoughts? Running CUCM 10.5.2.15900-8
> > 
> > Thanks,
> > 
> > -- 
> > James Andrewartha
> > Network & Projects Engineer
> > Christ Church Grammar School
> > Claremont, Western Australia
> > Ph. (08) 9442 1757
> > Mob. 0424 160 877
> > _______________________________________________
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
> > 
> 
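The check the thread converges on, as an added example that is not part of any message above: CUCM accepts the upload only when every DNS SAN from its CSR is present in the certificate, ignoring order and tolerating extra names. Comparing the two SAN lists as sets before uploading, rather than by eye, would have flagged the one-letter typo immediately. The two SAN strings are copied from the openssl output quoted in the thread; the near-match hint uses difflib from the standard library and the 0.8 similarity cutoff is an assumption chosen here.

```python
"""Verify that a certificate's DNS SANs cover every DNS SAN in the CSR.

CUCM rejects an uploaded certificate with "CSR SAN and Certificate SAN does
not match" when any SAN from its CSR is absent from the certificate. Per the
thread, order does not matter and extra SANs are tolerated, so the useful
comparison is set-wise: (csr_sans - cert_sans) must be empty.

The SAN strings below are copied from the openssl output quoted in the
thread (constructed sample input for this example, not a live lookup).
"""
import difflib
import re

CSR_SANS = (
    "DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:*.ccgs.wa.edu.au, "
    "DNS:ccgs.wa.edu.au, DNS:speeddial.voip.ccgs.wa.edu.au, "
    "DNS:callmanager2.voip.ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, "
    "DNS:callmanager.voip.ccgs.wa.edu.au, DNS:presence.voip.ccgs.wa.edu.au"
)
CERT_SANS = (
    "DNS:*.ccgs.wa.edu.au, DNS:ccgs.wa.edu.au, DNS:voip.ccgs.wa.edu.au, "
    "DNS:callmanager1.voip.ccgs.wa.edu.au, DNS:callmanager2.voip.ccgs.wa.edu.au, "
    "DNS:speedidal.voip.ccgs.wa.edu.au, DNS:callmanager.voip.ccgs.wa.edu.au, "
    "DNS:presence.voip.ccgs.wa.edu.au"
)

# Matches each "DNS:name" entry as printed by "openssl req/x509 -text".
_DNS_RE = re.compile(r"DNS:\s*([^,\s]+)")


def parse_dns_sans(text):
    """Extract the DNS names from openssl SAN output as a set, lowercased
    and with any trailing dot stripped so cosmetic differences don't count."""
    return {name.lower().rstrip(".") for name in _DNS_RE.findall(text)}


def compare_sans(csr_text, cert_text):
    """Return (missing, extra, hints).

    missing: CSR SANs the certificate lacks; each one makes CUCM reject it.
    extra:   names only the certificate carries; harmless for the upload.
    hints:   for each missing name, the extra name it most resembles, which
             is how a transposed-letter typo such as speedidal shows up.
    The 0.8 similarity cutoff is an assumption tuned for hostname typos.
    """
    csr = parse_dns_sans(csr_text)
    cert = parse_dns_sans(cert_text)
    missing = sorted(csr - cert)
    extra = sorted(cert - csr)
    hints = {}
    for name in missing:
        close = difflib.get_close_matches(name, extra, n=1, cutoff=0.8)
        if close:
            hints[name] = close[0]
    return missing, extra, hints


def cert_satisfies_csr(csr_text, cert_text):
    """True iff every DNS SAN in the CSR appears in the certificate."""
    return not compare_sans(csr_text, cert_text)[0]


if __name__ == "__main__":
    missing, extra, hints = compare_sans(CSR_SANS, CERT_SANS)
    if not missing:
        print("OK: certificate covers every CSR SAN")
    for name in missing:
        hint = f" (did you mean {hints[name]!r}?)" if name in hints else ""
        print(f"MISSING from cert: {name}{hint}")
    for name in extra:
        print(f"extra in cert (ignored by CUCM): {name}")
```

Run it against the two strings and it reports speeddial.voip.ccgs.wa.edu.au missing with speedidal.voip.ccgs.wa.edu.au as the likely typo; in practice you would paste in the `grep DNS` output from the CSR and from the certificate the CA returned, and only upload when nothing is reported missing.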

