Ya, sorry, I meant the parent domain. The issue ended up being that the Incommon wasn't set up right. Their 800 tech support fixed it in like 40 seconds, which was pretty cool.
I believe the 10.5 systems add the parent domain, or maybe it is just Multiserver certs.

Justin, TLDs are like .com, .net, .org, etc. I think you meant parent domain. Also, is that a feature of the multiserver cert? Because I don't see CER, for example, putting the parent domain in the CSR.

On Tue, Jul 21, 2015 at 10:24 AM Justin Steinberg <jsteinb...@gmail.com> wrote:
> While we are on the topic of certs, has anyone had issues with certain CAs not allowing a top level domain as a SAN (e.g. cisco.com)?
>
> GoDaddy would complain in the UI that you shouldn't have a top level domain as a SAN but would still sign the cert. I'm having a problem now with Internet2/Incommon where it won't let me put a top level domain in the cert as a SAN. It just won't take the CSR.
>
> Justin
>
> On Tue, Jul 21, 2015 at 8:16 AM, NateCCIE <natec...@gmail.com> wrote:
>> I think it's 15 SANs plus *.domain.com and domain.com
>>
>> Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm
>>
>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Anthony Holloway
>> Sent: Monday, July 20, 2015 11:49 PM
>> To: Charles Goldsmith; Ian Anderson
>> Cc: Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>>
>> That's great to hear about Digicert. I just went through a rough time with Comodo trying to get multiserver certs and my CNAMEs in the SAN field. How many SAN entries does Digicert limit you to, and at what price per year?
>>
>> On Mon, Jul 20, 2015 at 11:19 AM Charles Goldsmith <wo...@justfamily.org> wrote:
>> One thing of note, Digicert works very well with all of our UC apps with their UC certificate. Add all of your server names as SANs, as well as the domain name, and just duplicate the certificate for each app, changing the CN. It works well and also Digicert has great support.
>>
>> On Sun, Jul 19, 2015 at 4:27 AM, Ian Anderson <i...@andersoi.co.uk> wrote:
>> Hi Nate,
>>
>> I think that the concern of using wildcards generally comes from the security and compliance folks, in that if the private key of any of the servers were to be compromised then the resulting public and private keys could be used to impersonate any subdomain, e.g. e-payments.domain.com.
>>
>> That said, as long as the customer is aware of the risk then Digicert is a fantastic option, although a lot of these issues go away in 10.5.
>>
>> The only app I've had it completely throw a wobble on so far is UCCX 9.0, as this was checking the CN on certificate upload and didn't like * even though the server name was in the SAN.
>>
>> Cheers
>>
>> Ian
>>
>> On 16 July 2015 at 02:35, NateCCIE <natec...@gmail.com> wrote:
>> Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR.
>>
>> CUCM, Unity Cxn, UCCX do not support uploading a private key.
>>
>> Expressway, and I think Conductor, do allow you to upload a private key.
>>
>> But what makes Digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase.
>>
>> You can do this, from what I understand, an unlimited number of times.
>>
>> There may be other CAs that do this. I saw one that seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert.
>>
>> Digicert with the wildcard includes the *.domain.com and domain.com SANs automatically, and you can specify about 15 other SANs for each CSR/cert.
>>
>> So CUCM and the other apps are happy because the cert was generated using its own CSR.
>>
>> Using these certs, I had one TAC case where CUCM balked at the cert, but I could upload the cluster wide tomcat SAN cert via IM&P. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. Always use domain.com and not DOMain.com and life is happy.
>>
>> I am not affiliated with Digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and, oh, I can make all of the Cisco UC/Jabber cert errors go away!
>>
>> PS. Has anyone figured out what to do with Conductor wanting the IP address in the SAN?
>>
>> Sent from my iPhone
>>
>> On Jul 15, 2015, at 10:42 AM, Anthony Holloway <avholloway+cisco-v...@gmail.com> wrote:
>> I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wildcard certs are not supported. Are we talking about the same thing here?
>>
>> On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <peders...@bennettjones.com> wrote:
>> Digicert lets you put your domain and subdomains of any level as SANs. It's great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.
>>
>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Heim, Dennis
>> Sent: 15 July 2015 8:28 AM
>> To: Ian Anderson; NateCCIE; Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>>
>> I've found the hardest thing is to find a cert provider that likes putting the domain as a SAN, such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.
>>
>> Dennis Heim | Emerging Technology Architect (Collaboration)
>> World Wide Technology, Inc.
>>
>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ian Anderson
>> Sent: Wednesday, July 15, 2015 10:18 AM
>> To: NateCCIE; Cisco VOIP
>> Subject: Re: [cisco-voip] Digicert Wildcard certificates
>>
>> On 15 July 2015 at 15:02, NateCCIE <natec...@gmail.com> wrote:
>> Did you put all of your SANs in the Digicert page?
>>
>> I have this working on all of my Expressway installs.
>>
>> Hi Nate,
>>
>> Thanks for the quick response. Just for preservation in the archives for future posterity, and confirmation that Digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.
>>
>> 1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
>> 2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(
>>
>> Cheers
>>
>> Ian
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
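The thread keeps coming back to three practical points: the CSR has to carry the wildcard, the bare parent domain and every server FQDN as SANs; the CA (or the UC app) rejects what it does not like in that list; and mixed-case domain names in the SANs break matching against the servers' lowercase FQDNs. The script below is an added example, not code from the thread or from any of the products mentioned. It builds such a CSR with the openssl CLI, reads the SAN list back exactly as a CA would see it, and checks the two things people in the thread were bitten by. The domain example.com and the cucm-pub / cucm-sub / imp hostnames are constructed placeholders, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a CSR whose SAN list carries the
# wildcard, the parent (bare) domain and the individual UC hostnames, then reads
# the SANs back and checks them the way a CA or CUCM will.
# example.com and the cucm-pub / cucm-sub / imp hostnames are constructed
# placeholders. Requires the openssl CLI; SANs are supplied through a config
# file rather than -addext so this works on OpenSSL 1.0.x as well as 1.1.1+.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# write_csr_config DOMAIN [EXTRA_FQDN...]
# Emits an OpenSSL request config with *.DOMAIN and DOMAIN first in the SAN
# list, followed by any extra hostnames. Prints the config path.
write_csr_config() {
  domain="$1"; shift
  cfg="$WORKDIR/csr.cnf"
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "req_extensions = san"
    echo "prompt = no"
    echo "[dn]"
    echo "CN = cucm-pub.$domain"
    echo "O = Example Org"
    echo "[san]"
    echo "subjectAltName = @alt"
    echo "[alt]"
    i=1
    for name in "*.$domain" "$domain" "$@"; do
      echo "DNS.$i = $name"
      i=$((i + 1))
    done
  } > "$cfg"
  echo "$cfg"
}

# make_csr CONFIG
# Generates a fresh key and the CSR; the key stays in WORKDIR and never leaves
# this host, which is the point of the per-app CSR flow the thread describes.
# Prints the CSR path.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/req.csr" -config "$1" 2>/dev/null
  echo "$WORKDIR/req.csr"
}

# csr_sans CSR
# Prints the DNS SAN entries of the request, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*DNS://' -e '/^$/d'
}

# all_lowercase  (reads names on stdin)
# The casing check from the thread: an uppercase letter anywhere in a SAN will
# not match the lowercase FQDN the server presents. Exit 0 if all clean.
all_lowercase() {
  while IFS= read -r name; do
    case "$name" in
      *[[:upper:]]*) return 1 ;;
    esac
  done
  return 0
}

# has_name NAME  (reads names on stdin)
# Exit 0 if NAME appears verbatim in the list (fixed-string, whole-line match,
# so '*.example.com' is not treated as a pattern).
has_name() {
  grep -qxF -- "$1"
}

# Stand-alone run: build the CSR for example.com and show what a CA would see.
cfg=$(write_csr_config example.com cucm-pub.example.com cucm-sub.example.com imp.example.com)
csr=$(make_csr "$cfg")
echo "CSR written to $csr with SANs:"
csr_sans "$csr"
if csr_sans "$csr" | has_name example.com; then echo "parent domain present"; fi
if csr_sans "$csr" | all_lowercase; then echo "all SANs lowercase"; fi
```

Run it once per application, changing the CN the way Charles describes, and diff the csr_sans output against the list of FQDNs the servers actually present before submitting to the CA; a CA that strips or refuses the bare domain will show up immediately when you run the same extraction over the issued certificate (`openssl x509 -in cert.pem -noout -text`). For Ian's first issue, the trust chain can be checked offline with `openssl verify -CAfile root.pem -untrusted intermediate.pem cert.pem`: if that fails with the intermediate alone, the root has to be uploaded too.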