Re: [cisco-voip] Digicert Wildcard certificates
Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR. CUCM, Unity Cxn, UCCX do not support uploading a private key. Expressway and, I think, Conductor do allow you to upload a private key.

But what makes Digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase. You can do this, from what I understand, an unlimited number of times. There may be other CAs that do this. I saw one that seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert. Digicert with the wildcard includes the *.domain.com and domain.com SANs automatically, and you can specify about 15 other SANs for each CSR/cert. So CUCM and the other apps are happy because the cert was generated using its own CSR.

Using these certs, I had one TAC case where CUCM balked at the cert, but I could upload the cluster-wide Tomcat SAN cert via IMP. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. Always use domain.com and not DOMain.com and life is happy.

I am not affiliated with Digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and O I can make all of the Cisco UC/jabber cert errors go away!

PS. Has anyone figured out what to do with Conductor wanting IP address in the SAN?

Sent from my iPhone

On Jul 15, 2015, at 10:42 AM, Anthony Holloway avholloway+cisco-v...@gmail.com wrote:

I'm a little confused here.
According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported. Are we talking about the same thing here?

On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen peders...@bennettjones.com wrote:

Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I’ve found the hardest thing is to find a cert provider that likes putting the domain as a SAN such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc.

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ian Anderson
Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

On 15 July 2015 at 15:02, NateCCIE natec...@gmail.com wrote:

Did you put all of your SANs in the digicert page? I have this working on all of my expressway installs.
Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers
Ian
Re: [cisco-voip] Nortel 81C / CS1000 SIP Trunk to CUCM 10.5.2
I was going to mention the FQDN issue as I ran into it last month. Also, we had a scenario where the Nortel was sending SRTP keys in the SDP and it would cause issues, though I believe the symptom there was one way audio and not a complete failure. The fix for that was to disable SRTP in the COS on the Nortel.

Rob

-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Daniel Pagan
Sent: Tuesday, July 14, 2015 9:30 AM
To: Michael T. Voity; voip puck
Subject: Re: [cisco-voip] Nortel 81C / CS1000 SIP Trunk to CUCM 10.5.2

Is your Nortel PBX sending a FQDN in the Contact header? This is important because in 10.5(2) CUCM performs a SRV and A Record lookup on FQDNs contained in a SIP Contact header. If this lookup fails, then expect to see a CANCEL followed by a BYE. I encountered this a few times over the past few months and ended up creating a defect against it. Check out CSCuu84269.

If you want, I wouldn't mind taking a quick look at your detailed CCM SDL traces offline and letting you know if you're experiencing this defect. If you are, I'll send you a sample LUA script to use for converting the FQDN to IP address as a workaround which you can use for testing and workaround purposes (... and I can't guarantee this will work for you).

Hope this helps.

- Dan

-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Michael T. Voity
Sent: Monday, July 13, 2015 9:56 AM
To: voip puck
Subject: [cisco-voip] Nortel 81C / CS1000 SIP Trunk to CUCM 10.5.2

Hello,

Before we installed our Cisco CM 10.5.2 system everything here at the University is fed from a Nortel Avaya 81c / CS1000 system. The Telcom group has a bunch of systems on it that support SIP and SIP gateways. We setup a SIP trunk between the two systems from a guide that Avaya provided. It works fine like 99% of the time.
I am finding that I have to reset the SIP trunk every couple of days because it looks like the Nortel is busying out all the channels and it can only pass certain traffic. Example is that someone from Nortel land dials a 5 digit extension that has been routed to CUCM, the line on CUCM rings once and then discos the call. Looking at RTMT on the SIP traffic I can tell that the Nortel is sending the BYE message on the trunk right when the CUCM sends the RINGING.

The only way that I have found to correct this is to reset the SIP trunk from CUCM. Has anyone seen an issue like this and/or heard of this? Any ideas would be helpful!

-Mike

--
Michael T. Voity
Network Engineer
University of Vermont

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
[cisco-voip] Phones rebooted whilst in SRST
Hi All

We have an issue where phones (7821) that have registered in SRST and then been rebooted will not re-register in SRST until roughly 20 mins has passed. After the phone has rebooted it does then not contain any servers in its Active / Standby server list so the phone will never know where to register. If you look at a phone that has registered in SRST but not been rebooted then you see the Active Server as the SRST router and Standby servers as the CUCMs.

So if the phone loses its server list during a reboot and doesn’t know where to register is this normal operation? What I don’t understand though is why the phone does register with the SRST router after 20 mins. When this happens and you check the phone server list it just shows the Active server as the SRST router but nothing for Standby servers, so how does the phone register with the SRST?

Any thoughts on what we have observed here? Anyone tried rebooting a SRST registered phone before and seen it register back with the SRST GW?

Regards
Nick
Re: [cisco-voip] Digicert Wildcard certificates
To Dennis' point you don't have to put DNS=mycollab.com in the SAN. There is an alternative to use DNS=collab-edge.mycollab.com

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf

On Wed, Jul 15, 2015 at 2:16 PM, Heim, Dennis dennis.h...@wwt.com wrote:

If you have not seen the Cisco Live session on collab security I would definitely recommend it. It had some good discussion on certificates. Based on that Wildcard certs will never be supported on CUCM and the like and are frowned upon within the security community.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc.
[cisco-voip] Cisco IMP user count - total user count or configured user count?
I'm reading through the IMP v9 documents and it's referring to user count maximums and thresholds. I'm wondering how these apply.

Our CallManager v9 setup is LDAP synchronized to our enterprise AD with about 70,000 users being brought into the directory. Not all of these users will be IMP users, in fact, only a small portion of them will be.

I'm assuming that the user count maximums and thresholds only apply to configured users, say those with Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile) enabled in the user configuration page.

Do I got it right? Do the number of phones I have in my cluster have any bearing? Is it just users that are enabled for IMP?

Thanks

---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
Re: [cisco-voip] Digicert Wildcard certificates
If you have not seen the Cisco Live session on collab security I would definitely recommend it. It had some good discussion on certificates. Based on that Wildcard certs will never be supported on CUCM and the like and are frowned upon within the security community.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc.

From: Eric Pedersen [mailto:peders...@bennettjones.com]
Sent: Wednesday, July 15, 2015 12:51 PM
To: Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: RE: [cisco-voip] Digicert Wildcard certificates

Good point. I spoke too soon: we use wildcard certificates on VCS-E and WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard certificates either but everything seems to work provided the hostnames are configured as SANs. CUCM might be the same with the multi-server certificate but I haven’t tried.
Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page? I have this working on all of my expressway installs.

Sent from my iPhone

On Jul 15, 2015, at 7:35 AM, Ian Anderson i...@andersoi.co.uk wrote:

Hi All,

I'm resurrecting an old thread from the deep, where Nate suggested using DigiCert wildcard certificates for UC infrastructure. I'm trying to use some of these for an Expressway MRA implementation, and am struggling with the TLS-verification between the Expressway-E and Expressway-C.

There are a few posts out there on 'tinternet that seem to suggest that Wildcard certificates aren't supported, however Nate's post below indicated that the digicert wildcards worked fine with expressway. Before I put a permanent dent in this desk with my head, has anyone else had success with Digicert wildcard certs in an Expressway MRA deployment?

Cheers
Ian

On 5 Feb 2015, at 16:51, NateCCIE nateccie at gmail.com wrote:

Use DIGICERT! You can get a wildcard cert from them, and use it over and over. So you just generate the cert based on the CSR from each app and it loads right in.

Works great on CUCM, CUC, CUP, Expressway!
Re: [cisco-voip] Digicert Wildcard certificates
On 15 July 2015 at 15:02, NateCCIE natec...@gmail.com wrote:

Did you put all of your SANs in the digicert page? I have this working on all of my expressway installs.

Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers
Ian
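Added example, not part of any list message above and not code from Cisco or DigiCert: the SAN problems reported in this thread (a wildcard that does not cover the bare domain or deeper subdomains, domain casing that differs between servers and certificate, a mistyped hostname in the SAN field) can be checked before a CSR is submitted. The Python below compares a certificate's DNS SAN list with the hostnames a deployment needs; every hostname, the status labels and the 0.85 similarity cutoff are assumptions made for illustration.

```python
"""Audit a certificate's DNS SANs against the hostnames a deployment needs.

All hostnames below are constructed sample data, not taken from the thread.
"""
from difflib import get_close_matches


def wildcard_covers(pattern, host):
    """True if a '*.example.com' style SAN covers host (case-insensitive).

    The '*' stands for exactly one left-most label, so '*.example.com'
    covers 'expe.example.com' but neither 'example.com' (the bare domain)
    nor 'imp.uc.example.com' (two labels deep).
    """
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def audit_sans(sans, required_hosts):
    """Return {host: (status, matching_san_or_None)} for each required host.

    Status values (labels chosen for this example):
      exact          host appears byte-for-byte as a SAN
      case-mismatch  a SAN equals the host only when case is ignored;
                     DNS is case-insensitive, but the thread reports an
                     upload rejected over casing, so it is flagged
      wildcard-only  only a wildcard SAN covers the host
      possible-typo  no match, but one SAN is nearly identical
      missing        nothing in the certificate covers the host
    """
    plain = [s for s in sans if not s.startswith("*.")]
    by_lower = {s.lower(): s for s in plain}
    report = {}
    for host in required_hosts:
        if host in plain:
            report[host] = ("exact", host)
            continue
        if host.lower() in by_lower:
            report[host] = ("case-mismatch", by_lower[host.lower()])
            continue
        covering = [s for s in sans if wildcard_covers(s, host)]
        if covering:
            report[host] = ("wildcard-only", covering[0])
            continue
        # Similarity cutoff of 0.85 is an assumption; it catches swapped
        # or dropped characters without pairing unrelated hostnames.
        near = get_close_matches(host.lower(), list(by_lower), n=1, cutoff=0.85)
        report[host] = ("possible-typo", by_lower[near[0]]) if near else ("missing", None)
    return report


# Constructed SAN list, as it might be typed into a CA's order form.
SAMPLE_SANS = [
    "*.example.com",
    "example.com",
    "expe.example.com",
    "expc.EXAMPLE.com",      # casing differs from the server's own FQDN
    "imp.uc.exmaple.com",    # transposed letters
]

# Constructed list of names the servers actually present.
SAMPLE_REQUIRED = [
    "example.com",
    "expe.example.com",
    "expc.example.com",
    "collab-edge.example.com",
    "imp.uc.example.com",
    "vcs.example.net",
]

if __name__ == "__main__":
    for name, (status, san) in audit_sans(SAMPLE_SANS, SAMPLE_REQUIRED).items():
        print(f"{name:28} {status:14} {san or '-'}")
```

Anything other than "exact" is worth resolving before the certificate is issued, since a reissue is needed to change the SAN list.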
Re: [cisco-voip] External Call from Movi Client to Conductor fails after 5 sec
Sounds like a codec issue. Are both sides negotiating the same codec?

Thanks,
Ryan

Original Message
From: Robert Schuknecht rschukne...@gmx.de
Sent: Wednesday, July 15, 2015 09:37 AM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] External Call from Movi Client to Conductor fails after 5 sec

Hi all,

I am facing a problem with an external call from a movi client (movi is registered to some external video system) which disconnects after about 5-7 sec.

Setup: External Movi Client -> Expressway-E -> Expressway-C -> CUCM Cluster -> Conductor -> vTP Server

In the CUCM Traces I have seen that there is a re-invite from conductor towards CUCM and CUCM sends the re-invite towards Expressway-C. After that I am seeing a Bye from CUCM towards Expressway-C with cause code 47 Resource Unavailable.

I am using CUCM Version 10.5.2, Expressway Version X8.5.x, Conductor Version X3.xxx

Any hint would be very welcome!

/Robert
[cisco-voip] ELM/PLM Licensing alerts - CUCM license RTMT alerts
Has anyone seen the Call Manager RTMT alert for CiscoGraceTimeLeft, CiscoNoProvisionTimeout, CiscoSystemInDemo, or CiscoSystemInOverage occur?

The RTMT alerts are all enabled (default) but I've seen multiple call manager 9.x and 10.x go over the licenses in ELM/PLM and get out of compliance by a few phones but never seen these alerts turn red in RTMT or nothing in the local syslog for them either. I've been over by 1 Enhanced license for 3-4 days now and have 58 days left and none of these have raised in RTMT.

The documentation states the RTMT alert is where to enable these and they are on by default. Is there some other knob not covered in the documentation? The ELM and PLM documentation state it is up to the application to enforce and alert on licensing matters. I do not see a way to enable a syslog server on the PLM server. I have snmp enabled but am not seeing any snmp traps either.

Has anyone looked into polling PLM directly to monitor licenses are compliant or not, or to get counts via SNMP?

The Unity Connection alerting mechanism works fine, and unity connection stops taking calls if licensing issue goes past the grace period. That is changing in future though.

Regards,
Erick
[cisco-voip] Digicert Wildcard certificates
Hi All,

I'm resurrecting an old thread from the deep, where Nate suggested using DigiCert wildcard certificates for UC infrastructure. I'm trying to use some of these for an Expressway MRA implementation, and am struggling with the TLS-verification between the Expressway-E and Expressway-C.

There are a few posts out there on 'tinternet that seem to suggest that Wildcard certificates aren't supported, however Nate's post below indicated that the digicert wildcards worked fine with expressway. Before I put a permanent dent in this desk with my head, has anyone else had success with Digicert wildcard certs in an Expressway MRA deployment?

Cheers
Ian

On 5 Feb 2015, at 16:51, NateCCIE nateccie at gmail.com wrote:

Use DIGICERT! You can get a wildcard cert from them, and use it over and over. So you just generate the cert based on the CSR from each app and it loads right in.

Works great on CUCM, CUC, CUP, Expressway!
[cisco-voip] External Call from Movi Client to Conductor fails after 5 sec
Hi all,

I am facing a problem with an external call from a movi client (movi is registered to some external video system) which disconnects after about 5-7 sec.

Setup: External Movi Client -> Expressway-E -> Expressway-C -> CUCM Cluster -> Conductor -> vTP Server

In the CUCM Traces I have seen that there is a re-invite from conductor towards CUCM and CUCM sends the re-invite towards Expressway-C. After that I am seeing a Bye from CUCM towards Expressway-C with cause code 47 Resource Unavailable.

I am using CUCM Version 10.5.2, Expressway Version X8.5.x, Conductor Version X3.xxx

Any hint would be very welcome!

/Robert
Re: [cisco-voip] Digicert Wildcard certificates
I'm a little confused here.

According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported. Are we talking about the same thing here?

On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen peders...@bennettjones.com wrote:

Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.