CUCM certificate requests with an IP as the Subject Alternative Name (SAN)

If you have ever created a Certificate Signing Request using CUCM, you may have noticed a lack of setting an IP as a SAN.  A simple solution to this if you are dealing with a Microsoft Certificate Server is to fill out the additional attributes text field. However, by default prior to doing this you will need to open up an Administrator command prompt and issue the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Now restart your certificate services under the AD CA management pane.

Finally, you simply need to add the following:

san:dns=<hostname>&dns=<fqdn>&ipaddress=<ip address>

Although this may seem like a trivial thing, you will cause errors in most modern browsers due to not having a correct SAN in the certificate. This allows you to override even improperly generated requests lacking a SAN.  But by default Microsoft Server CA doesn't even generate Certificates with a SAN from the CUCM CSR's.  As always, remember that you need your CA to be in the computer's certificate store for trust to be established.

Lastly, make sure you restart your Tomcat service via the CLI by entering:

utils service restart Cisco Tomcat

Comments

Post a Comment

Popular posts from this blog

Policy Based Routing on a Nexus

First of all, let's just admit, I am a collab guy, doing work on a Nexus is a foreign experience. While some things are intuitive not everything follows RFC's and the Nexus platform is a bit more restrictive. First of all, to get PBR going, I had to change the hardware profile, since I have no intention of using QoS internally in my lab, I decided to steal from it: hardware profile tcam region qos 0 hardware profile tcam region pbr 256 This then requires a reboot.  After this is done and the pbr feature is enabled: feature pbr You can get into creating the route-maps.  However, unlike IOS devices you can only use permits in your acl's and then use a deny statement on the route map itself: ip access-list PBR_DENY statistics per-entry 10 permit ip any 192.168.1.0/24 ip access-list PBR_PERMIT  statistics per-entry  10 permit ip any any route-map PBR_RULE pbr-statistics route-map PBR_RULE deny 10  match ip address PBR_DENY route-map PBR_RULE permit 2
Read more

Adding 2 Factor Authentication to Guacamole through Duo and Yubikey

In order to do this you will need to grab the current duo extension as such: wget  https://gigenet.dl.sourceforge.net/project/guacamole/current/extensions/guacamole-auth-duo-0.9.13-incubating.tar.gz Once downloaded, decompress and move it to the appropriate folder: tar xzf guacamole-auth-duo-0.9.13-incubating.tar.gz && mkdir /etc/guacamole/extensions && mv ./guacamole-auth-duo-0.9.13-incubating/guacamole-auth-duo-0.9.13-incubating.jar /etc/guacamole/extensions/ Now add the Guacamole as an application to your Duo management page.  Select, Protect an Application under the Applications menu, then you will select the Web SDK application, rename it something like Guacamole. Next you will need to edit your /etc/guacamole/guacamole.properties and add the following info to it from the Duo site (minus the last key): duo-api-hostname: <Your API key found on the Duo site> duo-integration-key: <Integration key found on the Duo site> duo-secret-key: <
Read more