CUCM certificate requests with an IP as the Subject Alternative Name (SAN)

If you have ever created a Certificate Signing Request using CUCM, you may have noticed a lack of setting an IP as a SAN.  A simple solution to this if you are dealing with a Microsoft Certificate Server is to fill out the additional attributes text field. However, by default prior to doing this you will need to open up an Administrator command prompt and issue the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Now restart your certificate services under the AD CA management pane.

Finally, you simply need to add the following:

san:dns=<hostname>&dns=<fqdn>&ipaddress=<ip address>

Although this may seem like a trivial thing, you will cause errors in most modern browsers due to not having a correct SAN in the certificate. This allows you to override even improperly generated requests lacking a SAN.  But by default Microsoft Server CA doesn't even generate Certificates with a SAN from the CUCM CSR's.  As always, remember that you need your CA to be in the computer's certificate store for trust to be established.

Lastly, make sure you restart your Tomcat service via the CLI by entering:

utils service restart Cisco Tomcat

Comments

Popular posts from this blog

Policy Based Routing on a Nexus

Well... chatGPT, collab, automation, monolithic code and bad APIs