Configure Multiple Addresses in SAN Certificate in CVOS Systems

Introduction

This document describes how to set up a Cisco Voice Operating System (VOS) system to have multiple addresses in Subject Alternative Name (SAN) certificate field when the Cisco VOS environment does not have a Publisher – Subscriber architecture model for example Virtual Voice Browser (VVB).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• CA-signed certificates
• Self-Signed certificates
• Cisco VOS CLI

Components Used

• VVB
• Cisco VOS System Administration - Certificate Management
• Cisco VOS CLI

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

The configuration is carried through the Cisco VOS command line interface. This helps the organisation to use and browse the webpages either with the hostname or Fully Qualified Domain Name (FQDN) through the secure communication channel. Thereby, the browser does not report an untrusted HTTP connection.

Configure

Before you attempt this configuration, ensure these services are up and functional;

• Cisco Tomcat service
• Cisco Certificate Change Notification
• Cisco Certificate Expiry Monitor
  
  

Configurations

Step 1. Login to VVB OS CLI with credentials.

Step 2. You need to first set the Certificate information prior to the generation of CSR.

• Execute the  set web-security  command on the VVB CLI interface.

set web-security <orgunit> <orgname> <locality> <state> [country] [alternatehostname1,alternatehostname2] 

For example,  set web-security tac cisco bangalore karnataka IN vvbpri,vvbpri.raducce.com  as shown in this image.

Set web-security command

Next, it prompts you to answer with Yes/No as demonstrated in this image.

set web-security command execution

• Enter  Yes
• Restart the Cisco Tomcat service on the Cisco VOS node.

utils service restart Cisco Tomcat

Step 3. Generate Tomcat certificate signing request (CSR) via CLI. The command  set csr gen tomcat  generates a Tomcat certificate from the VOS CLI interface. 

Step 4. Check on the VVB OS ADMIN Certificate management page, a Tomcat CSR certificate is generated. Click on the  Download CSR  option as shown in this image.

Tomcat CSR certificate

Step 5. Provide the CSR certificates to the CA team and get the certificate signed by CA.

Step 6. In this image, the certificate that is signed by CA where-in the SAN shows the multiple addresses that are configured from the previously mentioned commands.

Tomcat CA signed certificate

Verify

Use this section in order to confirm that your configuration works properly.

1. Log in to the VOS Portal URL  page, click  LOCK  icon, and verify the defined addresses in the SAN certificate field.
2. Try to use the addresses defined in the SAN field and verify the secure HTTP communication.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Collect these certificate management logs from CLI access and open the case with Cisco TAC: file get activelog platform/log/cert*