CUCM 10.5.1: CSR SAN and Certificate SAN Mismatch

I’ve been lucky to hit another bug today. Brand-new deployment of CUCM/CUC/CUPS version 10.5.1 and I’m unable to upload a freshly-generated SAN certificate from Starfield. I would get the following error: “CSR SAN and Certificate SAN does not match”.

CSR/Certificate SAN Mismatch

Originally, I thought the issue was a result of the CA inserting a www-prefixed name as one of the SANs in the cert (e.g. www.common_name.domain.com). So I manually added the www-prefixed name to the CSR and re-keyed the cert. No luck. After multiple retries, I gave up and opened a TAC case. I’m glad I did, because apparently I hit another bug. The reason CUCM can’t match the certificate’s SANs against the CSR is that the hostnames are all in UPPER case, while the cert is issued for hostnames in lower case.

The bug affects systems running version 10.5.1.10000-7 and is fixed in newer releases of CUCM, but I was given a link to download an ES (Engineering Special) version that is almost guaranteed to work.

Hope this helps someone who has been beating his/her head against the wall trying to figure this one out.
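To tell a case-only SAN difference apart from a name the CA added (such as the www-prefixed one), the sketch below parses the SAN line from OpenSSL text output and classifies each difference. It is an added example, not code from the original post or from Cisco; the host names, the embedded OpenSSL excerpts and the function names `dns_sans` and `compare_sans` are constructed for illustration.

```python
import re

# Constructed excerpts in the layout of `openssl req -noout -text` (CSR) and
# `openssl x509 -noout -text` (certificate). Host names are placeholders.
CSR_TEXT = """
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:CUCM-PUB.EXAMPLE.COM, DNS:CUCM-SUB1.EXAMPLE.COM
"""
CERT_TEXT = """
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com, DNS:www.cucm-pub.example.com
"""


def dns_sans(openssl_text):
    """Return the DNS SAN entries from OpenSSL text output, case preserved."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)",
                  openssl_text)
    if not m:
        return set()  # no SAN extension present
    entries = (e.strip() for e in m.group(1).split(","))
    return {e[4:] for e in entries if e.startswith("DNS:")}


def compare_sans(csr_text, cert_text):
    """Classify SAN differences between a CSR and the issued certificate."""
    csr, cert = dns_sans(csr_text), dns_sans(cert_text)
    # DNS names are case-insensitive, so a lower-cased comparison shows
    # which mismatches are purely a matter of letter case.
    csr_l = {n.lower() for n in csr}
    cert_l = {n.lower() for n in cert}
    return {
        "exact_match": csr == cert,
        "case_only": sorted(n for n in csr
                            if n not in cert and n.lower() in cert_l),
        "missing_from_cert": sorted(n for n in csr if n.lower() not in cert_l),
        "added_by_ca": sorted(n for n in cert if n.lower() not in csr_l),
    }


if __name__ == "__main__":
    for key, value in compare_sans(CSR_TEXT, CERT_TEXT).items():
        print(f"{key}: {value}")
```

Names listed under `case_only` differ from the certificate only in letter case, while `added_by_ca` lists names present in the certificate but never requested in the CSR.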

2 thoughts to “CUCM 10.5.1: CSR SAN and Certificate SAN Mismatch”

  1. Alex,

    Introducing 10.5.2 into the DOD environment and am getting the “CSR SAN and Certificate San does not match” error. Did you get this function to work and what steps did you take to reach a solution?

    1. Hi Thomas,

      Can you verify if the hostnames for your environment are in upper or lower case? You may change the hostname via CLI using the “set network hostname” command as per the instructions in CSCur46416.

      Confirm that the SANs in the CSR match the SANs in the certificate by comparing the two (you can decode your CSR here: https://www.sslshopper.com/csr-decoder.html and the cert here: https://www.sslshopper.com/certificate-decoder.html).

      Let me know how it goes.
