Click on Pictures to View

To view a larger version of an image within a post, just click on the picture you want to view :)

Tuesday, January 24, 2017

Cisco Jabber 11.5 Certificate Error

Cisco Jabber was presenting a certificate error, without option to accept the certificate. 


Certificate in question was self-signed.

I compared this to a working machine’s certificates.

In command prompt on affected machine, while logged in as the troubled user, typed mmc, then went to File -> Add/Remove Snap-ins -> selected Certificates to add to snap in list and opted to view for “My User Account”.
No certificates for the required servers for Jabber were found under Enterprise Trusts nor the Trusted Root Certification Authorities.

Based on various threads and Cisco documentation, attempted solutions were:
1)exported registry key from a working machine at:
HKCU\Software\Microsoft\SystemCertificates\trust\Certificates
And imported into the problem machine’s registry.  This added the certificates to the Enterprise Trust certs, but did not resolve the issue.

2)disable FIPS in registry by setting “Enabled” value to 0 at:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
Confirmed in local policy editor (gpedit.msc in command prompt) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options that “System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing” was set to DISABLED.
This still did not resolve.

3)Supposedly if you use Cisco AnyConnect for VPN, if the .xml file has FIPS set to TRUE, it will override the Windows setting, so that must be set to false.  On Windows 7, went to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml, edited “FipsMode” to false and saved the document.  Still did not resolve.

RESOLUTION:

This can be done by downloading the certs from the appropriate Cisco administration console, but I just exported the certs from a working machine.
In the Certificate Store on a working machine, I right clicked the cert, went to All Tasks, and selected “Export…”
Exported as DER, gave it a file name and save location, and finished the wizard.  Then, copied the exported cert to the problem machine under C:\temp.  On the problem machine, in command prompt, cd’d to C:\temp, then typed the following command for each certificate required, tabbing out the various cert names in place of CERTNAME for ease:

certutil –addstore –user –f Root “.\CERTNAME.cer”


This command must be done as the logged in end user so that it is store in the “current user” trusted root certificates.  There might be a way around needing to be logged in as the end user but I didn’t bother looking any further.


SOURCES:

"Jabber Invalid Certificate" - 

"How To: View Certificates with the MMC Snap-In" -
https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx

"Certificate Error - No accept button" - 

"Jabber Complete How-To Guide for Certificate Validation" -
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

"Issue with Cisco Jabber certs in Enterprise Trust store and GPO" -