Cisco Jabber was presenting a certificate error, with no option to accept the certificate. The certificate in question was self-signed. I compared this to a working machine's certificates.
In a command prompt on the affected machine, while logged in as the troubled user, I typed mmc, then went to File -> Add/Remove Snap-ins, selected Certificates to add to the snap-in list, and opted to view for "My user account" (the snap-in then shows that user's own stores, which is what Jabber consults when it runs as that user).
No certificates for the servers Jabber requires were found under either Enterprise Trust or Trusted Root Certification Authorities.
Based on various threads and Cisco documentation, the attempted solutions were:
1) Exported the registry key from a working machine at:
HKCU\Software\Microsoft\SystemCertificates\trust\Certificates
and imported it into the problem machine's registry. This added the certificates to the Enterprise Trust store, but did not resolve the issue (Enterprise Trust holds certificate trust lists and is not a root store, so a self-signed certificate placed there still does not become a trust anchor).
2) Disabled FIPS in the registry by setting the "Enabled" value to 0 at:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
Confirmed in the Local Group Policy Editor (gpedit.msc from a command prompt) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options that "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" was set to Disabled.
This still did not resolve the issue.
3) Supposedly, if you use Cisco AnyConnect for VPN and its local policy .xml file has FIPS set to true, that overrides the Windows setting, so it must be set to false. On Windows 7, I went to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml, edited "FipsMode" to false, and saved the file. Still did not resolve the issue.
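To check both places FIPS mode can be forced in one go, here is an added PowerShell script (my own, not from the original post or from Cisco). It reads the Windows policy value from the registry path above and the FipsMode element from the AnyConnect local policy file at the path above; both locations and the element name are taken from the post as described for Windows 7.

```powershell
# Added example, not from the original post: report where FIPS mode is forced on this client.
# The registry path and AnyConnect policy file path are the ones the post names; the element
# name FipsMode is taken from the post as well.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$anyConnectPolicy = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml'

function Get-WindowsFipsState {
    # Enabled = 1 is what "System cryptography: Use FIPS compliant algorithms..." sets.
    $item = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.Enabled -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-AnyConnectFipsState {
    if (-not (Test-Path -Path $anyConnectPolicy)) { return 'NoPolicyFile' }
    [xml]$policy = Get-Content -Path $anyConnectPolicy -Raw
    # Match on local name so the namespace on the root element does not matter.
    $node = $policy.SelectSingleNode("//*[local-name()='FipsMode']")
    if ($null -eq $node) { return 'NotSet' }
    return $node.InnerText.Trim()
}

$report = [pscustomobject]@{
    WindowsFipsPolicy  = Get-WindowsFipsState
    AnyConnectFipsMode = Get-AnyConnectFipsState
}
$report | Format-List

# Per the post, AnyConnect's FipsMode=true overrides a disabled Windows policy,
# so flag that combination explicitly.
if ($report.AnyConnectFipsMode -eq 'true' -and $report.WindowsFipsPolicy -ne 'Enabled') {
    Write-Warning 'AnyConnectLocalPolicy.xml forces FIPS mode even though the Windows policy is not enabled.'
}
```

Run it in an elevated session if the registry key is read-protected on your build; reading the AnyConnect XML needs no elevation.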
RESOLUTION:
The certificates can be downloaded from the appropriate Cisco administration console, but I just exported them from a working machine.
In the certificate store on a working machine, I right-clicked the cert, went to All Tasks, and selected "Export...". Exported as DER, gave it a file name and save location, and finished the wizard. Then copied the exported cert to the problem machine under C:\temp. On the problem machine, in a command prompt, cd'd to C:\temp, then typed the following command for each certificate required, tabbing out the various cert names in place of CERTNAME for ease:
certutil -addstore -user -f Root ".\CERTNAME.cer"
(Note the plain ASCII hyphens; certutil does not accept the en-dashes that word processors and some web pages substitute for them.)
This command must be run as the logged-in end user so that the certificate is stored in the "current user" Trusted Root Certification Authorities store. There might be a way around needing to be logged in as the end user, but I didn't bother looking any further.
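Here is an added PowerShell version of the resolution (my own, not from the original post or from Cisco) that does the one thing the certutil one-liner does not: it refuses to install a certificate as a trusted root unless its thumbprint matches one recorded from the working machine. The C:\temp folder is the post's; the thumbprint list is a constructed placeholder to be filled in from the working machine's certificate details.

```powershell
# Added example, not from the original post: import exported DER certificates into the
# current user's Trusted Root store only after their SHA-1 thumbprints match a list taken
# from the working machine. The folder matches the post; the thumbprints are placeholders.

$certFolder = 'C:\temp'

# Constructed list of expected thumbprints, assumed to be read off the working machine
# (certificate -> Details -> Thumbprint). Replace with the real values before running.
$expectedThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

function Get-CertificateFromFile {
    param([string]$Path)
    # Loads a DER (.cer) file as exported by the MMC wizard.
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

function Test-TrustedRoot {
    param([string]$Thumbprint)
    # The Cert: drive exposes the per-user Trusted Root store as Cert:\CurrentUser\Root.
    return [bool](Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

function Import-JabberCert {
    param([string]$Path)
    $cert  = Get-CertificateFromFile -Path $Path
    $thumb = $cert.Thumbprint.ToUpperInvariant()

    if ($expectedThumbprints -notcontains $thumb) {
        Write-Warning "$Path thumbprint $thumb is not on the expected list; refusing to trust it as a root"
        return $false
    }
    if (Test-TrustedRoot -Thumbprint $thumb) {
        Write-Host "$($cert.Subject) is already in CurrentUser\Root"
        return $true
    }

    # Same operation as the post's "certutil -addstore -user -f Root", done through the API.
    # Must run as the user whose Jabber is broken; CurrentUser stores are per profile.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return (Test-TrustedRoot -Thumbprint $thumb)
}

Get-ChildItem -Path $certFolder -Filter *.cer | ForEach-Object { Import-JabberCert -Path $_.FullName }
```

Run it in a PowerShell session of the affected user, since Cert:\CurrentUser\Root is per profile. Windows still raises its own confirmation dialog when a root certificate is added to a user store; the thumbprint it displays should match the entry in the list. The reason for the check: a self-signed server certificate placed in Trusted Root becomes a trust anchor for everything this user does, not just Jabber, so take the copy from the Cisco administration console or verify it against the server rather than trusting whatever file happens to be in C:\temp.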
SOURCES:
"Jabber Invalid Certificate" -
"How To: View Certificates with the MMC Snap-In" -
https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx
"Certificate Error - No accept button" -
https://supportforums.cisco.com/discussion/12625596/certificate-error-no-accept-button
"Cisco Jabber for Windows Certificate Error" -
"Jabber Complete How-To Guide for Certificate Validation" -
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
"Issue with Cisco Jabber certs in Enterprise Trust store and GPO" -
https://social.technet.microsoft.com/Forums/windows/en-US/9e11b165-3250-4eb0-a0ff-4149eccbf979/issue-with-cisco-jabber-certs-in-enterprise-trust-store-and-gpo?forum=winserversecurity
"importing a root CA certificate using certutil?" -