CUCM and IMP IP address to FQDN

balukr
Level 2

We have a customer currently running CUCM 10.5.1 and IMP 10.5.1. Since Jabber has certificate issues, instead of doing temporary fixes we would like to do a permanent fix by changing the IP address to FQDN under SYSTEM - SERVER in CUCM. I did find Cisco docs on changing the IP or hostname, but in this case we are not changing anything other than replacing the IP with the FQDN under SYSTEM - SERVER in CUCM GUI administration. I just want to be cautious before I do anything since the servers are already in production. I would appreciate it if there is a Cisco doc; kindly forward that. If not,

my questions are:

 

- Can I just change the IP to FQDN names one at a time, starting from the Publisher and including the IMP primary node?

- Do I need to restart any server or services on any of the servers?

- Do I need to regenerate certs since they are using a 3rd-party CA? If I do, on which servers and for which services do I need to do that?

 

Thanks again for your help.

Jaime Valencia
Cisco Employee

- Can I just change the IP to FQDN names one at a time, starting from the Publisher and including the IMP primary node?

Yes, the doc you found on changing the IP/hostname applies to this. Do one at a time and give it some time for the certificates to be re-created and Security By Default to be updated on the phones.

- Do I need to restart any server or services on any of the servers?

Yes. You'll get a warning of what needs to be restarted before the change is made, and it'll ask twice if you're sure of the change.

- Do I need to regenerate certs since they are using a 3rd-party CA? If I do, on which servers and for which services do I need to do that?

Certs will be re-generated automatically along with the change to hostname. If they were signed by a 3rd-party CA, you'll need to have them signed again with the FQDN. The Jabber for Windows deployment/configuration guide covers which certificates are used from each server.

HTH

java

if this helps, please rate

Jaime,

I'm not changing the hostname; I'll be updating/replacing the IP address with the FQDN under System > Server in CUCM for both the CUCM and IMP servers. I have seen those warnings when I have changed the hostnames from the CLI, but this I'll be doing from the GUI interface in "System > Server". Do I get the same warnings, and will network services be restarted automatically when I do this from the GUI as well?

Just to update: since there was no change in IP or hostname, all we had to do was update all servers to FQDN from the CUCM GUI, and within minutes replication was fine, with no need to restart any services or servers. Though it was not necessary on the IMP servers, as a precaution I stopped some services before I replaced the IP with the FQDN.

Thanks.

Do desk phones now list CM servers and TFTP servers as FQDN or IP address? Have you restarted any phones or installed new phones since the change? I had a ticket open for the same issue; what would be the impact of the change?

Yes, all shows the full name of the servers.

If everything is configured correctly in the DNS servers and UC servers, and all IPs are changed to FQDN everywhere in the config, we should be good, in fact better, after this change.

Though it is not required, I did restart all the servers just to make sure all the replication is good and there are no surprises later.

I'm about to do the same changes, but only for the CUCM servers, as my IM&P servers are already defined in System > Server by their FQDNs.

Thanks for sharing your experience in doing this change. So to summarize what you did for the CUCM servers only (so I will end up having the same success as yours :-)), you just changed the CUCM servers' definition under System > Server from IP address to FQDN one at a time. You did not restart any CUCM service(s) nor restart any of the CUCM servers. Am I getting it all right?

What I plan on doing is the IP to FQDN change per server and, when done, restart the CUCM servers one at a time. I will also restart the IM&P server to make sure that all systems are in sync with the change.

Yes, that procedure is correct. Just to be safe, read the doc I referred to about the IP address to hostname change for your version of CUCM so you are not missing anything. Please also make sure DNS is configured for the phones' DHCP pool as well, otherwise phones won't register to CUCM after reboot! Good luck.

Update... I did just this -- changed the CUCM servers from IP address to FQDN, restarted the CUCM servers in the cluster one at a time AND restarted the IM&P servers in the subcluster one at a time -- BUT I'm still getting the certificate prompts (for the CUCM servers) when logging in to Jabber... How could this be?

Please make sure that you make the other necessary changes on CUCM as well. For example, Jabber will also read the CUCM entry from the service profile (CTI Manager profile), the CCMCIP profile, etc. Define CUCM as FQDN on the service profile as well.

Hi Varundeep,

Thanks for the inputs, but I already have the FQDN of the CUCM servers set on the CTI UC Service for my Service Profile, and I'm still getting certificate prompts when logging in to Jabber.

Hello Larry,

Follow this document/link:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

In case you still face the issue, try checking whether you have CUCM defined as FQDN in the jabber-config.xml file for any parameter. Also, what is the version of your CUCM?

Hi Jaime, thanks for the feedback. Please correct me if I'm wrong, but my understanding is that if the certificates were signed by an internal CA, say Microsoft, that is trusted by all the machines in your domain, then there's no need for the certificates to be stored in the machines' Enterprise Trust store. My environment is like that: the certificates were signed by our internal CA (Microsoft), which is trusted by all the machines in our domain because the CA is in the machines' Trusted Root CA store.

Hi Varundeep, thanks for providing that link. I came across that one just before I implemented the change. My environment is following Method 3, by the way, which is Cisco's recommended way. The certificates were signed by our internal CA, as I've mentioned above, which is trusted by all of the machines in my domain.

Hello,

In case you have an INTERNAL ROOT CA signing your server certificates, I would request that you manually deploy the ROOT CA in the trust store for 1 PC and then check. I know that if the ROOT CA is Microsoft then you don't need to add it to the trust store, but let's try and check whether this resolves your issue or not.

One more thing, just for your info, as this may be related to your case.

If you have deployed a certificate chain, i.e. the ROOT CA has signed an Intermediate CA and this Intermediate CA has in turn signed your server certificates, make sure that the Intermediate CA is in your trust store as well.

Another thing to notice: please check for what name your servers have been signed, i.e. are they signed for the hostname, the FQDN or the IP address. This is also important because if your CA or Intermediate CA has signed certificates for the hostname but your servers are defined by FQDN, then you will also receive the cert pop-up.

I hope this helps.
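A way to check both points from this reply from a workstation: whether the chain validates against the enterprise root plus intermediate, and which of the names the cluster is defined under (short hostname, FQDN, IP) the certificate's SAN actually covers. This is an added example, not code from the thread or from Cisco. The host names, the IP 10.10.1.21, the Tomcat port 8443 and the file name enterprise-ca-chain.pem are assumptions, and the certificate dicts are constructed samples in the shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Diagnose a Jabber certificate prompt: chain vs. SAN name coverage.

Added example (not from the thread). Names, IP, port and CA file are assumed.
"""
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName matching: case-insensitive, a single '*' is
    accepted only as the whole left-most label, and it never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leading wildcards are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert, name):
    """True if the cert's subjectAltName covers `name`.

    `name` is whatever the node is defined as under System > Server (short
    hostname, FQDN or IP literal); `cert` is the dict getpeercert() returns.
    Only the SAN is consulted, as modern clients do; the subject CN is ignored.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN, never a dNSName entry.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_matches(value, name)
               for kind, value in sans)


def name_report(cert, names):
    """Map each configured name to whether the certificate covers it."""
    return {n: cert_covers(cert, n) for n in names}


def fetch_cert(host, port=8443, cafile="enterprise-ca-chain.pem"):
    """Diagnosis only: validate the chain against our own CA bundle (root and
    intermediate PEMs concatenated, assumed file name) but skip hostname
    checking so the cert still comes back when the name is what is wrong.
    If this raises SSLCertVerificationError, the problem is the chain, not
    the SAN. Port 8443 is assumed to be the node's HTTPS admin port."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we check names ourselves, above
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: SAN carrying the short hostname,
# the FQDN and the IP, as described later in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "cucm-pub.example.com"),),),
    "subjectAltName": (
        ("DNS", "cucm-pub"),
        ("DNS", "cucm-pub.example.com"),
        ("IP Address", "10.10.1.21"),
    ),
}

# Constructed cert signed for the short hostname only: the mismatch case this
# reply warns about once the node is defined by FQDN.
HOSTNAME_ONLY_CERT = {
    "subject": ((("commonName", "cucm-pub"),),),
    "subjectAltName": (("DNS", "cucm-pub"),),
}

# Assumed names the node might be referenced by (System > Server, service
# profile, jabber-config.xml).
CLUSTER_NAMES = ["cucm-pub", "cucm-pub.example.com", "10.10.1.21"]

if __name__ == "__main__":
    for label, cert in (("full SAN", SAMPLE_CERT),
                        ("hostname only", HOSTNAME_ONLY_CERT)):
        print(label, name_report(cert, CLUSTER_NAMES))
    # Live check against a real node (needs network and the CA bundle):
    # print(name_report(fetch_cert("cucm-pub.example.com"), CLUSTER_NAMES))
```

Run it as-is to see the two constructed cases; for a live node, uncomment the last line. A chain failure surfaces as an exception from `fetch_cert`, while a name problem shows up as `False` entries in the report, which separates the "intermediate CA missing from the trust store" case from the "signed for the hostname but defined by FQDN" case.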

Hi Varundeep,

Are you suggesting that I redeploy the root CA to one machine despite it already existing in its trust store?

Yes, the certs were signed by an intermediate CA, AND both the root CA and the intermediate CA are in all PCs' trust store.

The SANs on the certificates are (1) the hostname of the servers, (2) the FQDN of the servers and (3) the IP address of the servers.

Thanks.