How do I not have Users Prompted to accept Certificates?

I am in the process of deploying the Cisco Jabber client to my company.  When a user launches Cisco Jabber the first time time, they are prompted with the "Verify Certificate - Certificate not valid" screen three times and need to click on the Accept button to continue and get to the Jabber client.  This occurs for the first time the Jabber client is launched on our corporate LAN and then when it is launched for the first time outside of the LAN.

What is best practice or recommended so my users are not prompted with the Verify Certificate screen?

Any assistance would be very helpful!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I am referencing this article here.

What type of CA (certificate authority) are you using?  Public or Private?

Methods of certification validation:

Method 1: Users simply click Accept to all certificate popups. This might be the most ideal solution for smaller environments. If you click Accept, certificates are placed into the Enterprise Trust store on the device. After certificates are placed in the Enterprise Trust store, users are no longer prompted when they log into the Jabber Client on that local device.

Method 2: The required certificates are downloaded from the individual servers (by default, these are self-signed certificates) and installed into the Enterprise Trust store of the user device. This might be the ideal solution if your environment does not have access to a Private or Public CA for certificate signing.

Method 3: A Public or Private CA signs all of the required certificates. This is the Cisco recommended method. This method requires that a Certificate Signing Request (CSR) is generated for each of the certificates, is signed, re-uploaded to the server, and then imported to the Trusted Root Certificate Authorities Store on user devices. See the Generate a CSR and the How do I get certificates to user devices certificate stores? sections of this document for more information.

Note: In the case of a Public CA, the root certificate should already be in the client trust store.

Verify if a Certificate is Self-Signed or CA-Signed

Note: This example is for CUCM Version 8.x. The process might vary between servers.

    Navigate to Cisco Unified OS Administration.
    Choose Security > Certificate Management.
    Find and click the Tomcat-Trust Certificate .pem file.
    Click Download, and Save.
    Navigate to the file, and rename it with the .cer extension.
    Open and view this file (MS Windows users).
    Verify the Issued by field. If it matches the Issued to field, then the certificate is Self-Signed (see the Example).

Generate a CSR

Note: This example is for CUCM Version 8.x. The process might vary between servers.

    Navigate to Cisco Unified OS Administration.
    Choose Security > Certificate Management.
    Click Generate CSR, and choose Tomcat from the drop-down list.
    Click Generate CSR, and click Close.
    Click Download CSR, and choose Tomcat from the drop-down list.
    Click Download CSR, and save the file.
    Send the .csr file to be signed by your Private CA Server or a Public CA.

    Note: Once you have this CSR file, the process varies based on your environment.
    Click Upload Certificate/Certificate Chain under Security > Certificate Management In order to re-upload the new signed certificates that were issued to your server.

How do I import certificates into user device certificate stores?

Every server certificate should have an associated root certificate present in the trust store on the user device. Cisco Jabber validates the certificates that servers present against the root certificates in the trust store.

Import root certificates into the MS Windows certificate store if:

    The certificates are signed by a CA that does not already exist in the trust store, such as a private CA. If so, you must import the private CA certificate to the Trusted Root Certification Authorities store.

    The certificates are self-signed. If so, you must import self-signed certificates to the Enterprise Trust store.

You can use any appropriate method in order to import certificates into the MS Windows certificate store, such as:

    Use the Certificate Import Wizard in order to import certificates individually.

    Deploy certificates to users with the CertMgr.exe command line tool on MS Windows Server. (This option requires you to use the Certificate Manager tool, CertMgr.exe, not the Certificates MS Management Console, CertMgr.msc.)

    Deploy certificates to users with a Group Policy Object (GPO) on MS Windows Server.

Note: For detailed instructions on how to import certificates, refer to the appropriate MS documentation.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.