Showing results for 
Search instead for 
Did you mean: 

Jabber error An invalid Certificate {cucm-pub} when connecting to IM&P


So we had our call manager pub die due to hardware failure.  Long story short rebuilt from a backup and that's all fixed BUT a bunch of our remote office people can't connect via Jabber for calling any more.  they are getting This error:

An invalid Certificate {cucm-pub} when connecting to {im&P-Pub} has been rejected.  Cert Fingerprint: e3 e4 ....

Now looking at things the Cert for tomcat is current and correct on the cucm side, same also for IM&P side (Both issued from Godaddy), I can't find the fingerprint listed.  This is one of several issues I'm chasing (only this one is phones) so sort of skater brained trying to track this down and looking for somebody to point clearly for me as both sides have Valid godaddy issued certs.

I'm assuming I need to manually export a specific cert from box A and import into Box B possibly as yyy and it will suddenly become happy and this issue goes away but I'm lost trying to locate it.

Can somebody identify the exact cert from what box I need to grab and then import into what other box?  I'm not sure if I should be going Cucm to IM&P or IM&P to Cucm and if it's the tomcat one or the tomcat-trust, etc...

Our certs are GoDaddy and not self-signed so we know what side of that mess I'm on.

Thank you in advance.

2 Replies 2

Jaime Valencia
Hall of Fame Cisco Employee Hall of Fame Cisco Employee
Hall of Fame Cisco Employee

There is no way to import/apply a new certificate into CUCM or IM&P without you creating a CSR and having it signed, the private key never leaves the box, so you can only import the signed certificate to match the private that was generated along with the CSR.

You can only import certificates to the -trust stores, but that's not the one Jabber is going to use.

The Jabber documentation explains what certificates are used by each server during Jabber login, that will give you an idea of what certificates are involved and start looking at them one by one, and once you find which one is the trouble one, you'll need to go over the CSR signing process again.

Most likely your backup was from before you applied the new certificates and uses an older certificate which was restored.



if this helps, please rate

VIP Advisor VIP Advisor
VIP Advisor

Jabber will look for these certs:
CUCM tomcat (and callmanager if using encryption)
IMP tomcat and cup-xmpp
CUC tomcat

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers