Buy or Renew
Buy or Renew
WebexOne 2023 | October 24-26 in Anaheim, CA Technical training and labs. Save 50% with code: WX1TRAIN50
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
0
Helpful
2
Replies

Jabber error An invalid Certificate {cucm-pub} when connecting to IM&P

fred.skrotzki
Beginner
Beginner

‎01-12-2023 11:42 AM

So we had our call manager pub die due to hardware failure.  Long story short rebuilt from a backup and that's all fixed BUT a bunch of our remote office people can't connect via Jabber for calling any more.  they are getting This error:

An invalid Certificate {cucm-pub} when connecting to {im&P-Pub} has been rejected.  Cert Fingerprint: e3 e4 ....

Now looking at things the Cert for tomcat is current and correct on the cucm side, same also for IM&P side (Both issued from Godaddy), I can't find the fingerprint listed.  This is one of several issues I'm chasing (only this one is phones) so sort of skater brained trying to track this down and looking for somebody to point clearly for me as both sides have Valid godaddy issued certs.

I'm assuming I need to manually export a specific cert from box A and import into Box B possibly as yyy and it will suddenly become happy and this issue goes away but I'm lost trying to locate it.

Can somebody identify the exact cert from what box I need to grab and then import into what other box?  I'm not sure if I should be going Cucm to IM&P or IM&P to Cucm and if it's the tomcat one or the tomcat-trust, etc...

Our certs are GoDaddy and not self-signed so we know what side of that mess I'm on.

Thank you in advance.

Labels:
0 Helpful
2 Replies 2

Jaime Valencia
Hall of Fame Cisco Employee Hall of Fame Cisco Employee
Hall of Fame Cisco Employee

‎01-12-2023 02:19 PM

There is no way to import/apply a new certificate into CUCM or IM&P without you creating a CSR and having it signed, the private key never leaves the box, so you can only import the signed certificate to match the private that was generated along with the CSR.

You can only import certificates to the -trust stores, but that's not the one Jabber is going to use.

The Jabber documentation explains what certificates are used by each server during Jabber login, that will give you an idea of what certificates are involved and start looking at them one by one, and once you find which one is the trouble one, you'll need to go over the CSR signing process again.

Most likely your backup was from before you applied the new certificates and uses an older certificate which was restored.

HTH

java

if this helps, please rate
0 Helpful

b.winter
VIP Advisor VIP Advisor
VIP Advisor

‎01-12-2023 11:16 PM

Jabber will look for these certs:
CUCM tomcat (and callmanager if using encryption)
IMP tomcat and cup-xmpp
CUC tomcat

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents