
Updating Tomcat Certificates on CUCM 9.1


We recently updated our certificates on CUCM 9.1.  I ended up having to install new certificates twice.  Both times, I updated the certificates without any downtime.  I would add that we are using non-secure profiles for our phones.

I ran into a problem that I think other people might be having so I thought I would share the solution.

 

After installing the certificates and restarting the Cisco Tomcat service, we had to:

  • Restart the RIS service on the Call Manager
  • Repair the database replication on all CUCMs

The process of installing certificates is fairly simple:

  1. Log in to CUCM OS Administration
  2. Click on Security, Certificate Management
  3. Click on Generate CSR
  4. Tomcat should be selected by default, click on generate
  5. Next, download the CSR.
  6. Submit the CSR to a Certificate Authority and get your certificate
  7. In CUCM OS Administration, certificate management, click on upload certificate
  8. First upload the Root or Intermediate CA certificate as a tomcat-trust certificate
  9. Then upload the certificate for the CUCM.
  10. From the CUCM CLI, restart the Cisco Tomcat services (utils service restart Cisco Tomcat)

Keep in mind that in my installation, I am using non-secure profiles and I did not research how this would affect secure profile installations (CAPF and Device Security Profile on phones).

 

Thanks,

Alex LP
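
A pre-upload check for steps 6 to 9 of the post above, added here as an example; it is not part of the original post and not Cisco tooling. It runs on an admin workstation with `openssl`, and assumes the CA file holds the root plus any intermediates in PEM form; the function name and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a CA-issued Tomcat certificate before uploading it.
# Nothing here talks to CUCM; it only inspects local PEM files.

# pubkey_of KIND FILE -> PEM public key of a CSR (KIND=req) or certificate (KIND=x509)
pubkey_of() {
  openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# check_tomcat_cert CA_PEM CERT_PEM CSR_PEM
#   returns 0 = safe to upload
#           1 = certificate does not validate against the CA file
#           2 = certificate was not issued for this CSR (wrong key pair)
check_tomcat_cert() {
  local ca="$1" cert="$2" csr="$3" cert_key csr_key

  # The CA file is what would be uploaded as tomcat-trust (step 8).
  # The issued certificate (step 9) must chain to it and be within its validity dates.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not validate against $ca"
    return 1
  fi

  # The private key stays on the server that generated the CSR (step 3), so the
  # certificate is only usable if it carries the same public key as that CSR.
  cert_key=$(pubkey_of x509 "$cert")
  csr_key=$(pubkey_of req "$csr")
  if [ -z "$csr_key" ] || [ "$cert_key" != "$csr_key" ]; then
    echo "FAIL: public key in $cert does not match $csr"
    return 2
  fi

  echo "OK: chain and key match"
  openssl x509 -in "$cert" -noout -subject -issuer -enddate
  return 0
}

# Usage: ./check.sh ca-chain.pem tomcat.pem tomcat.csr   (placeholder file names)
if [ "$#" -eq 3 ]; then
  check_tomcat_cert "$@"
fi
```
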

2 Comments
Beginner

Hi Alex,

 

I followed the above steps but I am still getting an error "CA certificate is not available in the trust-store."

Can you please help?

 

Thank you

Beginner

Thanks for sharing the info. It has been very useful for me to resolve a problem I had after uploading non-self-signed Tomcat certificates to our CUCM 12.5 cluster. Until I restarted the RIS service the Publisher didn't get information about the status of the phones registered on the subscriber. It's amazing that Cisco still doesn't tell us to restart the RIS service in the same place they tell us to restart the Tomcat when uploading new certificates...

 

Thank you
