Firstly, I would like to say that I am not very familiar with CUCM and its various inter-dependent components, as I am more or less a novice with the Cisco Voice setup. The issue is that I need to install certain certificates by logging into UCCX >>> Cisco Unified OS Administration >>> Security >>> Certificate Management >>> Upload chain / certificate... (These 3 certificates are about to expire in August 2020.) I was parsing through Cisco documentation and got even more confused, as some docs say the below:
1> The existing certificates that will expire soon should be deleted before installing the new certificate?
2> The new certificate will overwrite the existing certificate, so there is no need to delete the existing ones?
3> The certificates that will soon expire are "certificate-name - tomcat-trust- type-trustcerts" for both publisher and subscriber nodes and "certificate-name - tomcat-type-certs" (please see attached Word doc). Now I have received the relevant certificates to be uploaded, of which one certificate resembles the existing certificate in name format but the file type is ".crt", and the other two have different names altogether, i.e. "DigiCertCA.crt" and "TrustedRoot.crt". Not very sure if these are the correct replacements...
4> Is a tomcat service restart or any other service restart required after installing these certificates?
5> Also, do I need to install the same certificates on the subscriber node as well? Because one certificate has the name "chb-uccx-01", which is the publisher, but no replacement certificate was received with the name "esg-uccx-01", which is the subscriber. So should I just rename the same certificate if uploading to the subscriber?
6> Is there any sort of downtime required while installing these certificates?
7> Also, I observed that if I log in to "CUCM ADMIN" >>> Cisco Unified OS Administration >>> Certificate Management >>> Find certificates, then I see there is a different set of certificates here, like callmanager, callmanager trust, capf, even tomcat-trust, etc. Not sure what these are and what those under UCCX are??
Please guide... Thanks in advance.
Adding to what @Mike_Brezicky said, to make it easier to understand:
E.g. let's take the tomcat service as an example. My CA has given me 2 certificates: one is its own ROOT CA certificate and the other is the CA-signed tomcat certificate. So I will need to install them on UCCX in the tomcat repository. tomcat has the 2 repositories below:
1. tomcat store
2. tomcat-trust store.
ROOT CA is the CA's certificate which was used to sign the tomcat certificate, so it is mandatory to upload the ROOT CA certificate to the trust store.
The correct procedure to upload is:
1. Upload ROOT CA certificate in tomcat-trust store.
2. Upload CA signed tomcat certificate in tomcat store.
3. Restart the tomcat service. (The recommendation is to restart the UCCX server.)
Plan it before you upload:
1. First, list which certificates are expiring.
2. Verify that you have received all those certificates signed by the CA.
3. Double-click on the certificate and verify the expiry. Post upload you can verify.
4. Depending on the Certification Authority (CA) institution, a few CAs will also give you INTERMEDIATE CA certificates. Intermediate certificates are also used to sign your tomcat certificate, so you need to upload the chain of certificates:
INTERMEDIATE certificate in tomcat-trust store.
ROOT CA certificate in tomcat-trust store.
TOMCAT certificate in tomcat store.
You will have to follow the guidelines shared by Mike in his post. If the system is in production, though, you can reach out to Cisco TAC for support to avoid any downtime. An incorrect certificate upload may make the Finesse agent desktop URL inaccessible.
Another suggestion is to plan the activity in a maintenance window, for safety, with TAC for assistance.
Please rate helpful posts.
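A pre-upload check for the planning steps in the answer above, added here as an example and not part of the original posts or any Cisco tooling: it sorts the received files into root, intermediate and tomcat certificate by comparing issuer and subject names, says which store each goes to, and flags an expired file or an issuer that was not supplied. It assumes one PEM-encoded certificate per file; `parse_cert` and `upload_plan` are hypothetical helper names, and only names and dates are checked, not signatures.

```python
import base64, datetime, sys

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_cert(pem_text):
    """Raw issuer and subject names plus notAfter of one PEM certificate."""
    b64 = "".join(l.strip() for l in pem_text.splitlines() if "-----" not in l)
    der = base64.b64decode(b64)
    _, p, _ = _tlv(der, 0)                  # Certificate
    _, p, _ = _tlv(der, p)                  # tbsCertificate
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p           # skip the optional [0] version
    parts = []
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        parts.append(der[p:end])
        p = end
    issuer, validity, subject = parts[2:]
    _, start, _ = _tlv(validity, 0)
    _, _, end = _tlv(validity, start)       # step over notBefore
    tag, start, end = _tlv(validity, end)   # notAfter
    text = validity[start:end].decode()
    if tag == 0x17:                         # UTCTime: 2-digit year, RFC 5280 pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return {"issuer": issuer, "subject": subject,
            "not_after": datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")}

def upload_plan(certs, now):
    """certs maps filename -> PEM text; rows come back trust store first.
    Roles are structural: self-issued = root, issuer of another file = intermediate."""
    info = {name: parse_cert(pem) for name, pem in certs.items()}
    subjects = {c["subject"] for c in info.values()}
    signers = {c["issuer"] for c in info.values() if c["issuer"] != c["subject"]}
    rows = []
    for name, c in info.items():
        role = ("root" if c["issuer"] == c["subject"] else
                "intermediate" if c["subject"] in signers else "leaf")
        rows.append({"file": name, "role": role, "expired": c["not_after"] <= now,
                     "store": "tomcat" if role == "leaf" else "tomcat-trust",
                     "issuer_supplied": c["issuer"] in subjects})
    return sorted(rows, key=lambda r: ("root", "intermediate", "leaf").index(r["role"]))

if __name__ == "__main__":  # usage: python3 plan.py file1.crt file2.crt ...
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    print(*upload_plan({f: open(f).read() for f in sys.argv[1:]}, now), sep="\n")
```

A row with `issuer_supplied` false means the file that signed that certificate is not in the set, which is the missing-intermediate case described in the answer.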