

UCCX License install query

Hi All,


Firstly, I would like to say that I am not very familiar with CUCM and its various inter-dependent components, as I am more or less a novice with Cisco Voice setup. The issue is that I need to install certain certificates by logging into UCCX >>> Cisco Unified OS Administration >>> Security >>> Certificate Management >>> Upload chain / certificate... (These 3 certificates are about to expire in August 2020). I was parsing through Cisco documentation and got even more confused, as some docs say the below:


1> The existing certificates that will expire soon should be deleted before installing the new certificate?


2> The new certificate will overwrite the existing certificate, so there is no need to delete the existing ones?


3> The certificates that will soon expire are "certificate-name - tomcat-trust- type-trustcerts" for both publisher and subscriber nodes and "certificate-name - tomcat-type-certs" (please see attached Word doc). Now I have received the relevant certificates to be uploaded, of which one certificate resembles the existing certificate in name format but the file type is ".crt", and the other two have different names altogether, i.e. "DigiCertCA.crt" and "TrustedRoot.crt". Not very sure if these are the correct replacements...


4> Is a tomcat service restart or any other service restart required after installing these certificates?


5> Also, do I need to install the same certificates on the subscriber node as well? Because one certificate has the name "chb-uccx-01", which is the publisher, but there is no replacement certificate received with the same "esg-uccx-01", which is the subscriber. So should I just rename the same certificate if uploading to the subscriber?


6> Is there any sort of downtime required while installing these certificates?


7> Also, I observed that if I log in to "CUCM ADMIN" >>> Cisco Unified OS Administration >>> Certificate Management >>> Find certificates, then I see there is a different set of certificates here, like callmanager, callmanager trust, capf, even tomcat-trust etc. Not sure what these are and what those under UCCX are??


Please guide... Thanks in advance.

VIP Collaborator

Hello, if you are unfamiliar with Cisco UC and how it utilizes certificates, I would HIGHLY recommend you review the security documentation before you attempt anything. UCCX has a different / subset of certs than that of CUCM.

For the UCCX Tomcat certificate: is the certificate with the type "tomcat" the one to expire, and if so, is it self-signed or CA-signed? If it is self-signed, you can regenerate it during any maintenance window. If CA-signed, you must generate a CSR from the UCCX OS Admin to be used for generating the cert.
Once the new cert is generated, you can first upload the Root, Intermediate etc. chain from the CA as "tomcat-trust". Once that is done, you can then upload the new "tomcat" cert which will replace the old.
Finally, you can then remove the old CA root, Intermediate, etc. cert chain if applicable.

Once all certs are updated, you must restart the relevant services - in this case Cisco Tomcat.


Adding to what @Mike_Brezicky said,

to make it easier to understand:

E.g. let's take the tomcat service as an example. My CA has given me 2 certificates - one is its own ROOT CA certificate and another is the CA-signed tomcat certificate. So, I will need to install them on UCCX in the tomcat repository. tomcat will have the below 2 repositories:

1. tomcat store

2. tomcat-trust store.


ROOT CA is the CA's certificate which was used to sign the tomcat certificate, so it is mandatory to upload the ROOT CA certificate to the trust store.


Correct procedure to upload is;

1. Upload ROOT CA certificate in tomcat-trust store.

2. Upload CA signed tomcat certificate in tomcat store.

3. Restart tomcat service. (Recommendation is to restart the UCCX server.)


Plan it before you upload:

1. First list which certificates are getting expired.

2. Verify if you have received all those certificates signed from the CA.

3. Double click on the certificate and verify the expiry. Post upload you can verify.

4. Depending on the Certification Authority (CA), a few CAs will also give you INTERMEDIATE CA certificates. Intermediate certificates are also used to sign your tomcat certificate, so you need to upload the chain of certificates.

INTERMEDIATE certificate in tomcat-trust store

ROOT CA certificate in tomcat-trust store

TOMCAT certificate in tomcat store.


You will have to follow the guidelines shared by Mike in his post. Although if the system is in production, you can reach out to Cisco TAC for support to avoid any downtime. An incorrect certificate upload may make the Finesse agent desktop URL inaccessible.


Another suggestion is to plan the activity in a maintenance window, for safety, with TAC for assistance.



Ritesh Desai

Please rate helpful posts.
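
An added example, not part of any post in this thread: a pre-upload check, run with `openssl` on an admin workstation, that sorts each received file into the store the replies name (`tomcat-trust` for root and intermediate, `tomcat` for the signed certificate) and confirms the chain and expiry. The certificates, file names and the 7-day threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every certificate below is a constructed throwaway sample.

# Print "<role>:<store>" for one PEM certificate.
classify_cert() {
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo "root:tomcat-trust"          # self-issued
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo "intermediate:tomcat-trust"  # CA cert issued by another CA
    else
        echo "identity:tomcat"            # the server's own certificate
    fi
}

# Succeed only if the identity cert chains to the root through the
# intermediate and remains valid for at least min_days more days.
chain_ok() {  # args: root intermediate identity min_days
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 &&
    openssl x509 -in "$3" -noout -checkend $(( $4 * 86400 )) >/dev/null
}

# Build a constructed root -> intermediate -> identity chain (30 days).
make_sample_chain() {  # args: output_dir
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        'CN = Common Name' '[ca]' 'basicConstraints = critical,CA:TRUE' \
        > "$d/c.cnf"
    for n in root inter tomcat; do
        openssl req -new -config "$d/c.cnf" -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=constructed-$n.example" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/c.cnf" -extensions ca -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -days 30 \
        -extfile "$d/c.cnf" -extensions ca -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/tomcat.csr" -CA "$d/inter.crt" \
        -CAkey "$d/inter.key" -CAcreateserial -days 30 \
        -out "$d/tomcat.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample_chain "$tmp"
for f in root inter tomcat; do
    echo "$f.crt -> $(classify_cert "$tmp/$f.crt")"
done
chain_ok "$tmp/root.crt" "$tmp/inter.crt" "$tmp/tomcat.crt" 7 &&
    echo "chain verifies; identity cert valid for more than 7 days"
```

A self-signed tomcat certificate would classify as `root` here, so the sorting applies only to a CA-issued bundle.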
