04-05-2017 01:49 AM - edited 03-17-2019 10:00 AM
Hi all,
I'm going to sign the Cisco CallManager Tomcat CSR with OpenSSL on Linux tomorrow. Is it possible to sign with a Linux-based third-party CA?
I have set up the CA and signed the Tomcat CSR, then I uploaded the root CA to the Cisco CallManager trust store; all is fine up to now. Then I try to upload tomcat.pem (the signed Tomcat CSR), but I see the error java.security.cert.CertPathBuilderException: Could not build a validated path.
How can I troubleshoot this error?
regards
04-06-2017 03:21 AM
Hi Marco,
In the logs, I could see a difference in the Organisation field of the certs. (O=Hitachi & O=Hitachi_CA)
2017-04-06 11:38:36,069 DEBUG [main] - CertUtil: Enter parseCNfromDN: 1.2.840.113549.1.9.1=#160e61646d696e406d61696c2e636f6d,CN=Hitachi_CA,OU=CBT,O=Hitachi,L=Roma,ST=Italia,C=IT
2017-04-06 11:38:36,085 INFO [main] - Trust anchor certificate is ::1.2.840.113549.1.9.1=#160e61646d696e406d61696c2e636f6d,CN=Hitachi_CA,OU=CBT,O=Hitachi_CA,L=Roma,ST=Italia,C=IT
Then we see this error:
2017-04-06 11:38:36,085 INFO [main] - IN -- RSACryptoEngine.java - verifyChain(leafCertificate, certList, trustAnchor) -
2017-04-06 11:38:36,118 ERROR [main] - Could not build a validated path.
Not sure whether this is causing the issue, but I would say it's worth cross-checking this.
HTH
Rajan
Pls rate all useful posts
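The mismatch Rajan points at is exactly what a certificate path builder trips over: it links a leaf to a CA by matching the leaf's Issuer DN against a candidate anchor's Subject DN, attribute by attribute, so CN=Hitachi_CA on both sides is not enough when O differs. The following script is an added example, not code from the thread or from Cisco: it takes the two DNs quoted from the log lines above (assumed here to be the issuer DN parsed from the uploaded tomcat.pem and the subject DN of the selected trust anchor), decodes the `#16...` hex-encoded emailAddress value, and reports every attribute that differs. The comparison is exact string equality; real validators apply some normalisation (case and whitespace folding on PrintableString), but a difference such as `Hitachi` versus `Hitachi_CA` fails under any rule.

```python
# Added example (not from the thread): compare the issuer DN logged for the
# leaf certificate with the subject DN of the trust anchor CUCM selected.
# A path builder (Java CertPathBuilder, OpenSSL) links leaf -> issuer by
# matching Issuer DN to a CA's Subject DN; one differing attribute breaks it.
import binascii
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two DNs quoted from the CUCM log lines.
# Assumption: the first is the issuer DN of tomcat.pem, the second is the
# subject DN of the trust anchor the Java path builder picked from tomcat-trust.
LEAF_ISSUER_DN = ("1.2.840.113549.1.9.1=#160e61646d696e406d61696c2e636f6d,"
                  "CN=Hitachi_CA,OU=CBT,O=Hitachi,L=Roma,ST=Italia,C=IT")
TRUST_ANCHOR_DN = ("1.2.840.113549.1.9.1=#160e61646d696e406d61696c2e636f6d,"
                   "CN=Hitachi_CA,OU=CBT,O=Hitachi_CA,L=Roma,ST=Italia,C=IT")

# Dotted OIDs that Java prints instead of a short attribute name.
OID_NAMES = {"1.2.840.113549.1.9.1": "emailAddress"}


def decode_hex_value(value: str) -> str:
    """Decode an RFC 4514 '#<hex>' value, which is a DER TLV: tag, length, bytes."""
    raw = binascii.unhexlify(value[1:])
    tag, length = raw[0], raw[1]
    if tag not in (0x16, 0x13, 0x0C):  # IA5String, PrintableString, UTF8String
        raise ValueError(f"unsupported DER string tag 0x{tag:02x}")
    if length >= 0x80 or len(raw) != 2 + length:
        raise ValueError("only short-form DER lengths are handled here")
    return raw[2:].decode("utf-8" if tag == 0x0C else "ascii")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into ordered (attribute, value) pairs."""
    pairs = []
    # Split on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        attr = OID_NAMES.get(attr, attr)
        if value.startswith("#"):
            value = decode_hex_value(value)
        pairs.append((attr, value))
    return pairs


def _group(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group values per attribute so multi-valued attributes (several OU=) survive."""
    groups: Dict[str, List[str]] = {}
    for attr, value in pairs:
        groups.setdefault(attr, []).append(value)
    return groups


def dn_mismatches(issuer_dn: str, anchor_dn: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {attribute: (leaf issuer values, anchor subject values)} for each difference."""
    issuer = _group(parse_dn(issuer_dn))
    anchor = _group(parse_dn(anchor_dn))
    diffs = {}
    for attr in sorted(set(issuer) | set(anchor)):
        if issuer.get(attr, []) != anchor.get(attr, []):
            diffs[attr] = (issuer.get(attr, []), anchor.get(attr, []))
    return diffs


def chain_links(issuer_dn: str, anchor_dn: str) -> bool:
    """True only when every attribute matches, which is what the path builder needs."""
    return not dn_mismatches(issuer_dn, anchor_dn)


if __name__ == "__main__":
    for attr, (leaf, anchor) in dn_mismatches(LEAF_ISSUER_DN, TRUST_ANCHOR_DN).items():
        print(f"{attr}: leaf issuer={leaf}  trust anchor={anchor}")
    print("chain links:", chain_links(LEAF_ISSUER_DN, TRUST_ANCHOR_DN))
```

To feed it real certificates instead of log lines, the DNs can be printed with `openssl x509 -in tomcat.pem -noout -issuer -nameopt RFC2253` and `openssl x509 -in rootCA.pem -noout -subject -nameopt RFC2253`. Note that `openssl verify -CAfile` only checks the chain against the file you hand it, whereas the CUCM log shows which certificate in tomcat-trust the Java path builder actually selected as the anchor; that selected anchor is the one whose subject has to match the leaf's issuer.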
04-05-2017 03:16 AM
Hi Marco,
do you also have an intermediate certificate for this CA or only a direct root certificate ?
Thanks
Rajan
04-05-2017 03:20 AM
Only the direct root certificate; I'm in a test lab environment. Is there no way to see what happens at log level from the CLI or RTMT?
04-05-2017 03:51 AM
I uploaded the root CA as tomcat-trust with no trouble; I can see it in the trust store (column Type=self-signed). Then I try to upload the signed CSR as tomcat, with the issue reported.
04-05-2017 06:21 AM
Hi Marco,
Try getting the below logs from RTMT to check whether we could see anything.
Thanks
Rajan
04-06-2017 03:06 AM
04-06-2017 03:57 AM
Hi Rajan,
Finally I was able to load tomcat.pem as the server certificate in the Call Manager trust store. This is what I did:
- I deleted the old root CAs previously loaded (maybe they were the issue)
- I uploaded the root CA again, then restarted Cisco Tomcat from the CLI
- then I uploaded tomcat.pem, without issue :)
Thanks for your help
04-06-2017 04:10 AM
Glad it worked. Pls mark this thread as answered so that it will help others checking this.
Thanks
Rajan
04-06-2017 03:25 AM
Hi Rajan,
I'm going to check this.
Also, verifying the certificate chain in OpenSSL with the command:
openssl verify -CAfile "rootCA" "tomcat.pem"
returns the output "certs/tomcat.pem: OK"