01-28-2015 07:59 AM - edited 03-17-2019 01:45 AM
Hi folks, I'm running CUCM 8.6.2.25900-8 on a single cluster (1x pub, 4x sub). My CA certs for the tomcat service are due to expire shortly so I've generated CSRs for all the servers and submitted them to our provider. All but one of the requests went through with no issues but one failed because the CSR specified a country code of 'US'. We are in the UK and the four other servers all generated CSRs specifying C=GB.
Examining the current tomcat cert or issuing "show web-security" on the command-line of the server whose CSR failed also shows 'C=GB'.
Looking at the 'set web-security' command it appears that I cannot change the country code.
01-28-2015 10:16 AM
Probably someone messed up during install, or changed it at some point.
The documentation says otherwise, set web-security DOES have the ability to change the country
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cli_ref/8_6_1/cli_ref_861.html#pgfId-263672
01-28-2015 01:01 PM
Thanks Jaime, but the documentation is incorrect:
https://tools.cisco.com/bugsearch/bug/CSCue76945/?referring_site=bugqvinvisibleredir
Guess I'll be on the phone to TAC shortly :-(
01-28-2015 01:35 PM
Interesting, thanks for the info, wasn't aware of that bug.
Aside from trying to do something with root access, they might have you reinstall the server.
10.5(2) CLI shows the same syntax, not sure if they really fixed that, or if the error has made it that far.
01-28-2015 01:45 PM
Surprisingly, it has made it all the way to 10.5(x) with the same info and the same error...
I did find a method to change it via root access, and you might not require root access, but I can't tell for sure as I would need to look at exactly what the contents of the file that TAC changes are, but apparently it's just the platformConfig.xml that they need to change and reboot.
If that's the case, using the utils import config using pretty much all the same info, except the country, would end up with the same outcome.
Again, not 100% sure, but theory says that should do the trick. You can run that through TAC if you open the case and see what they think about it.
07-21-2016 05:03 AM
Hello Jaime,
Did you ever try the method you describe above (change via root access) in a lab?
Thanks,
G
07-21-2016 06:37 AM
No, I did not try the root access method.