
CUCM Certificate

kaso_baxtiar
Level 1

Dears,

I was looking in my CUCM certificates and I found that the tomcat.pem certificate is expired.

Validity From: Tue Apr 18 15:19:19 AST 2017
To: Sun Apr 17 15:19:18 AST 2022

and according to the documentation the

Service Impact by the Certificate Store

Tomcat.pem

  • Phones are not able to access HTTPs services hosted on the CUCM node, such as Corporate Directory.
  • CUCM's web GUI issues, such as unable to access service pages from other nodes in the cluster.
  • Extension Mobility or Extension Mobility Cross Cluster issues.
  • If UCCX (Unified Contact Center Express) is integrated, due to a security change from CCX 12.5 it is required to upload the CUCM Tomcat certificate (self-signed) or the Tomcat root & intermediate certificate (for CA-signed) to the UCCX tomcat-trust store, since it affects Finesse desktop logins.

The above problems should occur if the certificate expires, but as I noticed, the phones are working perfectly and the corporate directory works as it should.

Any explanation for this?

3 Replies

b.winter
VIP

Probably because the phones use http and not https.
You wrote it yourself: Phones are not able to access HTTPs services hosted on the CUCM node, such as Corporate Directory

VIVIEN MAHONEY
Level 4

A few additional things that can go wrong with expired certificates. These may not apply to your setup, as it's taken so long to detect the issue.

- Your browser will complain at you every time you connect to the admin screen.
- Jabber and Webex phone users will get certificate error messages.
- Expressway integration for MRA can break.
- LDAP integration may break if you use the encrypted port.

If you are using encryption anywhere in your telephony environment, you should go ahead and replace the certs - as a best practice before they expire, but as they are already expired you should still replace them now that you've discovered it.

You should always make sure that your certificates are valid. Please follow this document for how to renew them. Cisco UC Certificates Renewal Guide 

Also set up the certificate monitor in your system so that you’ll get notifications on soon to expire certificate(s).



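An expiry check over validity lines in the form pasted in the question, as an added example that is not part of any post in this thread and is not Cisco's certificate monitor. The function names, the 30-day warning window and the handling of the zone abbreviation are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches "From: Tue Apr 18 15:19:19 AST 2017" / "To: ..." as pasted in the post.
VALIDITY_RE = re.compile(
    r"\b(From|To):\s*[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+"
    r"(\d{2}:\d{2}:\d{2})\s+([A-Za-z]{2,5})\s+(\d{4})"
)

# Zone abbreviations such as "AST" are ambiguous (several zones share them), so
# timestamps stay naive and the validity window is narrowed on both ends by the
# widest UTC offset: a certificate is never reported valid after it has lapsed.
TZ_SLACK = timedelta(hours=14)


def parse_validity(text):
    """Extract the naive notBefore/notAfter datetimes and the zone label."""
    found = {}
    for label, mon, day, clock, zone, year in VALIDITY_RE.findall(text):
        stamp = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
        found[label] = (stamp, zone)
    if "From" not in found or "To" not in found:
        raise ValueError("need both a 'From:' and a 'To:' validity line")
    return found["From"][0], found["To"][0], found["To"][1]


def check_expiry(text, now, warn_days=30):
    """Return (status, days_left); `now` is a naive UTC datetime (assumption)."""
    not_before, not_after, _zone = parse_validity(text)
    days_left = (not_after - TZ_SLACK - now).days
    if now < not_before + TZ_SLACK:
        return "not_yet_valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring_soon", days_left
    return "valid", days_left


# Validity lines copied from the question above.
SAMPLE = """Validity From: Tue Apr 18 15:19:19 AST 2017
To: Sun Apr 17 15:19:18 AST 2022"""

if __name__ == "__main__":
    now_utc = datetime.now(timezone.utc).replace(tzinfo=None)
    print(check_expiry(SAMPLE, now_utc))
```
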