01-12-2023 02:05 AM
Dears,
I was looking in my CUCM certificates and I found that the tomcat.pem certificate is expired:
Validity From: Tue Apr 18 15:19:19 AST 2017
To: Sun Apr 17 15:19:18 AST 2022
and according to the documentation the
Tomcat.pem
The above problem should occur if the certificate does expire, but as I noticed, the phones are working perfectly and the corporate directory works as it should.
Any explanation about this?
01-12-2023 03:23 AM
Probably because the phones use HTTP and not HTTPS.
You wrote it yourself: Phones are not able to access HTTPs services hosted on the CUCM node, such as Corporate Directory
01-12-2023 04:56 PM
A few additional things that can go wrong with expired certificates. These may not apply to your setup, as it's taken so long to detect the issue.
- Your browser will complain at you every time you connect to the admin screen.
- Jabber and Webex phone users will get certificate error messages.
- Expressway integration for MRA can break.
- LDAP integration may break if you use the encrypted port.
If you are using encryption anywhere in your telephony environment, you should go ahead and replace the certs - as a best practice before they expire, but as they are already expired you should still replace them now that you've discovered it.
01-12-2023 10:12 PM
You should always make sure that your certificates are valid. Please follow this document for how to renew them. Cisco UC Certificates Renewal Guide
Also set up the certificate monitor in your system so that you’ll get notifications on soon-to-expire certificate(s).
09-09-2024 05:42 PM
Hi Roger,
Does renewing the UCM tomcat certificate also require renewing UCCX tomcat and Finesse?
Rgds,
C
09-09-2024 09:38 PM
No, they have no correlation with each other.
09-09-2024 09:51 PM
Thanks,
Does the UCCX side need to update the Root CA and Intermediate CA?
Here it said need to update: tomcat on UCCX?
Rgds,
C
09-09-2024 10:25 PM - edited 09-10-2024 08:43 AM
It says that the CM Tomcat certificate and CA certificates, root and intermediate if applicable, need to be uploaded into CCX when they are renewed. For the CA certificate(s) it’s only applicable if they have also been renewed since the last time they were used to sign the Tomcat certificate or if this is the first time they are used to sign the Tomcat certificate.
Edit: I made an update to the document that I have created to include a note about the need to upload the CM Tomcat certificate and its CA certificates, if signed, to CCX if the version of CCX is 12.5 or newer.
09-10-2024 06:12 PM
Thanks Roger,
Do you mind outlining how to do this?
root and intermediate if applicable, needs to be uploaded into CCX when they are renewed
Rgds,
C
09-10-2024 09:55 PM - edited 09-10-2024 10:53 PM
Go to certificate management in OS administration on CCX and upload the CM tomcat certificate, and if this is signed by a CA, you also need to upload the root certificate and, if used, any intermediate certificate(s) of the CA to the tomcat-trust store in CCX.