14576 Views · 20 Helpful · 9 Replies

CUCM Expired tomcat-trust certs

Hi all. Running CUCM 8.6.1

I have a few expired tomcat-trust certificates. I'm trying to sort through the process of generating new ones, but I'm wondering something:

How do I find out which of these certs are actually being used? I assume not the expired ones...

I have a PUB and 5 SUBs, and the expired certs are named for the SUB they're associated with, but how do I know if that SUB is now using another trust cert? Also, I want to just delete all the expired ones and see what happens (I'll stop getting these annoying emails), but is there any reason to keep the expired certs around?

Thanks

2 Accepted Solutions (by Dennis Mink and Deepak Rawat; both posts appear in the replies below)

9 Replies

Dennis Mink
VIP Alumni

If you know which ones have expired, then why are you not replacing those with new ones, be it self signed, or signed by a CA?

Please remember to rate useful posts, by clicking on the stars below.

They were replaced. Looks like the old ones are just in there, still.

Well, if they are expired and replaced with new ones for the same hostname, by all means get rid of them.

Please remember to rate useful posts, by clicking on the stars below.

My question had to do with how I know if they've been replaced by new ones for the same hostname. Do I only need one Tomcat-trust for each node?

I have regenerated the tomcat certificate, but the tomcat-trust of UCCX member1 wasn't regenerated. Meanwhile, the tomcat-trust on member2 was regenerated automatically.

Could I know if this tomcat-trust is used?

Best regards.

Deepak Rawat
Cisco Employee

There is no reason to keep the expired certs on the server. There is a possibility that you might have regenerated the tomcat and associated tomcat-trust certificates already, but because the expired tomcat-trust certificates have not been deleted you are getting these emails. Verify this by going into OS Administration >> Security >> Certificate Management >> Find. This will list all of your certificates; you only need to focus on the ones that show as tomcat and tomcat-trust. Open the tomcat certificate and see the expiry date; if it's expired, simply click on Regenerate, which will also regenerate the associated tomcat-trust certificates. If it is not showing as expired, then leave it as it is and look through all the tomcat-certs individually, deleting the ones which are expired.

Note: Do the above process for all the servers that are reporting expired certs. Please ensure that you restart the Cisco Tomcat service using the CLI once the certificates have been regenerated.

Regards

Deepak

Great. I assume I can do the same thing with expired CallManager-Trust certs?

Thanks

That is very well true for CallManager certs as well; however, please be aware of the below defect and remove the expired CallManager-trust certs after hours:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut58407/?referring_site=bugquickviewredir

Reference Document:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

Regards

Deepak

Deepak,

Let me just try to clarify this a little before moving forward.

First of all, how can I tell which node a cert is associated with? I don't see anything in the cert that shows this. Several of my tomcat-trust certs are named NodeName.domain.loc.pem, but others have various other names. Looking at the certs on the GUIs of different nodes, I see different certs, though. Does this mean the cert is associated with the node I'm viewing it from?

Secondly, do I only need one tomcat and one tomcat-trust cert on each server?

Thanks
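The two questions that keep coming back in this thread (has an expired tomcat-trust entry already been replaced by a new cert for the same hostname, and which node does a given entry belong to) can be answered mechanically from the certificates themselves. Below is an added example, not code from the thread or from Cisco: a small Python audit using the third-party `cryptography` package (assumed installed). It reads a node's tomcat and tomcat-trust PEM entries, reports each entry's subject CN and expiry, marks an expired entry as superseded when a non-expired entry with the same CN exists, and flags trust entries whose fingerprint matches the node's own tomcat cert. For a self-signed CUCM tomcat cert the subject CN carries that node's hostname, which is the association the original poster could not see. The `example.loc` hostnames, the file names, and the `build_sample_store`, `audit`, `superseded` and `unreplaced` functions are all constructed for this example.

```python
"""Audit tomcat / tomcat-trust PEM entries exported from one CUCM node.
Added example; requires the third-party 'cryptography' package."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def _utc_now():
    # naive UTC datetime, which every cryptography release accepts
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def _not_after(cert):
    # cryptography >= 42 adds the tz-aware *_utc property; older releases only have the naive one
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware.replace(tzinfo=None) if aware is not None else cert.not_valid_after


def _cn(cert):
    attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else "<no CN>"


def make_self_signed(cn, not_before, not_after):
    """Throwaway self-signed cert standing in for a node's tomcat cert (sample data only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def build_sample_store(now=None):
    """Constructed sample of one node's entries: its own tomcat cert, a trust copy of it,
    and trust copies of two subscribers' certs. sub1's old cert has expired and been
    re-issued; sub2's has expired with no replacement. Hostnames are made up."""
    now = now or _utc_now()
    year = dt.timedelta(days=365)
    own = make_self_signed("pub.example.loc", now - year, now + 4 * year)
    return {
        "tomcat": own,
        "tomcat-trust/pub.example.loc.pem": own,
        "tomcat-trust/sub1.example.loc.pem": make_self_signed("sub1.example.loc", now - 6 * year, now - year),
        "tomcat-trust/sub1.example.loc-new.pem": make_self_signed("sub1.example.loc", now - dt.timedelta(days=30), now + 4 * year),
        "tomcat-trust/sub2.example.loc.pem": make_self_signed("sub2.example.loc", now - 6 * year, now - year),
    }


def load_pem_files(paths):
    """For real exports: {file name: PEM bytes}. Store the node's own tomcat cert under the key 'tomcat'."""
    return {p: open(p, "rb").read() for p in paths}


def audit(store, now=None):
    """Per entry: subject CN, expiry, expired flag, the current same-CN entry that
    supersedes it (if any), and whether it is a copy of this node's own tomcat cert."""
    now = now or _utc_now()
    certs = {name: x509.load_pem_x509_certificate(pem) for name, pem in store.items()}
    own_fp = certs["tomcat"].fingerprint(hashes.SHA256()) if "tomcat" in certs else None

    # newest still-valid entry per CN; an expired entry whose CN appears here is superseded
    current = {}
    for name, cert in certs.items():
        if _not_after(cert) > now:
            cn = _cn(cert)
            if cn not in current or _not_after(cert) > _not_after(certs[current[cn]]):
                current[cn] = name

    report = {}
    for name, cert in certs.items():
        cn = _cn(cert)
        expired = _not_after(cert) <= now
        report[name] = {
            "cn": cn,
            "not_after": _not_after(cert).isoformat(),
            "expired": expired,
            "replaced_by": current.get(cn) if expired else None,
            "is_own_tomcat": own_fp is not None and cert.fingerprint(hashes.SHA256()) == own_fp,
        }
    return report


def superseded(report):
    """Expired entries that already have a current cert for the same CN (hostname)."""
    return sorted(n for n, r in report.items() if r["expired"] and r["replaced_by"])


def unreplaced(report):
    """Expired entries with no current cert for the same CN: that node's tomcat cert
    still needs regenerating (and Tomcat restarting) before these are removed."""
    return sorted(n for n, r in report.items() if r["expired"] and not r["replaced_by"])


if __name__ == "__main__":
    rep = audit(build_sample_store())
    for name, r in rep.items():
        flag = "EXPIRED" if r["expired"] else "ok"
        own = " (this node's tomcat cert)" if r["is_own_tomcat"] else ""
        print(f"{name:40} {r['cn']:18} {r['not_after']} {flag}{own}")
    print("expired and already replaced:", superseded(rep))
    print("expired with no replacement:", unreplaced(rep))
```

To run it against a real node, export the tomcat and tomcat-trust certificates from Certificate Management as PEM files, pass the paths to `load_pem_files`, and rename the node's own tomcat entry to `tomcat` so the fingerprint match works. Entries listed by `superseded` are the ones the thread agrees can simply be deleted; entries listed by `unreplaced` belong to a node whose tomcat cert has not been regenerated yet.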