11-01-2015 12:20 AM - edited 03-17-2019 04:46 AM
Hi All,
How we can export CUCM Tomcat (Self signed) certificate with private key ?
Thanks in Advance...
11-01-2015 06:40 AM
You cannot, the private key for the self-signed certificates and for the CSRs cannot be exported.
This also means that you cannot use certs generated by a 3rd party as you cannot upload external certs with private key, which for example VCS does allow you to do.
For CUCM and any other app with the same blueprint, you need to sign the CSR generated by the system.
11-01-2015 12:36 AM
11-01-2015 12:46 AM
Hi Venperum,
Thanks for your reply. The provided links show the process on a NAC appliance.
Could you please guide me on how we can achieve this in Cisco UC applications?
Thanks Again...
11-01-2015 03:37 AM
Before we get into the process of exporting the CUCM Tomcat (self-signed) certificate with private key, let's talk about why we need it in the first place. All the UC applications such as CUCM, Unity Connection, UCCX etc. require a secure (HTTPS) connection to open their respective web pages. HTTPS pages typically use one of two secure protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key and vice versa.
As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key. Now when you say that you need the CUCM Tomcat (self-signed) certificate with private key, you actually require a Certificate Signing Request (CSR), which is encrypted text that contains information included in your certificate about your respective server. It also contains the public key. The CA uses this CSR to generate the SSL certificate. When you click on Generate CSR, the server creates a public-private key pair. The certificate created with a particular CSR will only work with the private key that was generated with it. In a nutshell, there is no way to just get the CUCM Tomcat (self-signed) certificate with private key; in fact you will get the public-private key combination, which you in turn will need to provide to your CA to get the certificate chain, so that you can upload it back to your CM server for secure communication.
For more information on generating CSR, getting it signed by CA and then uploading back to CM, refer to the below post:
https://supportforums.cisco.com/discussion/12693786/upload-multiserver-san-certificate
Note: If you do not agree with what I wrote above and only need the CUCM Tomcat (self-signed) certificate with private key, then let me know what exactly you are planning to do and what the need is for just the CUCM Tomcat (self-signed) certificate with private key and not the complete public-private key combination.
Regards
Deepak
- Do Rate Helpful Posts -
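As an added illustration of the point made above (this is example code, not part of the thread or any Cisco tooling), the following OpenSSL script reproduces what "Generate CSR" does in the abstract: it creates a key pair and CSR, has a throwaway "lab CA" sign it, and then checks that the CSR carries no private-key material and that the issued certificate is bound to the private key generated with its CSR. The hostname cucm-pub.example.com and the lab CA are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): what a CSR contains, and why a certificate
# only works with the private key generated alongside its CSR.
# "cucm-pub.example.com" and the "Lab CA" are constructed stand-ins.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="cucm-pub.example.com"

# 1. Server side (what "Generate CSR" does on the appliance): key pair + CSR.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/tomcat.key" \
  -subj "/CN=$CN" -out "$WORK/tomcat.csr" 2>/dev/null

# 2. A throwaway CA signs the CSR (stand-in for the enterprise CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Lab CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/tomcat.crt" 2>/dev/null

# Public-key fingerprints: the key, the CSR and the certificate expose the same
# public key only when they belong to the same "Generate CSR" run.
pub_fp_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
pub_fp_of_csr() { openssl req -in "$1" -pubkey -noout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
pub_fp_of_crt() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# "match" when the issued certificate is bound to the given private key.
cert_matches_key() {
  [ "$(pub_fp_of_crt "$1")" = "$(pub_fp_of_key "$2")" ] && echo match || echo mismatch
}

# "absent" when the CSR carries no private-key block (only the public key).
csr_has_private_key() {
  grep -q "PRIVATE KEY" "$1" && echo present || echo absent
}

# A freshly generated key (as after regenerating the key pair on the server)
# no longer matches the installed certificate, so a new CSR must be signed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/regenerated.key" 2>/dev/null

echo "CSR carries private key:  $(csr_has_private_key "$WORK/tomcat.csr")"
echo "CSR public key == key:    $([ "$(pub_fp_of_csr "$WORK/tomcat.csr")" = "$(pub_fp_of_key "$WORK/tomcat.key")" ] && echo yes || echo no)"
echo "cert vs original key:     $(cert_matches_key "$WORK/tomcat.crt" "$WORK/tomcat.key")"
echo "cert vs regenerated key:  $(cert_matches_key "$WORK/tomcat.crt" "$WORK/regenerated.key")"
```

The certificate file (tomcat.crt) is the only artifact a client needs in order to trust the server; the private key never leaves the host.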
11-01-2015 04:06 AM
Hi Deepak,
Thanks for the wonderful explanation on this.
Let me explain the situation here...
We are going to roll out the Jabber client using a 3rd party CA server. CUCM is not accepting the certificate signed by the 3rd party CA since it contains some critical elements. We can't modify the template in the CA server due to the security policy of the client.
So I thought of importing the UC applications' self-signed certificate to each user desktop using Group Policy.
Got the update from the Group Policy team: "To import the certificate using GPO it should contain the private key also".
Hope you understand the situation here... All this effort is to avoid the certificate error when the user logs in to Jabber for the 1st time.
Thanks...
03-29-2021 07:23 AM
I've come across this discussion and have had the argument repeatedly. The problem here is that a hindrance has been put in place to protect the uninformed from themselves but in doing so, prevents legitimate use of the key. In my case, we often generate the CSR externally for other systems. In addition to simply being our standard process, we often use the private keys for debugging in a development environment. For example, it is often helpful to be able to see the clear text dataflows of an AXL query in (near) real-time in Wireshark. This is only possible if you have the private key of both ends of the tool.
11-01-2015 09:45 PM
+5 Jaime,
LOL, imagine if that was possible, it would pretty much make the whole SSL mechanism defunct.
06-30-2020 08:13 AM
Just to add that for Java Keytool, F5 and every other common key management system it is indeed possible to export the private key. It's also possible to password protect this private key to reduce the risk.
I can see why you might be concerned about exporting it, but if you find yourself in a bad situation where Call Manager has wiped the public/private key pair, then you either need to restore a backup or persuade your CA team to sign a replacement CSR rapidly.
06-30-2020 10:37 PM
@j.a.m.e.s wrote:
Just to add that for Java Keytool, F5 and every other common key management system it is indeed possible to export the private key. It's also possible to password protect this private key to reduce the risk.
I can see why you might be concerned about exporting it, but if you find yourself in a bad situation where Call Manager has wiped the public/private key pair, then you either need to restore a backup or persuade your CA team to sign a replacement CSR rapidly.
I am not sure how you could imagine such a thing as the public/private key pair being wiped! If you exposed your private key, then your server has lost all of its security and identity...
There was a court case a while back in which Entrust had to hand over the private key of one of its CAs by a court injunction. Immediately that happened, the cert was put into its CRL. It's useless from that point...
It's private for a reason; it should remain private.
07-10-2020 09:07 AM