CUCM Export Tomcat Certificate with Private Key

gpsriramdc
Level 4

Hi All,

How we can export CUCM Tomcat (Self signed) certificate with private key ?

Thanks in Advance...

Accepted Solution

Jaime Valencia
Cisco Employee

You cannot, the private key for the self-signed certificates and for the CSRs cannot be exported.

This also means that you cannot use certs generated by a 3rd party as you cannot upload external certs with private key, which for example VCS does allow you to do.

For CUCM and any other app with the same blueprint, you need to sign the CSR generated by the system.

HTH

java

if this helps, please rate


10 Replies

Hi Venperum,

Thanks for your reply. The provided links show the process on the NAC appliance.

Could you please guide me on how we can achieve this in Cisco UC applications?

Thanks Again...

Deepak Rawat
Cisco Employee

Before we get into the process of exporting the CUCM Tomcat (Self Signed) certificate with private key, let's talk about why we need it in the first place. All the UC applications such as CUCM, Unity Connection, UCCX etc. require a secure mode (HTTPS) connection to open their respective webpages. HTTPS pages typically use one of two secure protocols to encrypt communications - SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.

As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key. Now when you say that you need the CUCM Tomcat (Self Signed) certificate with private key, you actually require a Certificate Signing Request (CSR), which is encrypted text that contains information included in your certificate about your respective server. It also contains the public key. The CA uses this CSR to generate the SSL certificate. When you click on Generate CSR, the server creates a Public-Private key pair. The certificate created with a particular CSR will only work with the private key that was generated with it. In a nutshell, there is not a way just to get the CUCM Tomcat (Self Signed) certificate with private key; in fact you will get the combination of Public-Private key that you in turn will need to provide to your CA and get the certificate chain, so that you can upload it back to your CM server for secure communication.

For more information on generating CSR, getting it signed by CA and then uploading back to CM, refer to the below post:

https://supportforums.cisco.com/discussion/12693786/upload-multiserver-san-certificate

Note: If you do not agree with what I wrote above and only need CUCM Tomcat (Self Signed) certificate with private key, then let me know what exactly you are planning to do and what is the need of just CUCM Tomcat (Self Signed) certificate with private key and not the complete Public- Private key combination

Regards

Deepak

- Do Rate Helpful Posts -
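The key pair / CSR / signed certificate relationship described in the post above, as an added example that is not part of the original thread and not Cisco's tooling: it uses only the openssl command line (assumed to be installed) with a throwaway "Example Lab CA" standing in for the real CA, and constructed subject names. It shows that a CSR carries the public key but never the private key, and gives a check a practitioner can run before uploading a CA-signed certificate: confirm that the certificate's public key matches the key pair the CSR was generated from (the same check, run against a second unrelated key, fails).

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.
# Models what "Generate CSR -> CA signs -> upload" does with the key material:
# the private key never leaves the place it was generated.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

TOMCAT_KEY="$WORK/tomcat.key"   # stays on the server (CUCM never exports it)
TOMCAT_CSR="$WORK/tomcat.csr"   # what you hand to the CA
TOMCAT_CRT="$WORK/tomcat.crt"   # what the CA hands back
OTHER_KEY="$WORK/other.key"     # an unrelated key, to show a mismatch

# 1. Server generates the key pair (constructed subject, hypothetical host name).
openssl genrsa -out "$TOMCAT_KEY" 2048 2>/dev/null
openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null

# 2. CSR = subject info + public key, signed by the private key. No private key inside.
openssl req -new -key "$TOMCAT_KEY" \
  -subj "/CN=cucm.example.local/O=Example" -out "$TOMCAT_CSR" 2>/dev/null

# 3. Stand-in CA (self-signed, one day) signs the CSR. A real CA does this step.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Example Lab CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$TOMCAT_CSR" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$TOMCAT_CRT" 2>/dev/null

# Does a PEM file contain a private key block? A proper CSR must not.
contains_private_key() {
  grep -q "PRIVATE KEY" "$1"
}

# SHA-256 of the DER SubjectPublicKeyInfo taken from a key, a CSR or a certificate.
# Equal fingerprints mean the same public key, i.e. the same key pair.
pubkey_fp() {
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout) ;;
    csr) pem=$(openssl req -in "$2" -pubkey -noout) ;;
    crt) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
    *) echo "unknown kind: $1" >&2; return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The check to run before uploading: does this signed cert belong to my private key?
key_matches_cert() {
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp crt "$2")" ]
}

# Same idea for the CSR you are about to send to the CA.
key_matches_csr() {
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp csr "$2")" ]
}

# Chain check with the CA that signed it (here the stand-in CA).
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if contains_private_key "$TOMCAT_CSR"; then echo "CSR leaks a private key"; fi
if key_matches_csr  "$TOMCAT_KEY" "$TOMCAT_CSR"; then echo "CSR  matches server key"; fi
if key_matches_cert "$TOMCAT_KEY" "$TOMCAT_CRT"; then echo "cert matches server key"; fi
if ! key_matches_cert "$OTHER_KEY" "$TOMCAT_CRT"; then echo "cert does NOT match other key"; fi
if cert_chains_to_ca "$WORK/ca.crt" "$TOMCAT_CRT"; then echo "cert chains to CA"; fi
```

Usage note: against a real CUCM you only have the CSR and the returned certificate, not the key, so compare `pubkey_fp csr` with `pubkey_fp crt`; if the fingerprints differ, the CA signed a CSR from a different Generate CSR run and the upload will be rejected.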

Hi Deepak,

Thanks for the wonderful explanation on this.

Let me explain the situation here...

We are going to roll out the Jabber client using the 3rd party CA server. CUCM is not accepting the certificate signed by the 3rd party CA since it contains some critical elements. We can't modify the template on the CA server due to the security policy of the client.

So I thought of importing the UC applications' self-signed certificate to each user desktop using Group Policy.

Got the update from the Group Policy team: "To import the certificate using GPO it should contain the private key also".

Hope you understand the situation here... All this effort is to avoid the certificate error when the user logs in to Jabber the first time.

Thanks...

I've come across this discussion and have had the argument repeatedly. The problem here is that a hindrance has been put in place to protect the uninformed from themselves but in doing so, prevents legitimate use of the key. In my case, we often generate the CSR externally for other systems. In addition to simply being our standard process, we often use the private keys for debugging in a development environment. For example, it is often helpful to be able to see the clear text dataflows of an AXL query in (near) real-time in Wireshark. This is only possible if you have the private key of both ends of the tool. 


+5 Jaime, 

LOL, Imagine if that was possible, it would pretty much make the whole SSL mechanism defunct.

Please remember to rate useful posts, by clicking on the stars below.

Just to add that for Java Keytool, F5 and every other common key management system it is indeed possible to export the private key. It's also possible to password protect this private key to reduce the risk.

I can see why you might be concerned about exporting it, but if you find yourself in a bad situation where Call Manager has wiped the public/private keypair, then you either need to restore a backup or persuade your CA team to sign a replacement CSR rapidly.

@j.a.m.e.s 


@j.a.m.e.s wrote:

Just to add that for Java Keytool, F5 and every other common key management system it is indeed possible to export the private key. It's also possible to password protect this private key to reduce the risk.

I can see why you might be concerned about exporting it, but if you find yourself in a bad situation where Call Manager has wiped the public/private keypair, then you either need to restore a backup or persuade your CA team to sign a replacement CSR rapidly.


I am not sure how you could imagine such a thing as the public/private key pair being wiped! If you exposed your private key, then your server has lost all of its security and identity...
There was a court case a while back in which Entrust had to hand over the private key of one of its CAs by a court injunction. Immediately that happened, the cert was put into its CRL. It's useless from that point...

It's private for a reason, should remain private..

Please rate all useful posts

Hi Ayodeji
Call Manager wipes all the local keys and certs when you change the domain name (just one example).
I understand the point about privacy, but in any case the private key is being saved out as part of the DRS backup. I can't see why it would be such a problem to allow it to be exported with password protection and then imported.
This inability to manage the private keys means that you might have to call your CA provider during a maintenance window, and that's sometimes easier said than done.
Regards
James.