Expired Tomcat certs replaced, servers still using self signed cert

alwayslearning
Level 1

I replaced the expiring Tomcat certs on all the servers in my environment with new valid CA-signed Tomcat certs.

The servers still all seem to be stuck on a self-signed cert, even with the new CA cert installed. The webpage for all of them shows the self-signed cert, and Jabber gives cert errors asking to accept the certificates for all the servers.

TAC is telling me the only way to resolve the issue with the browser looking at the self-signed cert and the Jabber errors is to manually install the CA certs on the PCs in my company. This doesn't make sense to me. Shouldn't I be able to force the server to use the CA cert instead of the self-signed cert without manually installing certificates across hundreds of PCs?
5 Replies

For your device (smartphones, laptops, etc.) to trust a certificate, its root certificate or the signed certificate must be available in its trust store. In all other cases, your devices will throw you a warning message and will ask you to trust the certificate.

If you don't want to see such messages, as TAC said, you need the root CA uploaded to the device trust store. This can be done in many ways, and there is no need to upload it on each machine.

On domain machines it can be done through GPO, and on mobile devices using MDM.

Instead of an internal CA-signed certificate, if you sign your certificates from the Verisign or DigiCert CA, you won't see such warnings, even if you don't upload the Verisign and DigiCert root CA, because a few public CAs' root certificates come preinstalled with the device OS. Since there is a cost involved with a public CA, we always use internal CA-signed certificates.


The cert is from DigiCert.

Dumb question:

Have you restarted the Cisco Tomcat service via CLI?

The server will not update the cert for the Tomcat service as long as you don't restart the corresponding service (not only applicable to the Tomcat service, but all other services too).

Only uploading the cert isn't enough.

Yes, I did restart the Tomcat service. I tried restarting the entire server as well.

First, find out for which certificate your device is showing the warning message. Check if it's your signed certificate. The warning message might be for the Unity certificate.

If your device doesn't have the root CA of DigiCert, the device will throw you a warning message. To avoid that, as TAC mentioned, the root cert must be available in the device trust store.
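Added example, not part of any reply in this thread and not Cisco tooling: one way to check from a client PC which certificate a server actually presents, whether it is self-signed or CA-issued, and whether a given root CA file would make a client trust it, using the `openssl` CLI. The function names, the host name `cucm.example.test` and the throwaway test certificates are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which certificate does a server present, and would a client
# holding a given root CA trust it? Function names are hypothetical.

# Save the leaf certificate a TLS server presents (needs network access).
fetch_leaf() {      # $1 = host, $2 = port, $3 = output PEM file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$3"
}

# "self-signed" when subject and issuer names hash identically, else "ca-signed".
classify_cert() {   # $1 = PEM certificate
    local s i
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$s" = "$i" ]; then echo self-signed; else echo ca-signed; fi
}

# Succeeds only if the certificate chains to the given root (the trust-store check).
trusted_by() {      # $1 = root CA PEM, $2 = certificate PEM
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed sample data: a throwaway CA, a self-signed cert, a CA-issued cert.
make_samples() {    # $1 = output directory
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cucm.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cucm.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Against a real server: ./check.sh cucm.example.test 443 [root-ca.pem]
if [ $# -ge 2 ]; then
    tmp=$(mktemp)
    fetch_leaf "$1" "$2" "$tmp" || exit 1
    classify_cert "$tmp"
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    if [ -n "${3:-}" ]; then
        trusted_by "$3" "$tmp" && echo "trusted by $3" || echo "NOT trusted by $3"
    fi
    rm -f "$tmp"
fi
```

If the server reports `self-signed` after the new certificate was uploaded and the service restarted, the server is still serving the old certificate; if it reports `ca-signed` but `trusted_by` fails, the issue is on the client trust-store side.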