03-15-2012 07:21 AM - edited 03-16-2019 10:08 AM
Hello all,
If I generate a certificate for Tomcat will this be non-impacting during production hours? Thanks in advance.
Thanks,
Matt
03-15-2012 07:23 AM
Hi
It's best to specify a product when asking a question...
But assuming you are talking CUCM, yes you can generate/replace the tomcat cert without affecting call processing. It may affect use of services such as EM/Admin as you will need to restart tomcat.
Regards
Aaron
03-15-2012 07:32 AM
Thanks. We are using CUCM 8.5 and I think I need to regenerate a certificate for Tomcat since it only has the hostname and not the FQDN of the publisher. So basically it would affect Extension Mobility and the Admin page? I need to get a commercially signed SSL certificate installed on both the subscriber and publisher. The subscriber seems to have the correct FQDN. We started using Click to Call and the certificate keeps asking to be imported on the Windows clients every time we use the application.
03-15-2012 08:04 AM
Hi
Well - the process for getting a commercial cert is:
- Generate a CSR from OS Admin for tomcat
- Get the cert issued
- Upload the cert
The cert request will have the name of the server in it. You should verify using 'show network eth0' at the CLI that it's in the correct domain, or the CSR may not include the domain name of the server. You don't get to set a name when you actually generate the CSR.
I usually use 'set web-security' post-installation to set a common 'alias' or alternate hostname to a group of the CUCMs. e.g. set web-security etc etc etc etc cucm.yourorg.com
This gives you a name you can add to DNS as two or more round-robin A entries pointing cucm.yourorg.com to each of the CUCMs. You can then point your web browser, users, EM service URL, and whatever you like at that new name to provide some basic resilience.
When you upload the new cert, you restart tomcat - it takes a minute or so, and that's all your outage (if it works).
Aaron
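Added example, not part of the original posts and not Cisco code: a small check of which names clients connect to are actually covered by the names in a Tomcat certificate, using RFC 6125-style matching. The hostnames `cucm-pub` and `cucm-sub` are constructed, and treating the `set web-security` alias as a SAN entry in the issued certificate is an assumption.

```python
def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a bare hostname never matches an FQDN
    if p[0] == "*":
        # A wildcard stands for exactly one label and needs a real domain after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_names(common_name, san_dns, client_names):
    """Return the names clients connect to that the certificate does not cover."""
    # When SAN dNSName entries are present, clients ignore the subject CN.
    presented = list(san_dns) if san_dns else [common_name]
    return [n for n in client_names
            if not any(name_matches(p, n) for p in presented)]


# Constructed sample data: the names browsers and the EM service URL would use.
CLIENT_NAMES = ["cucm-pub.yourorg.com", "cucm-sub.yourorg.com", "cucm.yourorg.com"]


def demo():
    return {
        # Certificate issued with only the short hostname in the subject.
        "hostname_only": uncovered_names("cucm-pub", [], CLIENT_NAMES),
        # Certificate issued with the publisher's FQDN, no alias.
        "fqdn_only": uncovered_names("cucm-pub.yourorg.com", [], CLIENT_NAMES),
        # FQDN plus the shared alias carried as SAN entries (assumption).
        "fqdn_plus_alias": uncovered_names(
            "cucm-pub.yourorg.com",
            ["cucm-pub.yourorg.com", "cucm.yourorg.com"],
            CLIENT_NAMES,
        ),
    }


if __name__ == "__main__":
    for case, missing in demo().items():
        print(f"{case}: not covered -> {missing}")
```

Any name left in the "not covered" list is one that will produce a certificate name warning on clients pointed at it, so each node's certificate needs to be checked against every name that will resolve to that node.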
03-15-2012 09:45 AM
I see the right hostname and domain according to the show network eth0 and show myself. Does it matter if the domain name is not in the downloaded certificate for the CA?