Generating a Certificate for Tomcat

Hello all,

If I generate a certificate for Tomcat will this be non-impacting during production hours?  Thanks in advance.

Thanks,

Matt

4 Replies

Aaron Harrison
VIP Alumni

Hi

It's best to specify a product when asking a question...

But assuming you are talking CUCM, yes you can generate/replace the tomcat cert without affecting call processing. It may affect use of services such as EM/Admin as you will need to restart tomcat.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Thanks. We are using CUCM 8.5 and I think I need to regenerate a certificate for Tomcat since it only has the hostname and not the FQDN of the publisher. So basically it would affect Extension Mobility and the Admin page? I need to get a commercially signed SSL certificate installed on both the subscriber and publisher. The subscriber seems to have the correct FQDN. We started using Click to Call and the certificate keeps asking to be imported on the Windows clients every time we use the application.

Hi

Well - the process for getting a commercial cert is:

- Generate a CSR from OS Admin for tomcat

- Get the cert issued

- Upload the cert

The cert request will have the name of the server in it. You should verify using 'show network eth0' at the CLI that it's in the correct domain, or the CSR may not include the domain name of the server. You don't get to set a name when you actually generate the CSR.

I usually use 'set web-security' post-installation to set a common 'alias' or alternate hostname to a group of the CUCMs. e.g. set web-security etc etc etc etc cucm.yourorg.com

This gives you a name you can add to DNS as two or more round-robin A entries pointing cucm.yourorg.com to each of the CUCMs. You can then point your web browser, users, EM service URL, and whatever you like at that new name to provide some basic resilience.

When you upload the new cert, you restart tomcat - it takes a minute or so, and that's all your outage  (if it works).

Aaron

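The name check behind the hostname-versus-FQDN question in this thread, as an added example that is not part of the original posts: it compares the DNS names a certificate carries against the names clients actually dial. The hostname `cucm-pub`, both sample certificates, and the assumption that the alias lands in the certificate as a subjectAltName entry are constructed for illustration.

```python
# Added example. Certificates use the dict layout of ssl.SSLSocket.getpeercert().
# "cucm-pub" is a hypothetical publisher hostname; cucm.yourorg.com is the
# alias used in the thread. Both certificates below are constructed samples.

HOSTNAME_ONLY = {"subject": ((("commonName", "cucm-pub"),),)}
REISSUED = {
    "subject": ((("commonName", "cucm-pub.yourorg.com"),),),
    # Assumption: the alias ends up as a subjectAltName dNSName entry.
    "subjectAltName": (("DNS", "cucm-pub.yourorg.com"), ("DNS", "cucm.yourorg.com")),
}


def cert_dns_names(cert):
    """DNS names a client compares against: SAN dNSName entries, with the
    subject CN used only when the certificate has no SAN dNSName at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:] and "." in rest
    return False


def audit(cert, dialed_names):
    """Map each name a client might dial to whether the certificate covers it."""
    names = cert_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in dialed_names}


if __name__ == "__main__":
    dialed = ["cucm-pub", "cucm-pub.yourorg.com", "cucm.yourorg.com"]
    for label, cert in (("hostname-only", HOSTNAME_ONLY), ("reissued", REISSUED)):
        print(label, audit(cert, dialed))
```

Feeding `audit` the dict from `getpeercert()` on a verified connection to the server gives the same report for a live certificate.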

I see the right hostname and domain according to the show network eth0 and show myself. Does it matter if the domain name is not in the downloaded certificate for the CA?
