How to recover Certs from subscriber back to publisher

fred.skrotzki
Level 1

We had very unfortunate timing. The server hosting the VM for the publisher had a short in a drive when it failed, corrupting the image, on the same day that we replaced the 3rd-party self-signed certs but before we backed up the system. Yes, then I went on vacation for 2 weeks and just noticed it when I walked back in yesterday. So I swapped the drive, repaired the RAID, rebuilt the publisher, and did a restore.

So at this moment I have the server restored from the last known backup, the night before the drive failure, BUT the subscribers have the good SSL certs (cert, cert chain and private key), while the publisher has the old cert, which expired while I was out. So I need to "pull back" the certs off one of the subscribers and back onto the publisher, and I'm looking for guidance on exactly what I need to do and the format.

If this was pure Linux and I had root access, I'd just log in, locate the new SSL files and key files (they will have the date of when we installed the cert), copy them over to the publisher, replacing the old ones, and reboot. But we don't.

I tried to save out the tomcat cert, but it doesn't like something when I ask it to read them in: "File '/usr/local/platform/.security/tomcat/keys/tomcat.csr' does not exist", and it lists it as an invalid cert when trying to do this via Certificate Management.

I'm sure there are CLI command(s) to do all this, but my Google skills seem to still be on vacation.

2 Replies

b.winter
VIP

What you are asking is not possible, because even if you have the certificate(s) of the pub, you don't have the corresponding private keys. Furthermore, there is no option to insert private keys into CUCM.
Your only solution is to start the certificate signing process again.

You need help from TAC with this. They can access the file system on your subscriber with their root access and get the files needed. Not sure if they would do it, as this is, as @b.winter wrote, not something usual, but it would be worth a try. If TAC won't do it, you could go a bit rogue and boot the subscriber on a CM recovery ISO and gain access to the actual Linux system by opening a console from it. Absolutely nothing that is supported or so, but possible.