Regenerating CUP Certs

mramirez-t
Level 1

We have 2 presence servers, HQ-PRESENCE1 and HQ-PRESENCE2, in different locations. There are expired certs on each that expired in Dec 2017. I haven't been able to find any reliable docs on what certs need to be regenerated in what order and then what services need to be started in what order afterwards. These are the self-signed certs that we have on each that are expired. Anyone have any info on which order these need to be regenerated and what services in what order?

On HQ-PRESENCE1

Certificate    | Common Name            | Type        | Distribution           | Issued By              | Expiration | Description
cup            | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
cup-trust      | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp       | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp-s2s   | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
ipsec-trust    | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trust Certificate

On HQ-PRESENCE2

Certificate    | Common Name            | Type        | Distribution           | Issued By              | Expiration | Description
cup-trust      | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
1 Accepted Solution

The system will tell you what you need to restart as you re-generate them, most likely XCP router and some other XCP services after you do the cup-xmpp and s2s certificates. As there is no ITL or specific validation for Jabber to log in and use IM&P, there is no particular order that needs to be followed.

Once you re-generate them, all Jabber clients will get the certificate warning due to this, so plan ahead of time to distribute the new certificate, or tell users to accept it as they login.

HTH

java

if this helps, please rate


12 Replies

Dennis Mink
VIP Alumni

I am not aware of any specific order of uploading new certs; I tend to do pub first, then sub.

Then restart Tomcat on pub, then on sub.

Tomcat is really the only service you need to restart.

If you upload a new CA cert, then you will need to restart the intercluster sync agent as well.

Check: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/9_0/CUP0_BK_CFF5B189_00_config-admin-guide-imp-90/CUP0_BK_CFF5B189_00_config-admin-guide-imp-90_chapter_01010.html

Please remember to rate useful posts, by clicking on the stars below.

I've had to restart certain services in the past when doing other cert renewals (ipsec, capf, etc.), so I want to make 100% sure that the services I need to restart are done in order. For example, when regenerating the ipsec-trust certs, no restart of Tomcat was necessary, but services like TFTP, TVS, and Call Manager had to be restarted in a certain order.


Thanks. FYI, the link www.cisco.com/go/pdi brings me to a 403 Forbidden page warning.

Thanks, the link is fine; it requires partner-level CCO to be accessed.

HTH

java

if this helps, please rate

Fair enough, thanks.

Hello Jaime,

I just regenerated the tomcat, ipsec, cup, cup-xmpp and cup-xmpp-s2s certificates.

There is an ipsec-trust certificate that remains unchanged. How can I force the regeneration of this ipsec-trust?

Certificate Name: ipsec-trust
Certificate Type: trust-certs
Certificate Group: product-cp

Thanks

You cannot regenerate trust store certificates. When you regenerated ipsec, that should have uploaded to the trust-store automatically.
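As an added example (not code from this thread or from Cisco), here is a small Python inventory check for the certificate listing format shown in the question: it parses the rows, flags certificates that are expired or close to expiry, and maps each `-trust` entry back to the identity certificate whose regeneration refreshes it, following Nipun's point that trust-store entries are not regenerated on their own. The sample listing is constructed; the `tomcat` row and every date in it are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List

# Constructed sample in the same column order as the IM&P certificate page:
# name, common name, type, distribution, issued by, expiration, description.
# The tomcat row and its date are made up for illustration.
SAMPLE_LISTING = """\
cup HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Self-signed certificate generated by system
cup-trust HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Trusted local cluster own-certificate
cup-xmpp HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Self-signed certificate generated by system
cup-xmpp-s2s HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Self-signed certificate generated by system
ipsec-trust HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Trust Certificate
tomcat HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 3/1/2020 Self-signed certificate generated by system
"""


@dataclass
class CertRow:
    name: str
    common_name: str
    cert_type: str
    expires: date
    description: str

    @property
    def is_trust_store(self) -> bool:
        # "-trust" entries are trust-store copies of an identity certificate.
        return self.name.endswith("-trust")

    @property
    def identity_name(self) -> str:
        # The certificate an admin actually regenerates to refresh this entry.
        return self.name[: -len("-trust")] if self.is_trust_store else self.name


def parse_listing(text: str) -> List[CertRow]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:  # skip blank or truncated lines
            continue
        name, cn, ctype, _dist, _issuer, exp = parts[:6]
        expires = datetime.strptime(exp, "%m/%d/%Y").date()
        rows.append(CertRow(name, cn, ctype, expires, " ".join(parts[6:])))
    return rows


def regeneration_plan(rows: List[CertRow], today: date, warn_days: int = 30) -> List[str]:
    """Identity certificates to regenerate: any row expired or expiring within
    warn_days, with trust-store copies folded into their identity cert."""
    due = {r.identity_name for r in rows if (r.expires - today).days <= warn_days}
    return sorted(due)
```
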

Thanks Nipun,

My Jabber clients continue showing an invalid cert.

Have you added the server certs to the Enterprise Trust on the machines where Jabber is? If not, you would need to "Accept" them the first time. When you accept them, they will be automatically added to the enterprise trust.

Hello Nipun,

I'm not sure where to do that. The CUP is 8.6. I just regenerated the certs that allow me to do that.

Do you refer to the Windows, iPhone iOS and Android devices?

Regards,


Solved restarting the CUP server.