03-08-2018 06:57 AM - edited 03-17-2019 12:22 PM
We have 2 presence servers, HQ-PRESENCE1 and HQ-PRESENCE2, in different locations. There are expired certs on each that expired in Dec 2017. I haven't been able to find any reliable docs on what certs need to be regenerated in what order and then what services need to be started in what order afterwards. These are the self-signed certs that we have on each that are expired. Anyone have any info on which order these need to be regenerated in, and what services in what order?
On HQ-PRESENCE1

| Certificate | Common Name | Type | Distribution | Issued By | Expiration | Description |
|---|---|---|---|---|---|---|
| cup | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Self-signed certificate generated by system |
| cup-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Trusted local cluster own-certificate |
| cup-xmpp | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Self-signed certificate generated by system |
| cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Trusted local cluster own-certificate |
| cup-xmpp-s2s | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Self-signed certificate generated by system |
| ipsec-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Trust Certificate |

On HQ-PRESENCE2

| Certificate | Common Name | Type | Distribution | Issued By | Expiration | Description |
|---|---|---|---|---|---|---|
| cup-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Trusted local cluster own-certificate |
| cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017 | Trusted local cluster own-certificate |
03-09-2018 07:46 AM
The system will tell you what you need to restart as you re-generate them, most likely XCP router and some other XCP services after you do the cup-xmpp and s2s certificates. As there is no ITL or specific validation for Jabber to log in and use IM&P, there is no particular order that needs to be followed.
Once you re-generate them, all Jabber clients will get the certificate warning due to this, so plan ahead of time to distribute the new certificate, or tell users to accept it as they log in.
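After regenerating, the practical check is to read the certificate each IM&P listener is actually presenting and confirm it is the new one, since a service that was not restarted keeps serving the old, expired cert. The Go program below is an added example (not from this thread or from Cisco); it assumes the usual IM&P listeners (Tomcat on 8443 for the tomcat cert, XMPP client on 5222 for cup-xmpp, XMPP server-to-server on 5269 for cup-xmpp-s2s), and the loopback server in it is a constructed stand-in for a node so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// CheckEndpoint returns the CN and expiry of the leaf certificate served at addr and
// whether it had already lapsed at time now. Verification is skipped on purpose: an
// expired self-signed cert would otherwise abort the handshake before it can be read.
func CheckEndpoint(addr string, now time.Time) (cn string, notAfter time.Time, expired bool, err error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "", time.Time{}, false, err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	return leaf.Subject.CommonName, leaf.NotAfter, now.After(leaf.NotAfter), nil
}

// SelfSignedServer serves one TLS connection on loopback with a constructed self-signed
// cert for cn that expires at notAfter; it stands in for an IM&P node in offline tests.
func SelfSignedServer(cn string, notAfter time.Time) (net.Listener, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return nil, err
	}
	go func() { // complete one handshake so the client can read the cert, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln, nil
}
```

Against a real node, call CheckEndpoint with hq-presence1:8443, :5222 and :5269 (assumed default ports) from a host that can reach it; a CN or expiry that does not match the cert you just regenerated means that service is still holding the old one and needs the restart described above.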
03-08-2018 03:42 PM
I am not aware of any specific order of uploading new certs; I tend to do pub first, then sub.
Then restart Tomcat on pub, then on sub.
Tomcat is really the only service you need to restart.
If you upload a new CA cert, then you will need to restart the intercluster sync agent as well.
03-09-2018 04:58 AM
I've had to restart certain services in the past when doing other cert renewals (ipsec, capf, etc.), so I want to make 100% sure that the services I need to restart are done in order. For example, when regenerating the ipsec-trust certs, no restart of Tomcat was necessary, but services like TFTP, TVS, and Call Manager had to be restarted in a certain order.
03-09-2018 07:48 AM
Thanks. FYI, the link www.cisco.com/go/pdi brings me to a 403 Forbidden Page warning.
03-09-2018 07:50 AM
Thanks, link is fine, it requires partner level CCO to be accessed.
03-09-2018 07:51 AM
Fair enough, thanks.
07-12-2018 09:35 AM
Hello Jaime,
I just regenerated tomcat, ipsec, cup, cup-xmpp and cup-xmpp-s2s.
There is an ipsec-trust certificate that remains unchanged. How can I force the regeneration of this ipsec-trust?
Certificate Name | ipsec-trust |
Certificate Type | trust-certs |
Certificate Group | product-cp |
Thanks
07-12-2018 10:51 AM
07-12-2018 01:05 PM
Thanks Nipun,
My Jabber clients continue to show an invalid cert.
07-12-2018 01:15 PM
07-12-2018 01:20 PM
Hello Nipun,
I'm not sure where to do that. The CUP is 8.6. I just regenerated the certs that allow me to do that.
Do you refer to the Windows, iPhone iOS and Android devices?
Regards,
07-12-2018 06:55 PM
Solved by restarting the CUP server.