Beginner

Regenerating CUP Certs

We have 2 presence servers, HQ-PRESENCE1 and HQ-PRESENCE2, in different locations. There are expired certs on each that expired in Dec 2017. I haven't been able to find any reliable docs on what certs need to be regenerated in what order and then what services need to be started in what order afterwards. These are the self-signed certs that we have on each that are expired. Anyone have any info on which order these need to be regenerated and what services in what order?

On HQ-PRESENCE1

Certificate    | Common Name            | Type        | Distribution           | Issued By              | Expiration | Description
cup            | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
cup-trust      | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp       | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp-s2s   | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Self-signed certificate generated by system
ipsec-trust    | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trust Certificate

On HQ-PRESENCE2

Certificate    | Common Name            | Type        | Distribution           | Issued By              | Expiration | Description
cup-trust      | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
cup-xmpp-trust | HQ-PRESENCE1.XXX.LOCAL | Self-signed | HQ-PRESENCE1.XXX.LOCAL | HQ-PRESENCE1.XXX.LOCAL | 12/9/2017  | Trusted local cluster own-certificate
Accepted Solution

Hall of Fame Cisco Employee

Re: Regenerating CUP Certs

The system will tell you what you need to restart as you re-generate them, most likely XCP router and some other XCP services after you do the cup-xmpp and s2s certificates. As there is no ITL or specific validation for Jabber to log in and use IM&P, there is no particular order that needs to be followed.

Once you re-generate them, all Jabber clients will get the certificate warning due to this, so plan ahead of time to distribute the new certificate, or tell users to accept it as they log in.

HTH

java

if this helps, please rate
VIP Advisor

Re: Regenerating CUP Certs

I am not aware of any specific order of uploading new certs; I tend to do pub first, then sub.

Then restart Tomcat on pub, then on sub.

Tomcat is really the only service you need to restart.

If you upload a new CA cert, then you will need to restart the intercluster sync agent as well.

Check: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/9_0/CUP0_BK_CFF5B189_00_config-admin-guide-imp-90/CUP0_BK_CFF5B189_00_config-admin-guide-imp-90_chapter_01010.html

Please remember to rate useful posts, by clicking on the stars below.

Beginner

Re: Regenerating CUP Certs

I've had to restart certain services in the past when doing other cert renewals (ipsec, capf, etc.), so I want to make 100% sure that the services I need to restart are done in order. For example, when regenerating the ipsec-trust certs, no restart of Tomcat was necessary, but services like TFTP, TVS, and Call Manager had to be restarted in a certain order.

Beginner

Re: Regenerating CUP Certs

Thanks. FYI, the link www.cisco.com/go/pdi brings me to a 403 Forbidden page.

Hall of Fame Cisco Employee

Re: Regenerating CUP Certs

Thanks, the link is fine; it requires partner-level CCO to be accessed.

HTH

java

if this helps, please rate
Beginner

Re: Regenerating CUP Certs

Fair enough, thanks.

Enthusiast

Re: Regenerating CUP Certs

Hello Jaime,

I just regenerated the tomcat, ipsec, cup, cup-xmpp, cup-xmpp-s2s.

There is an ipsec-trust certificate that remains unchanged. How can I force the regeneration of this ipsec-trust?

Certificate Name ipsec-trust
Certificate Type trust-certs
Certificate Group product-cp

Thanks

Cisco Employee

Re: Regenerating CUP Certs

You cannot regenerate trust store certificates. When you regenerated ipsec, that should have uploaded to the trust-store automatically.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
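To make the two points above concrete (the own-certificate versus trust-store distinction in this reply, and the expired listing in the original post), here is an added Python example that is not from this thread or from Cisco: it parses the row format the original post pasted and turns it into a renewal plan using the rules the replies state. The service-to-restart mapping, the sample rows and the helper names are assumptions for illustration.

```python
from datetime import date

# Services the replies say to restart after regenerating each own certificate
# (assumed mapping, built from this thread's answers, for illustration only).
RESTART_AFTER = {
    "cup-xmpp": "Cisco XCP Router and the other XCP services",
    "cup-xmpp-s2s": "Cisco XCP Router and the other XCP services",
    "tomcat": "Cisco Tomcat",
}

# Constructed sample in the same row format the original post pasted.
SAMPLE_LISTING = """\
cup HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Self-signed certificate generated by system
cup-trust HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Trusted local cluster own-certificate
cup-xmpp HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Self-signed certificate generated by system
ipsec-trust HQ-PRESENCE1.XXX.LOCAL Self-signed HQ-PRESENCE1.XXX.LOCAL HQ-PRESENCE1.XXX.LOCAL 12/9/2017 Trust Certificate
"""


def parse_listing(text):
    """Parse rows of: name, common name, type, distribution, issued by, M/D/YYYY expiry, description."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # the description may contain spaces; keep it whole
        if len(parts) < 7:
            continue
        name, cn, ctype, _dist, issuer, exp, desc = parts
        m, d, y = (int(x) for x in exp.split("/"))
        rows.append({"name": name, "cn": cn, "type": ctype, "issued_by": issuer,
                     "expires": date(y, m, d), "self_signed": cn == issuer, "desc": desc})
    return rows


def plan_renewal(rows, today):
    """Map each listed entry to an action; today is a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    own = {r["name"] for r in rows if not r["name"].endswith("-trust")}
    plan = {}
    for r in rows:
        state = "expired" if r["expires"] < today else "valid"
        if r["name"].endswith("-trust"):
            # Trust-store copies are not regenerated themselves; they follow the own cert.
            base = r["name"][: -len("-trust")]
            note = "" if base in own else " ('%s' itself is not in this listing)" % base
            plan[r["name"]] = ("%s trust-store copy: cannot be regenerated directly, "
                               "refreshed when '%s' is regenerated%s" % (state, base, note))
        else:
            restart = RESTART_AFTER.get(r["name"], "the services the regenerate dialog names")
            plan[r["name"]] = "%s own certificate: regenerate, then restart %s" % (state, restart)
    return plan
```

Running `plan_renewal(parse_listing(SAMPLE_LISTING), "2018-01-15")` flags every row as expired and shows that ipsec-trust only changes once the ipsec own certificate is regenerated.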
Enthusiast

Re: Regenerating CUP Certs

Thanks Nipun,

My Jabber clients continue showing an invalid cert.

Cisco Employee

Re: Regenerating CUP Certs

Have you added the server certs to the Enterprise Trust on the machines where Jabber is? If not, you would need to "Accept" them the first time. When you accept them, they will be automatically added to the Enterprise Trust.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Enthusiast

Re: Regenerating CUP Certs

Hello Nipun,

I'm not sure where to do that. The CUP is 8.6. I just regenerated the certs that allow me to do that.

Do you refer to the Windows, iPhone iOS and Android devices?

Regards,

Enthusiast

Re: Regenerating CUP Certs

Solved by restarting the CUP server.