tomcat cucm

Will Phinney
Level 1

Everyone,

I recently had my main tomcat cert expire on my call managers and am struggling to figure all of this out. I opened a TAC case, but can't seem to grasp the whole cert idea. I have a 3 node cluster and each server has a tomcat.pem file with 3 trust certs for each box. I have the main cert signed by my domain controller and after talking with TAC they informed me to delete the old trust certs and regenerate the main tomcat.pem cert on each box, however, by regenerating it I don't believe it will "push out" the expiration date. I need to do this, but can't seem to get my head around these certs and don't want to keep bothering TAC. Furthermore, don't I need to get a new cert from my DC and then upload the new cert to each CUCM node? Thanks in advance for all the help. Also, are all certs this hard?

6 Replies

Aaron Harrison
VIP Alumni

Hi Will

Are all certs this hard? No.. but then some are harder.

This could be implemented better, and documented better... but basically:

As I recall, there is no concept of 'renewing' a cert (there is generally, but not in CUCM). You basically generate a new one.

Go into OS Admin, Cert Mgmt, and you would issue a new CSR by hitting Generate CSR. 

In the Generate CSR box, generate a 'tomcat' CSR. This box has lots of new boxes, it's better than it used to be...  Common Name/SAN had to be set in the CLI previously.

Use the CSR on your CA to generate the cert (your DC that runs MS CA, or whatever your clients trust)

Then obtain and upload the Root CA public cert, and any intermediate certs if you have them (i.e. if you have separate root and issuing CAs) to Cert Mgmt as 'tomcat-trust' certs.

Finally, upload the generated cert to CUCM as a 'tomcat' cert.

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Aaron,

Thanks for the reply. So I guess that's where my confusion was: when I read 'generate' I thought it was just going to generate a new cert and extend the date; however, I understand now that I need to generate that and send it to my DC, then upload the new cert and start tomcat. I need to do this for all three of my servers, but will those trust certs be pushed to each server? With Tomcat can I get away with not rebooting all my phones and just restart the tomcat service? Thanks, Aaron.

Hi

If I recall correctly the trust certs get replicated round. The tomcat cert itself won't, so do it per server.

You may even already have the trust certs in if you are using a cert from the same DC already..

Yes, you can just restart Tomcat from the server CLI.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Aaron,

Finally got around to uploading certs to each CUCM box and I "think" it worked, as I no longer see expired certs and each tomcat trust cert shows the new date, but I still get an error in the browser saying the site is potentially dangerous. I thought that would be cleared up with the new cert from my DC? Thanks again!

Hi

Two things need to happen to avoid errors (well - more, like the cert has to be valid and in date etc... but for you):

- You must browse to the server using the hostname or SAN listed in the cert. Not IP.

- Your PC must trust the cert authority. You would normally distribute your CA certs (if they are MS ones) through AD, but this might not have happened for some reason. To trust it, load the root cert (not the CUCM server cert) into the Trusted Root Cert Authorities folder on your PC cert store. If it then works, get your AD peeps to see why it didn't happen automatically.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
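The two conditions Aaron lists (the name you browse to must be in the cert's SAN, and your PC must trust the issuing CA) are exactly what a browser checks before it accepts the Tomcat cert. The script below is an added example, not code from this thread or from Cisco: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and reproduces those checks, plus the expiry check that started the thread. The hostnames, CA name and dates are constructed for the example, and the "trust store" is reduced to a set of trusted root CA names (a real verifier also validates signatures up the chain).

```python
"""Why a renewed CUCM Tomcat cert can still trigger a browser warning:
wrong name (IP instead of hostname/SAN), untrusted issuer, or dates.
Example code with constructed sample data, not from the thread above."""
import ipaddress
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Names and dates are made up; the SAN list has DNS entries only, no IP.
PEER_CERT = {
    "subject": ((("commonName", "cucm-pub.example.local"),),),
    "issuer": ((("commonName", "EXAMPLE-DC01-CA"),),),
    "subjectAltName": (
        ("DNS", "cucm-pub.example.local"),
        ("DNS", "cucm-pub"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

# Constructed stand-in for the PC's Trusted Root Cert Authorities store:
# the subject CNs of the root CA certs that have been imported.
TRUSTED_ROOT_CNS = {"EXAMPLE-DC01-CA"}


def _cn(name):
    """Pull the commonName out of a getpeercert()-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_in_date(cert, now_ts=None):
    """True if now lies inside the cert's validity window (UTC)."""
    now_ts = time.time() if now_ts is None else now_ts
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_ts <= not_after


def hostname_matches(cert, requested):
    """Match what the user typed against the SAN list, as a browser does.
    An IP literal only matches an 'IP Address' SAN; a DNS name matches a
    DNS SAN case-insensitively, or via a wildcard covering one label.
    When a SAN list is present the subject CN is ignored."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            if value.lower() == requested.lower():
                return True
            if value.startswith("*.") and "." in requested:
                if requested.lower().split(".", 1)[1] == value[2:].lower():
                    return True
    return False


def issuer_trusted(cert, trusted_root_cns):
    """Name-only trust check: is the issuing CA among the imported roots?"""
    return _cn(cert["issuer"]) in trusted_root_cns


def diagnose(cert, requested, trusted_root_cns, now_ts=None):
    """Return the list of reasons a browser would warn; empty means OK."""
    problems = []
    if not is_in_date(cert, now_ts):
        problems.append("certificate expired or not yet valid")
    if not hostname_matches(cert, requested):
        problems.append(f"'{requested}' is not in the cert's SAN list")
    if not issuer_trusted(cert, trusted_root_cns):
        problems.append(f"issuer '{_cn(cert['issuer'])}' is not a trusted root")
    return problems


if __name__ == "__main__":
    # Browsing by IP fails the SAN check; browsing by hostname passes.
    for target in ("10.0.0.1", "cucm-pub.example.local"):
        print(target, "->", diagnose(PEER_CERT, target, TRUSTED_ROOT_CNS) or "OK")
    # Same hostname, but the root CA was never pushed to the PC.
    print("no root ->", diagnose(PEER_CERT, "cucm-pub.example.local", set()))
```

Running it shows the thread's outcome in miniature: `10.0.0.1` fails only because the SAN list carries DNS names and no IP entry, while the hostname passes once the DC's root CA is in the trust set. If you want an IP to work as well, it has to be added as an IP SAN when the CSR is generated; importing the CUCM server cert itself into the trust store, rather than the root, would not fix either problem.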

Actually, I was going to the server by IP. Once I went to the actual hostname that the cert was ok with, no error. Thanks again for the assist.
