
Transferring certificates between Call Manager VMs.

R_Acuti
Level 1

Hi all,

I have two VMs in a lab running UCS 11.5 that can no longer communicate with each other, but I have verified that there is a path between them.

A search indicates that I have lost some certificates between the two servers, IPSEC, specifically.

When I attempt to upload the missing Tomcat cert (PEM), the upload is denied with a red "X" stating "Self-signed certificate."

What am I doing wrong here?

Many thanks for any help.



kevin.vines
Level 1

You may need to download the IPSEC, TOMCAT, Callmanager, etc. certs from UCM 1 and upload them to UCM 2 as IPSEC-trust, Tomcat-Trust, Callmanager-Trust, etc. and then do the same from UCM 2 to UCM 1. Essentially, the cert from one server goes into the trust store for the other server. If you try to load a cert from one server as the cert for another server, as you've discovered, that will fail.

Right, I'm trying to do exactly as you suggest...at least, I think I am!

I'm downloading these certs from UCM1 and attempting to upload them into UCM2 and am getting this error.

To be more specific, you should be trying to download the certs from UCM1 and upload them to the certificate trust store of UCM2, and vice versa.

So for example with the ipsec cert, you would download the ipsec cert .pem file from UCM1 and then log into the platformadmin of UCM2 and after clicking "Upload Certificate/Certificate Chain" you would select "ipsec-trust" from the dropdown menu and NOT "ipsec".

Kevin,

Thanks. I'll look at it again more carefully and give it a try.

Rich

After carefully re-reading your post, everything clicked and I was able to upload the certs to the trust stores. Thank you.

Unfortunately, this has not cleared the "Connection to the Server cannot be established(Certificate Exception)" error.

Could some of these certs be corrupt? Do I need to regenerate any of them?

You may need to repeat for tomcat/tomcat-trust and callmanager/callmanager-trust certs as well in both directions (i.e., from UCM1 to UCM2 and from UCM2 to UCM1).

Does this apply even if I can see these certs in each other's trust stores?

I was missing an ipsec on one server and a CallManager cert on the other server, but all other certs seem intact on both servers. I also restarted Tomcat as the one server directed me to, once I uploaded the missing Tomcat cert.

Sorry Kevin,

I have fixed the problem between servers. The missing certs were definitely a problem, but there was a setting in the OS Admin GUI that was also out of whack. All is working, and thanks very much for your help.


Rich A.
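
The both-directions rule from this thread written as a check, added here as an example and not part of any post or of Cisco's tooling: each node's ipsec, tomcat and callmanager cert must be present, by fingerprint, in the peer's matching `-trust` store. It assumes the certs and trust-store contents were already downloaded as PEM text; the `SAMPLE` data, `sample_pem` and the dict layout are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PURPOSES = ("ipsec", "tomcat", "callmanager")  # identity stores named in the thread

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM file or chain."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def audit(nodes):
    """List (owner, purpose, peer, problem) for each broken trust relationship."""
    findings = []
    for owner, odata in nodes.items():
        for peer, pdata in nodes.items():
            if peer == owner:
                continue
            for purpose in PURPOSES:
                own = fingerprints(odata["identity"].get(purpose, ""))
                trusted = fingerprints(pdata["trust"].get(purpose + "-trust", ""))
                if not own:
                    findings.append((owner, purpose, peer, "owner has no identity cert"))
                elif not own <= trusted:
                    # Compared by fingerprint, so a regenerated cert whose old
                    # copy is still listed in the peer's store is caught too.
                    findings.append((owner, purpose, peer, "not in peer trust store"))
    return findings

def sample_pem(label):
    """Constructed placeholder bytes wrapped as PEM; stands in for a real download."""
    b64 = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed lab state: UCM2 lacks UCM1's ipsec cert, UCM1 holds an old UCM2 cert.
SAMPLE = {
    "UCM1": {"identity": {p: sample_pem("UCM1-" + p) for p in PURPOSES},
             "trust": {"ipsec-trust": sample_pem("UCM2-ipsec"),
                       "tomcat-trust": sample_pem("UCM2-tomcat") + sample_pem("UCM1-tomcat"),
                       "callmanager-trust": sample_pem("UCM2-callmanager-OLD")}},
    "UCM2": {"identity": {p: sample_pem("UCM2-" + p) for p in PURPOSES},
             "trust": {"ipsec-trust": "",
                       "tomcat-trust": sample_pem("UCM1-tomcat"),
                       "callmanager-trust": sample_pem("UCM1-callmanager")}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
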