Cisco Unity Connection 11.5.1 CA cert renewal

samimondo
Level 1

Can someone share instructions or documentation on how to do a CA SAN cert renewal for CUC? If you've ever done it, what services would need to be restarted? Thanks for your help.


8 Replies

Jaime Valencia
Cisco Employee

Generate a CSR, download it, sign it, upload the signed cert. Depending on the certificate, you'll get a notification of what services need to be restarted after it's successfully uploaded.

HTH

java

if this helps, please rate

Anthony Holloway
Cisco Employee


You do most of this on the Publisher only.

You log in to OS Admin, go to Security > Cert Mgmt, then click Generate CSR. Pick Multi Server SAN, generate it, then close the pop-up window. On the main window, a new Download CSR button appears. Click it. Save it.

Now at this point the process is very different depending on who your CA is. But the basic thing is, your CA takes your CSR and then gives you back an Identity Certificate. You will also need the CA cert, and again, depending on who your CA is, you might even need one or more intermediate certificates too. Think of it like: "any friend of my friend is a friend of mine".

Regardless of whether you have 1 root CA certificate, or 1 root and 20 intermediates, you will always upload the root CA cert to tomcat-trust first, then upload all remaining intermediate certs to tomcat-trust in the order they sign each other. E.g., if A signs B and B signs C, then you upload them in A > B > C order.

Finally, you upload your Identity certificate (this is "the certificate" for CUC) to Tomcat.

You do this next part on both Pub and Sub servers:

The only service you need to restart is Cisco Tomcat, and you need to do it on the command line with: utils service restart Cisco Tomcat.
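As an added example that is not part of this thread or of any Cisco tooling, the following POSIX shell script uses openssl to pre-check, offline, exactly what the upload order above depends on: that the root and intermediates are in A > B > C signing order, that the identity cert verifies against the root (and fails without it), and that every node FQDN is in the Multi-Server SAN. The file names (root.pem, inter.pem, cuc.pem) and the FQDNs cuc-pub.example.com / cuc-sub.example.com are constructed; the script builds a throwaway root / issuing CA / identity chain so it runs without a real CA.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-checks a renewed CUC SAN cert and its CA
# bundle before anything is uploaded: chain order, verification against the root,
# and SAN contents. A constructed stand-in PKI is generated so it runs offline;
# with a real renewal you would point the functions at the files your CA returned.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# --- constructed stand-in PKI: root -> issuing CA -> identity cert ---
printf 'basicConstraints=critical,CA:TRUE\n' > ca.cnf
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cuc-pub.example.com,DNS:cuc-sub.example.com\n' > leaf.cnf
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Example Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.cnf -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Example Issuing CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.cnf -out inter.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout cuc.key -out cuc.csr \
  -subj '/CN=cuc-pub.example.com' 2>/dev/null
openssl x509 -req -in cuc.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.cnf -out cuc.pem 2>/dev/null

# DN after the "subject=" / "issuer=" prefix, so the two can be compared as strings.
dn() { openssl x509 -noout -"$1" -in "$2" | sed 's/^[^=]*=//'; }

# chain_order_ok A B C ...: each cert's issuer must be the previous cert's subject,
# i.e. the files are in the A > B > C order in which they go into tomcat-trust.
chain_order_ok() {
  prev=$1; shift
  for cert in "$@"; do
    [ "$(dn issuer "$cert")" = "$(dn subject "$prev")" ] || return 1
    prev=$cert
  done
}

# verify_chain ROOT INTER LEAF: 0 only if LEAF chains to ROOT through INTER, ignoring
# the default CA file/directory. Pass "" as ROOT to reproduce the missing-root failure.
verify_chain() {
  if [ -n "$1" ]; then trust="-CAfile $1"; else trust=""; fi
  openssl verify -no-CAfile -no-CApath $trust -untrusted "$2" "$3" >/dev/null 2>&1
}

# san_has CERT FQDN: every node in the cluster must appear in the Multi-Server SAN.
san_has() { openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"; }

chain_order_ok root.pem inter.pem cuc.pem && echo "upload order root > issuing > identity: OK"
verify_chain root.pem inter.pem cuc.pem && echo "identity verifies against root: OK"
verify_chain "" inter.pem cuc.pem || echo "without the root CA the identity cert does not verify"
san_has cuc.pem cuc-sub.example.com && echo "subscriber FQDN present in SAN: OK"
```

The third check reproduces the symptom resolved later in this thread: an identity cert that looks fine on its own still fails to verify when the root CA has not been loaded.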

When I try to generate the CSR, select SAN and hit Generate, it errors out with the following: "CSR Export operation failed for the node (node name)". It suggests doing the following, which I've confirmed are not the issue:

- Check if the Cisco Tomcat Service and the Platform Administrative Web Service are running.
- Check if the nodes are not powered down.
- Ensure there are no connectivity issues among the nodes in the cluster and perform the operation again.

Please help

I have two nodes and I had to generate the SAN CSR on the sub. Does anyone know if that would cause any issues? I got the cert signed and my next step is to upload it. I plan on uploading it on the pub under tomcat-trust; please let me know if the steps and actions I've taken are correct.

You don’t upload the new certificate to the Tomcat-trust store, you should upload it to the Tomcat store. The system will then take care of putting it into the needed trust store, Tomcat-trust, and also distribute it to the other node(s) in the cluster.

Please have a look at this document for more details, even if it’s for CUCM the process is the same in CUC. https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

Normally you would generate the CSR on the publisher. I would recommend that you correct the issue that gives you the error and redo the process following the correct steps.


Have you seen this bug?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb38430/

It actually relates to a different product, but I believe you're facing the same issue.

What is your version of Unity Connection?

Does a regular Generate CSR (no multi-SAN) also show the same error?

The issue was resolved today (thank you Anthony). It turns out I was missing the root CA; once I uploaded the root CA I was able to successfully upload the SAN cert. I restarted the Tomcat service and everything looks good. Thanks again!

You're very welcome. It was nice talking to you on our Webex session. I'm glad you're all set!