
Regenerate certificates in Unity Connection

tony loktu
Level 1

Hi

I've got a warning that the self-generated certificates (tomcat.der, ipsec-trust etc.) are about to expire.

I don't see in the admin guide what the consequences will be when I do this.

This is Unity Connection 9.1.2

Anyone know? 

/Tony


Deepak Rawat
Cisco Employee

IPSec Certificate is important for Disaster Recovery Framework (DRF) to work properly. With these certificates being expired, you might not be able to click on any option inside the DRF page, such as History, taking a manual backup etc. Even the scheduled backups can fail due to this.

Tomcat certificate is responsible for anything related to HTTPS communication, such as opening the CUC Administration page, navigating to another server from the Cisco Unified Serviceability page etc. In a nutshell, both of these certificates are most important for any UC application to work properly, hence you should regenerate them. Simply regenerate the Tomcat and IPSec certificates on the required servers within the CUC cluster and that will automatically regenerate the associated Tomcat-Trust and IPSec-Trust certificates.

Regards

Deepak

Hi Deepak

I was reading http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/security/guide/9xcucsecx/9xcucsec065.html and couldn't see that this would have much end-user impact. Is that correct?

Fixing the backup, if it fails should be easy. And Tomcat only has admin-impact (admin-pages).

/Tony

From an end-user perspective, it will only have an impact where they use some service running out of CUC that uses an HTTP/HTTPS URL; one that I can think of right now is Visual VoiceMail. In CM, there is a huge impact, since a lot of end users are using Extension Mobility and other phone-based services running on HTTP/HTTPS. Even from an admin-impact perspective, I do not see why someone would need to face an exception every time they open the web page, and you also cannot forget that end users within CUC often need to open their user-based page within CUC as well.

Fixing the backup, if it fails should be easy.

Not very easy if it fails due to the IPSec certificate error.

Regards

Deepak

Hi Deepak

Then I should be OK to regenerate the tomcat certificate.

Why would it be hard to stop the scheduled backups and set up a new one? Shouldn't that use the new ipsec certificate?

/Tony

You will not even be able to set up a new backup location or a new scheduled backup task if the IPSec certificates are expired.

Shouldn't that use the new ipsec certificate?

And when will that happen?? Only once the certificates are regenerated again. Hence, go ahead and regenerate the certificates, followed by a restart of Cisco Tomcat and Cisco DRF Master & Local.

Regards

Deepak

Hi

Sorry for not making it clear: I thought it was obvious that the services needed to be restarted.

btw: everything works and the new updated certificates work.

/Tony

Ah no issues Tony :) Glad that it worked fine for you and the certs had been regenerated successfully.

Regards

Deepak

Hi Deepak

One last question:

I have three tomcat-trust certificates, one of which is expired. How do I know if it's in use somewhere?

Or can I just delete it?

Prime Collaboration is complaining about that one.

/Tony

Certificates are not used on a per-user/instance basis. Simply go ahead and delete it, as they do not have a direct dependency on anything to function properly.

Regards

Deepak
