Re: CA-signed CUP certificate upload failure

RAustin70 · ‎04-11-2023

I am running a 2-node v12.5.1.15900-5 IM&P set up.

CUP Certificates are CA-Signed and set to expire on 5/19/23 (generating new ones early as I had several CA-Signed IPSEC certs expiring on 4/21 so I wanted to group them all together)

I generated CSRs for both Pub and Sub servers

Pulled down CA-Signed certificates and the Root/Sub CA Certificates

Installed root and Sub CA certs as cup-trust certs

Uploaded Pub Cert successfully

Sub Cert failed to upload with “Failed to perform the operation”. WHAT??

Things I have tried with no success:

-Regenerated new CSR and new Certificate

-Rebooted Sub

-Restarted SIP proxy service and Presence Engine on both servers

Before I open a TAC Case on this, I figured I would reach out and see if there was anything else I can check.

Where would I look in RTMT Logs to see what this generic error means?

RAustin70 · ‎04-11-2023

I found in the Audit Logs:

14:26:08.147 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload Certificate with Certificate Purpose=cup Description=Self-signed certificate FileName=CUP.cer failed App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
14:26:08.187 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload certificate cup failed. App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
15:57:06.070 |LogMessage --snip-- EventStatus : Success --snip-- AuditDetails : Generate Certificate Signing Request with Common Name=SubCUP.server Certificate Purpose=cup Distribution=This-server Parent Domain=area52.afnoapps.usaf.mil,SubCUP.server Key Length=2048 Hash Algorithm=SHA256 successful App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
15:57:27.855 |LogMessage --snip-- EventStatus : Success --snip-- AuditDetails : Download certificate cup. App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
16:06:36.607 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload Certificate with Certificate Purpose=cup Description=Self-signed certificate FileName=CUP.cer failed App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
16:06:36.608 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload certificate cup failed. App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
09:43:22.656 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload Certificate with Certificate Purpose=cup Description=Self-signed certificate FileName=CUP.cer failed App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
09:43:22.695 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload certificate cup failed. App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
09:53:24.529 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload Certificate with Certificate Purpose=cup Description=Self-signed certificate FileName=CUP.cer failed App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server
09:53:24.532 |LogMessage --snip-- EventStatus : Failure --snip-- AuditDetails : Upload certificate cup failed. App ID: Cisco Tomcat Cluster ID: Node ID: SubCUP.server

It seems to be trying to upload the certificate as Self-Signed?

kpfender · ‎01-25-2024

From my experience I was able to work this issue out between myself and one of my colleagues. In case you encounter an upload failure to Tomcat, it is necessary to upload the signing CA and Root certificates to the "tomcat-trust" for successful uploading of the .pem file to the “tomcate”. Work with your certification authority (CA) provider to furnish you with the CA and Root certificates.

Navigate to the Operating System Administration by selecting "Navigation" in the upper right-hand corner. Proceed to the "Security" tab, and from the dropdown menu, select "Certificate Manager." This action will direct you to the Certificate list, where all your certificates are displayed.