cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18052
Views
115
Helpful
15
Replies

CUCM 11.5 // Certificate expiration Feb 2020 : VeriSign_Class_3_Secure_Server_CA_-_G3

Hello

 

On my CUCM servers I see that the following certificate ( VeriSign_Class_3_Secure_Server_CA_-_G3) goes to expire on Feb,2020.

So I would like to know what is the goal (usage ) of this certicate ?

And how I can renew ( replace ) this certificate ?

It's really importante to replace it or not ?

I understand this certicate is automaticvally implement by Cisco during the CUCM installation.

Also I have the same certificate UCCX solution.

Many thanks for your help.

Regards,

Christophe/

 

1 Accepted Solution

Accepted Solutions

Chris Deren
Hall of Fame
Hall of Fame

It's a public cert installed in Tomcat-Trust that comes pre-installed on Cisco apps for "Call Home Server Certificate" feature in case you need to communicate with Cisco Home server.  If you are not using that feature you do not require this cert and can just remove it.  If you need it you'll need to download the new root cert from VeriSign and install into Tomcat-trust.  

View solution in original post

15 Replies 15

Chris Deren
Hall of Fame
Hall of Fame

It's a public cert installed in Tomcat-Trust that comes pre-installed on Cisco apps for "Call Home Server Certificate" feature in case you need to communicate with Cisco Home server.  If you are not using that feature you do not require this cert and can just remove it.  If you need it you'll need to download the new root cert from VeriSign and install into Tomcat-trust.  

Hi Chris,

 

Thanks for your answer.

Perfect for my comprehension.

Have good day.

Christophe/

 

Hi Chris,

Is this documented somewhere? I've been looking for the past month.

Hi Chris,

as we are facing the same issue an we are unsure about the call home feature could you provide a documentation about the call home server and its usage. Furthermore is there any way to verify the use of a certificate by a trace or report etc.

Thanks in advance
BR
Michael

Hi Chris,

I have got the same expiration notification on our Call Manager. I would like to renew the VeriSign_Class_3_Secure_Server_CA_-_G3 certificate. Would you please let me know where I can download it.

I only found the root certificates to download on the Symantec web site.

Thanks in advance

Vitali

You can use 

 

-----BEGIN CERTIFICATE-----

MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB

yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp

U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW

ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0

aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw

CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV

BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs

YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC

AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb

A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW

9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu

s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T

L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK

Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T

AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu

Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw

HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg

hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v

Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG

A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E

FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz

Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny

H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W

Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG

QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t

TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY

Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=

-----END CERTIFICATE-----

 

from https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_5_1SU1/adminGd/cucm_b_administration-guide-1251SU1/cucm_b_test-adminguide_chapter_010101.html#CUCM_RF_S51EEA0B_00

Has anyone had any luck with this? I followed the instructions outlined - saved as a .pem file, uploaded to call manager (which said it was successful), then restarted tomcat services as instructed by call manager.  After service restart, the only copy of this certificate is this nearly expired one.  Do I need to remove the old certificate first?  

You need to delete the old certificate and then or before (does not matter as long as CN on cert is different) upload the new one into the tomcat-trust store.

I have: 

 

  1. Deleted the old certificate from call manager
  2. Restarted tomcat service using "utils service restart Cisco Tomcat"
  3. Copied the text from the linked guide, pasted it into notepad, removed extra line breaks and saved it as whatever.pem
  4. Uploaded whatever.pem into call manager as a Tomcat-Trust certificate 
  5. Restarted tomcat service using "utils service restart Cisco Tomcat"

I still do not have the new VeriSign_Class_3_Secure_Server_CA_-_G3  Did I miss something?

 

According to SSL cert decoder the CN of the cert posted in the doc is "QuoVadis Root CA 2", do you not see that?

Remember the name of the cert is not that important, it's what trust store it's on that establishes the trust and how other trusted certs use it.  When you upload the cert you can always add description to make it easier for yourself to find it later in CUCM.

Hi Chris,

 

In the following Bug ID, there was a description for PLM in addition to CUCM.
There was a statement that PLM was the only way to remove providing COP files.

 

Bug ID: CSCvs64158

 

Can I check if the certificate corresponding to PLM is included or deleted?

For example, can it be confirmed with CLI commands?

I believe the reference is for standalone PLM server. If you are running standalone reference and need to or want to renew the cert you would need to follow that workaround.  If your PLM is colocated with another node such as CUCM then the documented procedure for CUCM applies.

Thanks.
It worked

Thanks for your answer.

PLM is located in the same location as CUCM, so I will follow the steps of CUCM.