CuCM / CuC Tomcat certificate renewal

agup
Level 1

We have an upcoming Tomcat certificate renewal. So far it has been a pretty simple process, but this year the CA is saying please do not include 'OU' in the generated CSR, as they are now issuing certificates without the 'OU' field.

Now, when you generate a CSR in CuCM / CuC, there is no way to control what fields are included. So, if I send the CSR with the 'OU' field and the CA sends the certificate without 'OU' and then I try to upload that new cert onto the server, will it be accepted or rejected?

I read somewhere in Cisco docs that 'OU field is optional for Cisco UC products', but my questions are:

  1. If the CSR (with OU) and the certificate issued by the CA (without OU) mismatch because of the OU field, will it be a problem when we try to upload the new certificate to CuCM / CuC? We are running CuCM / CuC version 11.5.1.
  2. If the answer to the above question is yes, then what if we get a new root / intermediate / device cert without the OU from Digicert? Can we install these when there is an already existing and valid root / intermediate / device cert on the CuCM / CuC?

collinks2
Level 5
I don't know much about "OU". What do you stand to achieve with having "OU" in the CSR? What I use is the CUCM multi-SAN certificate. With that you install the Tomcat certificate automatically across all nodes in the cluster. If you want to use multi-SAN, please remove "ms" in the common name for CUCM.

This is not a multi-SAN certificate. This is a CA-signed Tomcat certificate for the CuCM / CuC Publisher.

I don't think that it would be a problem, but likely you won't know until you try it. On your second question, yes, you can upload new CA certs to the trust store. You can have as many different root CA certs as you'd like. However, the OU information for your CM does not come from the information in the CA root certificate. That's a configuration in CM that is made during initial installation.

Jaime Valencia
Cisco Employee

There's an enhancement request for this:


F15522 - Make OU as non mandatory part of CSR
CSCwa75870  


If the private key from the signed certificate matches that of the CSR, you should have no problem importing the certificate.

HTH

java

if this helps, please rate
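The check Jaime describes, as an added example that is not part of this thread: the CSR keeps its OU, the certificate comes back without it, and what has to agree is the public key in the CSR, the certificate and the private key. It assumes the openssl CLI, uses a throwaway test CA in place of the real one, and uses placeholder names; the CSR is generated with openssl here, where on CuCM it would come from OS Administration.

```shell
#!/usr/bin/env sh
# Constructed demo: key + CSR carrying an OU, a throwaway CA that issues the
# certificate with the OU dropped, then the key-match check. All names are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA standing in for the real issuing CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/C=US/O=Example Lab/CN=Example Test CA" -days 1 2>/dev/null

# Server key and the CSR actually submitted; its subject includes an OU.
openssl req -newkey rsa:2048 -nodes -keyout tomcat.key -out tomcat.csr \
  -subj "/C=US/ST=State/L=City/O=Example Org/OU=Collab/CN=cucm-pub.example.com" 2>/dev/null

# The CA keeps the key but issues with a subject that has no OU. Simulated here by
# re-wrapping the same key in an internal, OU-less request the throwaway CA signs.
openssl req -new -key tomcat.key -out ca-internal.csr \
  -subj "/C=US/ST=State/L=City/O=Example Org/CN=cucm-pub.example.com" 2>/dev/null
openssl x509 -req -in ca-internal.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out tomcat.crt -days 1 2>/dev/null

# SHA-256 over the DER public key carried by a CSR, a certificate or a private key.
pubkey_sha256() {
  case "$1" in
    *.csr) openssl req  -in "$1" -noout -pubkey ;;
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *.key) openssl pkey -in "$1" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when CSR, certificate and private key all carry the same public key,
# which is the condition for the signed certificate to be importable against this key.
keys_match() {
  [ "$(pubkey_sha256 tomcat.csr)" = "$(pubkey_sha256 tomcat.crt)" ] &&
  [ "$(pubkey_sha256 tomcat.crt)" = "$(pubkey_sha256 tomcat.key)" ]
}

# Returns 0 when the submitted CSR has an OU and the issued certificate does not.
ou_dropped() {
  openssl req -in tomcat.csr -noout -subject | grep -q 'OU *=' &&
  ! openssl x509 -in tomcat.crt -noout -subject | grep -q 'OU *='
}

keys_match && ou_dropped && echo "same key, OU dropped by CA: certificate pairs with this key"
```

Run the same three pubkey_sha256 comparisons against the real CSR, the returned certificate and the server's key before uploading; a mismatch there, not the missing OU, is what would make the import fail.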

Thanks Jaime,

I found that enhancement bug. However, that does not solve my issue, as we would be able to upgrade the servers from 11.5.1 to 14.x in the short period of time at our disposal.

However, your other statement is very interesting. To understand it clearly: if we get the certificate without OU from the CA, and if the private key of the CSR and the new cert match, then we should be good to install it on the servers. Please confirm if my understanding is good.