I recently had to replace expired tomcat certs in my CUCM publisher and Unity Connection servers. After generating a CSR and obtaining Verisign certificates for the servers, I had problems installing the necessary Verisign intermediate and root CA certificates.
The TAC helped me out. Following is a summary of the procedure that worked.
- On the Verisign website there were four CA certs listed under Standard Intranet: primary intermediate, secondary intermediate, RSA root, DSA root
- I downloaded the primary and secondary intermediate and saved as primary_intermediate.cer and secondary_intermediate.cer. I downloaded the RSA root and it saved as pca3-g5.cer.
- Uploaded pca3-g5.cer as Certificate Name tomcat-trust.
- Do not enter anything in the Root Certificate line
- This installed without a problem
- Uploaded secondary_intermediate.cer as Certificate Name tomcat-trust
- Got error: Could not parse certificate: java.io.IOException: Unsupported encoding
- I opened the .cer on my Firefox browser and the cert showed fine.
- Selected the Details tab and selected Copy to File
- I selected the DER encoded binary X.509 format and saved the file
- Note that this file still uses .cer as an extension
- Uploaded this to CUCM as tomcat-trust with Root Certificate listed as the name of the RSA root cert that I just loaded. In my case the name was VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem. Cisco TAC indicated that the suffix must be changed from .der to .pem
- Now the cert uploads without a problem
- After doing the same conversion on the primary intermediate cert, attempted to upload as Certificate Name tomcat-trust
- Upload failed with an error saying it's a duplicate of the root
- Apparently the primary intermediate cert was a copy of the root, so it wouldn’t load
- This cert is not required
- Now uploaded the new Verisign cert that I had purchased as Certificate Name tomcat.
- Entered the name of the secondary intermediate cert as the Root Certificate, again replacing the suffix with .pem. In my case the name was VeriSign_Class_3_Secure_Server_CA_-_G3.pem
- Restarted Tomcat from the CLI
- utils service restart tomcat
- On Unity it was
- utils service restart Cisco Tomcat
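An added pre-check script (mine, not from the original post or from Cisco) that catches the two upload failures above before you touch the CUCM GUI: it normalizes each downloaded CA file from PEM or DER to DER, flags files in an encoding the uploader would reject, and flags a file that is byte-for-byte identical to one already loaded, which is what the primary intermediate turned out to be. The certificate bytes in SAMPLE_FILES are constructed placeholders, not real certificates.

```python
"""Pre-check CA certificate files before uploading them as tomcat-trust."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return one X.509 cert as DER from a PEM (LF/CRLF, optional UTF-8 BOM) or DER file."""
    if data.startswith(b"\xef\xbb\xbf"):          # UTF-8 BOM some Windows editors add
        data = data[3:]
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # A DER certificate is one SEQUENCE (tag 0x30) whose length covers the whole file
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a PEM or DER X.509 certificate")
    if der[1] & 0x80:                               # long-form length
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:                                           # short-form length
        total = 2 + der[1]
    if total != len(der):
        raise ValueError("DER length does not match file size")
    return der


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def plan_uploads(files: dict[str, bytes]) -> tuple[list[str], dict[str, str]]:
    """Return (files to upload, in order) and {skipped file: reason}."""
    seen, upload, skipped = {}, [], {}
    for name, data in files.items():
        try:
            fp = fingerprint(to_der(data))
        except ValueError as e:
            skipped[name] = f"unsupported encoding: {e}"
            continue
        if fp in seen:                              # same cert under a second name
            skipped[name] = f"duplicate of {seen[fp]}"
            continue
        seen[fp] = name
        upload.append(name)
    return upload, skipped


# Constructed placeholder DER blobs (minimal ASN.1 SEQUENCEs), not real certificates
ROOT_DER = b"\x30\x05\x02\x03\x01\x02\x03"
SECONDARY_DER = b"\x30\x05\x02\x03\x04\x05\x06"
SAMPLE_FILES = {
    "pca3-g5.cer": ROOT_DER,
    "primary_intermediate.cer": b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(ROOT_DER) + b"\r\n-----END CERTIFICATE-----\r\n",
    "secondary_intermediate.cer": b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SECONDARY_DER) + b"\n-----END CERTIFICATE-----\n",
    "bad.cer": b"\xff\xfe-----BEGIN CERTIFICATE-----",   # UTF-16 BOM, unusable as-is
}

if __name__ == "__main__":
    print(plan_uploads(SAMPLE_FILES))
```

Run it against the real files you downloaded instead of SAMPLE_FILES; anything listed under "duplicate of" does not need to be uploaded.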