04-22-2021 01:48 AM
Hi,
I am in the process of creating new certs for our CUCM cluster, which are expiring in a month.
In preparation: I wanted to upload the new Root CA and new Sub CA in advance.
Important remark (I think): the old and new CAs have the same Subject field.
It seems that the new Sub CA certificate replaces the old one. (I can no longer find the old one, which had the same common name.)
Does this mean that if I rebooted my cluster now I would have serious Tomcat issues, as my certificate chain is no longer correct? Can I fix this by simply uploading the old Sub CA certificate again?
Also, I tried to upload the new Root CA as well (which also has the same Subject field as the old one). But that simply did nothing. It gives no errors, but when looking at Certificate Management I see the old Root CA, not the new one that I just tried uploading. Do I need to delete that one first before uploading? If so, why did it work for the Sub CA?
Friendly greetings,
04-22-2021 01:57 AM
What do you mean by sub CA? AFAIK it's root and intermediate CA. If your old and new Root/Intermediate CA are the same and the Root/Intermediate certificate is still valid, there is no need to upload the root/intermediate certificate again.
04-22-2021 02:32 AM
I mean Root and Intermediate CA (Sub CA). These new Certificates have other Serials and other expiration dates. So I consider them new. They have the same common name (Subject Field).
04-22-2021 03:59 AM
Do they come from a different CA or is it the same one, just with updated end date(s)?
04-22-2021 04:35 AM
For the Root CA and Intermediate CA the serials and thumbprints are different, BUT the Subject Key Identifier for the old and new one are the same, and the Previous CA Certificate Hash of the new (Root/Intermediate) CA contains the thumbprint of the old one. I think this means that the Root/Intermediate CAs are based on the previous one. Expiration dates are of course different.
04-22-2021 04:43 AM
In preparation: I wanted to upload the new Root CA and new Sub CA in advance. You can do it at the same time as you upload the new server certificate. What advantage are you going to get if you upload the root one month before?
Important remark (I think): the old and new CAs have the same Subject field. The new and old Root/Intermediate certificate, are they from the same CA?
It seems that the new Sub CA certificate replaces the old one. (I can no longer find the old one, which had the same common name.)
Does this mean that if I rebooted my cluster now I would have serious Tomcat issues, as my certificate chain is no longer correct? Can I fix this by simply uploading the old Sub CA certificate again? If the new and old Root/Intermediate are from the same CA, there won't be any issue.
Also, I tried to upload the new Root CA as well (which also has the same Subject field as the old one). But that simply did nothing. It gives no errors, but when looking at Certificate Management I see the old Root CA, not the new one that I just tried uploading. Do I need to delete that one first before uploading? If so, why did it work for the Sub CA? Don't delete any existing certificate; upload both the new server and root certificates when ready.
04-23-2021 05:47 AM
Well, for starters: if I had done it as you proposed, I would be looking at this CA upload issue during the upgrade time window itself. At least annoying; having no direct access to Cisco TAC myself, I like to prepare/test as much as possible in advance.
The new and old root CA use the same keys; they have another date, and the CA Version field got bumped from 1.0 to 2.0.
If the CSR is signed by the new Intermediate/Root, but I have the new Intermediate together with the old Root CA in the tomcat-trust store, won't this create issues for the validation of the new Sub CA? Maybe not, as the "Authority Key Identifier" matches the Subject Key Identifier of the old/new root... Not sure...
I guess my biggest issue remains: why can't I upload this new root certificate?? It worked for the Intermediate but not for the root.
I even tried it using the CLI: set cert import trust tomcat
After pasting the cert, I got the message "Import of trust certificate is successful" back.
But when looking at the trust store (show cert list trust), nothing has changed...
Using the Certificate Management GUI it is exactly the same issue.
It just doesn't seem to get uploaded, although it says it does when you try. Bug??
Interesting also is that the other trust certificates that I uploaded all have a timestamp in the "locally uploaded" field (in the certificate GUI).
But the Root CA has no "locally uploaded" field defined when looking at the certificate in the Certificate Management GUI.
(Probably meaning that it was imported from the old configuration when migrating from CUCM 11.5 to 12.5, or ???)
Anyway, what do you guys think? To me it starts to look like a bug...
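The chain-validation question in the post above (intermediate issued by the old root, renewed root with the same key and subject but a new serial in the trust store) can be checked offline with plain openssl. The script below is an added example, not part of the thread and not Cisco code: it builds a throwaway PKI in a temporary directory, renews the root with the same key, and verifies the server certificate against the old root, the renewed root, and an unrelated root that merely shares the subject name. All subject names, serials and the keyid-only Authority Key Identifier profile are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: simulate a root CA renewed with the same
# key and subject (new serial and dates), with the intermediate and server cert
# issued under the OLD root, and check with openssl which roots validate the chain.
# Requires only the openssl CLI; all files go to a temporary directory.
set -e

build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Extension profiles. Assumed: the AKI carries only the issuer key id (keyid),
  # not issuer name + serial; see the usage note for why that matters.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/root.ext"
  { cat "$dir/root.ext"; echo 'authorityKeyIdentifier=keyid'; } > "$dir/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$dir/leaf.ext"

  for k in root other int leaf; do
    openssl genrsa -out "$dir/$k.key" 2048 2>/dev/null
  done

  # One CSR for the root; the same key and subject are reused for the renewal
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 \
    -days 30 -extfile "$dir/root.ext" -out "$dir/root-old.pem" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 2 \
    -days 3650 -extfile "$dir/root.ext" -out "$dir/root-new.pem" 2>/dev/null
  # Same subject name but a DIFFERENT key: an unrelated CA, not a renewal
  openssl req -new -key "$dir/other.key" -subj "/CN=Example Root CA" -out "$dir/other.csr" 2>/dev/null
  openssl x509 -req -in "$dir/other.csr" -signkey "$dir/other.key" -set_serial 1 \
    -days 30 -extfile "$dir/root.ext" -out "$dir/root-other.pem" 2>/dev/null

  # Intermediate issued by the OLD root, server certificate issued by the intermediate
  openssl req -new -key "$dir/int.key" -subj "/CN=Example Sub CA" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root-old.pem" -CAkey "$dir/root.key" \
    -set_serial 10 -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=cucm.example.test" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -set_serial 100 -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Exit status 0 when LEAF ($3) chains to the trusted ROOT ($1) via the untrusted INTERMEDIATE ($2)
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Subject Key Identifier of a certificate (the value on the line after the extension name)
ski_of() {
  openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# "yes" when two certificates carry the same SKI, i.e. the same public key, else "no"
same_ski() {
  if [ "$(ski_of "$1")" = "$(ski_of "$2")" ]; then echo yes; else echo no; fi
}

WORK=$(mktemp -d)
build_pki "$WORK"

# Thumbprints differ (new serial, new dates) while the SKI is identical (same key)
echo "old root: $(openssl x509 -in "$WORK/root-old.pem" -noout -fingerprint -sha256)"
echo "new root: $(openssl x509 -in "$WORK/root-new.pem" -noout -fingerprint -sha256)"
echo "same SKI on old and new root: $(same_ski "$WORK/root-old.pem" "$WORK/root-new.pem")"
for root in root-old root-new root-other; do
  if chain_verifies "$WORK/$root.pem" "$WORK/int.pem" "$WORK/leaf.pem"; then
    echo "$root: chain OK"
  else
    echo "$root: chain FAILS"
  fi
done
```

Both the old and the renewed root validate the chain, because the intermediate's Authority Key Identifier only names the key, and that key (hence the SKI) did not change; the root with the same subject but a different key is rejected. The caveat is the AKI profile: if an intermediate's AKI also embeds the issuer name and serial number of the original root, a renewed root with a new serial will not be matched as its issuer, so check the intermediate's AKI with `openssl x509 -noout -text` before relying on a same-key renewal. This only answers the chain-validation question; it does not model why the CUCM trust store accepted the intermediate but silently kept the old root.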
04-28-2021 05:09 AM
Update:
It seems that this issue with the Root CA was not limited to CUCM but also affected Presence and Unity Connection. I opened a case with Cisco for this, but no real answer came from them. So I just tried some ideas on my least important system: Unity Connection.
In the end, the solution is to just delete the affected Root Certificate and upload the new one. This did not impact my Tomcat as I had feared it might (as long as you don't reboot or restart the Tomcat service).
I also had another issue, which was more annoying, with my Presence server.
The Tomcat for Presence went as usual, but the cup-xmpp procedure did not... Deleting the Root CA or Intermediate CA from the cup-xmpp-trust did not work. After a few minutes it just got synced back.
In the end I solved this cup-xmpp-trust issue by stopping the Intercluster Sync Agent on both Presence servers, then manually deleting the affected certificates and uploading the new ones. After this I could restart the Intercluster Sync Agent again. And of course terminate Presence with a restart of the XCP Router.
I hope this helps someone...