
UC Platform Cert Issue

Justin Ferello
Level 5

Hey all,

We are in the process of replacing our certs on UCM, CUC & CCX. We are using our own internal CA, which has a root and an intermediate. Our certs are signed by the intermediate. All our UC products are running 10.5.

I upload the CA root to tomcat-trust, then the CA intermediate to tomcat-trust and finally I upload the server cert to tomcat and I get the following error:
java.security.cert.CertPathBuilderException: Could not build a validated path.

Anyone have any ideas, or has anyone else used intermediates with the UC platforms? By the way, this happens on every tomcat on all UC platforms.

When I view the server cert on my Windows desktop, the chain is valid and all the certs in the chain are loaded up. All the certs involved in the chain are SHA256 and 2048 encryption.

We have a TAC case open with Cisco and they just keep telling us the certs are bad... However, they cannot tell us why.

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

Jaime Valencia
Cisco Employee

It seems that sometimes the order in which you upload those certs can cause problems; apparently someone solved this by uploading the intermediate CA, then generating the CSR, uploading the server certificate, and then uploading the root CA.

Some others followed the same procedure as you, and it worked for them.

In most other cases, the issue was with the signing of the CSR, using root or intermediate certs that were outdated, problems with the signature algorithm, etc.

If you have access to your CA server, have you tried downloading the root and intermediate from there and comparing them to what you uploaded?

Have you tried restarting Tomcat?

HTH

java

if this helps, please rate

Jaime,

Thanks for the information. I have seen that other thread, and I don't understand why that would work, though; plus all my CSRs are already generated and signed. I would hate to start all over and not even know that it would work 100%.

What I don't understand is how Cisco does not know the correct method to upload the certs, or whether intermediates are supported, or why the UC platform is even denying the certs. They keep telling me my certs are invalid but not what is invalid about them; how can I fix something when I don't know what is wrong with it?

I think the problem has to do with linking. In previous versions of UC software, when you uploaded a CA cert there was a field for "root certificate name" which manually linked the intermediate to the root. This field is not available in 10.5, and I think that is the issue.

Yes, I have even restarted the entire servers.

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

In spite of the fact that I've done this often, I was having a heck of a time getting a new CUCM cluster to accept the certificate I was uploading. This was in spite of the fact that I verified that all other certs in the chain were correctly uploaded as tomcat-trust. I tried Justin's method, though, and it worked. That's 5 stars for you, sir.

As an aside, if you need to combine certs into a single PK7 file, this is a good link: http://www.entrust.net/knowledge-base/technote.cfm?tn=7915

It's expecting that you'll have added the intermediate and root certs into the Windows store on your personal computer.

Justin Ferello
Level 5

For anyone that runs into this issue, I figured it out, no thanks to Cisco :)

You need to combine the server cert, intermediate and root into a PK7 file.

You can combine them in Windows using the built-in crypto extension.

For example, when trying to load a 3-tier cert to tomcat, do not load anything into the tomcat-trust store; just upload the PK7 directly to the tomcat store and the UC platform will put the root and intermediate into the tomcat-trust store automatically.

Thanks,
Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ