Unity Connection (CUC) root certificate location?

maxmeisel

Hello community,

 

any help on this matter is highly appreciated. I hope my findings so far will already help others, and I hope we can finalize the information as well. Here is what I have so far:

 

admin:show cert list own
lists all service certificates; trust for the trust-store

 

shows me the certificate and also the PEM format of the certificate
admin:show cert own tomcat/tomcat.pem

 

Alternatively, I can get all UC certificates from the own/trust store in PEM format from the database:
admin:run sql select certificate from certificate

 

BUT

 

Cisco Unity Connection Administration:
Telephony Integrations > Security > Root Certificate

This certificate isn't listed there; I don't know how to get the information I see in the web GUI to show on the CLI.
Unfortunately, I haven't found any database schema documentation. I only came across Cisco Utilities Data Link for Informix (CUDLI), which I wasn't able to run and which seems outdated for the recent CUC version 14.
Doing it manually without being a programmer is a pain ... I started to look at the top level:
run cuc dbquery unitydirdb select tabname from systables
run cuc dbquery unitydyndb select tabname from systables
run cuc dbquery unitymbxdb1 select tabname from systables
run cuc dbquery unityrptdb select tabname from systables
run sql select tabname from systables
but all deeper digging didn't show me any results.


Does anybody know how to obtain the CUC root certificate information through SSH from the CLI, or know where it is stored?

 

Thanks and cheers,

Max

1 Accepted Solution

The important question is:

Do you have a secure SIP trunk between CUCM and CUC? If no, then you don't need to monitor this cert.

Because, AFAIK, this is the only purpose where this root-ca-cert comes into play.

And then, why would I monitor something that isn't used?

 

And if you have a secure SIP trunk, then you would need to upload this cert to CUCM callmanager-trust.

So, you could monitor it from there.


4 Replies 4

You cannot get the root certificate of any CVOS system if you don’t have root access, and this requires TAC assistance. However, they will not give you the root certificate, as it’s not meant to be retrievable. May I ask what you want it for?


Hi Roger, thanks for your reply, but I have to disagree: you can get and change the root certificate for CUC (which is used for the CUCM-CUC secure SIP trunk implementation), so far only via the web GUI as far as I know:

Cisco Unity Connection Administration:
Telephony Integrations > Security > Root Certificate

 

The purpose is: I'm looking for a way to view it from the CLI to implement an automatic check of the certificate parameters. Currently it requires a web hook to receive that information from the web site (see below), as I don't know how to obtain it via the CLI. As I can get all other certificates, I assume there is also a way for this certificate; at least I hope it is also saved in the SQL database? Or at least in a location I can open from the CLI in PEM format, like all the other certificates, with:

run sql select certificate from certificate

 

Here's a screenshot; as you can see, the information is given, but as mentioned only via the web GUI as far as I know:

 

image.png

Hi b.winter,

 

At least this is a great workaround: the CUC root certificate is limited to being self-signed, so we have no chain to struggle with, and the CUC root cert is exactly the one that needs to be put in the CUCM callmanager trust-store, and from there I can get it in PEM format from the CLI.

 

Not pretty, but I guess better than nothing, thanks a lot for your input! Still hoping that the CUC root might be somewhere in the database to be discovered...

 

Cheers,

Max
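
The automatic check discussed in this thread, run against PEM text saved from the CUCM CLI output, could look like the following. This is an added example, not part of the original posts; the function names, the constructed sample certificate and the 30-day default are assumptions, and "self-signed" is tested here by comparing subject and issuer names rather than by verifying the signature.

```shell
#!/bin/sh
# Added example: validate a certificate pasted out of a CLI session.

# Print the first PEM certificate found in mixed CLI text read from stdin,
# dropping carriage returns and leading indentation left by the terminal.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {gsub(/\r/, ""); sub(/^[ \t]+/, ""); print}
         /-----END CERTIFICATE-----/ {if (p) exit}'
}

# check_cert FILE DAYS: prints a verdict and returns 0 only for "OK".
check_cert() {
    pem=$(extract_pem < "$1")
    [ -n "$pem" ] || { echo "NO_CERT"; return 3; }
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 ||
        { echo "UNPARSEABLE"; return 3; }
    subject=$(printf '%s\n' "$pem" |
        openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(printf '%s\n' "$pem" |
        openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    # The thread states the CUC root certificate is self-signed,
    # so a differing issuer means this is not the certificate we expect.
    [ "$subject" = "$issuer" ] || { echo "NOT_SELF_SIGNED"; return 2; }
    # -checkend exits non-zero if the cert expires within the given seconds.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo "OK"
    else
        echo "EXPIRES_WITHIN_${2}_DAYS"; return 1
    fi
}

# Constructed sample: throwaway self-signed cert wrapped in CLI-like text
# with CRLF line endings. make_sample OUTFILE VALID_DAYS
make_sample() {
    key=$(mktemp)
    { echo "[ constructed CLI output ]"
      openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -days "$2" \
          -subj "/CN=cuc-root.example.test" 2>/dev/null
      echo "admin:"; } | awk '{printf "%s\r\n", $0}' > "$1"
    rm -f "$key"
}

# Stand-alone use: ./check.sh saved_cli_output.txt [days]
if [ -n "${1:-}" ]; then check_cert "$1" "${2:-30}"; fi
```
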
