
04-27-2022 08:50 AM
Hello community,
Any help on this matter is highly appreciated. I hope my findings so far will already help others, and I hope we can finalize the information as well. Here is what I got so far:
admin:show cert list own
lists all service certificates, trust for the trust store
shows me the certificate and also the PEM format of the certificate
admin:show cert own tomcat/tomcat.pem
alternatively I can get all UC certificates from own/trust store in PEM format from Database:
admin:run sql select certificate from certificate
BUT
Cisco Unity Connection Administration:
Telephony Integrations > Security > Root Certificate
This certificate isn't listed there. I don't know how to get the information I see in the web GUI to show on the CLI.
Unfortunately I haven't found any database schema documentation. I only came across Cisco Utilities Data Link for Informix (CUDLI), which I wasn't able to run and which seems outdated for the recent CUC version 14.
Doing it manually without being a programmer is a pain ... I started to look at the top level:
run cuc dbquery unitydirdb select tabname from systables
run cuc dbquery unitydyndb select tabname from systables
run cuc dbquery unitymbxdb1 select tabname from systables
run cuc dbquery unityrptdb select tabname from systables
run sql select tabname from systables
but all deeper digging didn't show me any results.
Does anybody know how to obtain the CUC root certificate information through SSH from the CLI, or know where it is stored?
Thanks and cheers,
Max
Accepted Solutions
04-28-2022 01:31 AM
The important question is:
Do you have a secure SIP trunk between CUCM and CUC? If no, then you don't need to monitor this cert.
Because, AFAIK, this is the only purpose where this root-ca-cert comes into play.
And then, why would I monitor something that isn't used?
And if you have a secure SIP trunk, then you would need to upload this cert to CUCM callmanager-trust.
So, you could monitor it from there.
04-27-2022 11:12 PM
You cannot get the root certificate of any CVOS system if you don’t have root access, and this requires TAC assistance. However, they will not give you the root certificate, as it’s not meant to be retrieved. May I ask what you want it for?
04-28-2022 12:29 AM
Hi Roger, thanks for your reply, but I have to disagree: you can get and change the root certificate for CUC (which is used for the CUCM-CUC secure SIP trunk implementation), so far only by web GUI as far as I know:
Cisco Unity Connection Administration:
Telephony Integrations > Security > Root Certificate
The purpose is, I'm looking for a way to view it from the CLI to implement an automatic check of the certificate parameters. Currently it requires a web hook to receive that information from the web site (see below), as I don't know how to obtain it via CLI. As I can get all other certificates, I assume there is a way for this certificate as well; at least I hope it is also saved in the SQL database, or at least in a location I can open from the CLI in PEM format like all the other certificates with:
run sql select certificate from certificate
Here's a screenshot. As you can see, the information is given, but as mentioned, only by web GUI as far as I know:

04-29-2022 02:47 AM
Hi b.winter,
At least this is a great workaround. The CUC root certificate is limited to being self-signed, so we have no chain to struggle with, and the CUC root cert is exactly the one that needs to be put in the CUCM callmanager trust-store, and from there I can get it in PEM format from the CLI.
Not pretty, but I guess better than nothing, thanks a lot for your input! Still hoping that the CUC root might be somewhere in the database to be discovered...
Cheers,
Max
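
Added example (not part of the thread and not Cisco tooling): one way to run the automatic check described above once the certificate is available as PEM in a saved CLI session, assuming a monitoring host with openssl installed. The function names, status strings and the sample capture are constructed for illustration, and the subject/issuer comparison is a name check only, not a signature verification.

```shell
#!/bin/sh
# Added example: check a PEM certificate pulled out of captured CLI session text.
# Assumption: openssl is available on the monitoring host (not on the UC server).

# extract_pem: read session text on stdin, print only the first PEM block.
# SSH captures often carry CR line endings, so those are stripped first.
extract_pem() {
    tr -d '\r' | awk '
        /-----BEGIN CERTIFICATE-----/ && !done { p = 1 }
        p { print }
        /-----END CERTIFICATE-----/ && p { p = 0; done = 1 }'
}

# cert_status FILE [DAYS]: print OK, EXPIRING, NOT_SELF_SIGNED or UNREADABLE.
# Always returns 0 so callers can capture the status string safely.
cert_status() {
    pem=$1
    limit=$(( ${2:-30} * 86400 ))
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo UNREADABLE; return 0; }
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 2>/dev/null)
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo NOT_SELF_SIGNED        # name mismatch: not the self-signed root
    elif openssl x509 -in "$pem" -noout -checkend "$limit" >/dev/null 2>&1; then
        echo OK                     # still valid after DAYS days
    else
        echo EXPIRING               # expires (or has expired) within DAYS days
    fi
}

# make_sample_capture DIR DAYS: constructed test input. Generates a throwaway
# self-signed certificate and wraps it in made-up session text with CRLF endings.
make_sample_capture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-cuc-root" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    printf 'admin:(constructed session text)\r\n'
    awk '{ printf "%s\r\n", $0 }' "$dir/cert.pem"
    printf 'admin:\r\n'
}

# Demo: a certificate valid for 10 days, checked against a 30-day threshold.
tmp=$(mktemp -d)
make_sample_capture "$tmp" 10 | extract_pem > "$tmp/captured.pem"
echo "30-day threshold: $(cert_status "$tmp/captured.pem" 30)"
```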
