08-26-2016 09:20 AM - edited 03-19-2019 11:31 AM
Hello All,
CallManagers (*1 Pub and 2 Subs): v10.5(2)
While logged into CUCM-03's Serviceability page I am unable to access CUCM-01 or CUCM-02's Network Services page. I receive the error below:
"Connection to the Server cannot be established(Certificate Exception)"
So checking in the Certificate Management page of CUCM-03, I can see there are a few expired CallManager-trust Certs for CUCM-01 & CUCM-02. FYI, if I log into CUCM-01 and/or CUCM-02 I can view all 3 CallManagers' services without issue.
So my question is, what Certificate do I need to upload from each of the other 2 CallManagers in order to get this working again on CUCM-03?
Do I just need to download CUCM-01/02's Cert that is just labeled: "CallManager" under the Certificate column...? Then upload both .pem files to CUCM-03 as "CallManager-trust" certs?
If that's what I need to do, the filenames of those 2 certs are just called "CallManager.pem". So would I need to rename those 2 certs from CUCM-01 and CUCM-02 to something other than just "CallManager.pem", since they would both have the same filename?
Any thoughts or suggestions would be greatly appreciated.
Thanks in Advance,
Matt
08-26-2016 10:31 AM
For these kinds of issues, you generally need to collect CUCM admin logs at debug level, and they would clearly tell what's going wrong. But as you said the CallManager certs are expired, I would suggest you upload them on CallManager03 as a trust. Now regarding the naming convention of certs, I don't think it would make any difference. It only depends on the CN value inside the cert. Also please do check the status of the tomcat certificates as well for all respective servers.
08-26-2016 11:56 AM
Hey Varundeep, thanks for your reply, much appreciated!
Before I got your reply, I started going through each of the "tomcat" Certs on each of the 3 CUCM servers and the Serial Numbers inside those certs were not matching up to what the "tomcat-trust" certs were showing in CUCM-03.
So just to be safe, I decided to Regenerate each "tomcat" cert on each of the 3 CUCM servers. After I did that it looks like the newly generated tomcat Cert got automatically uploaded to each of the other CUCMs as "tomcat-trust" Certs. And to verify this I checked into each of the tomcat and tomcat-trust certs, and the Serial numbers were now matching up to each of the respective Certificates on all 3 CUCMs.
I then restarted the Cisco Tomcat service on all 3 CUCMs, and about 5 minutes later, everything is now working as it should.
Thanks Again,
Matt
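The serial-number comparison described in the post above can also be done offline with `openssl` on PEM files downloaded from each node's Certificate Management page. This is an added example, not part of the original thread; the host name, file names and the 30-day warning window are constructed assumptions, and the demo generates throwaway self-signed certs as sample input.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Host name and file names are constructed.

# Serial number of a PEM certificate, as hex without the "serial=" prefix.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# SHA-256 fingerprint; two files hold the same certificate only if this matches.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Compare a node's identity cert ($1) with the trust copy a peer holds ($2).
# $3 = warning window in days (default 30). Prints one word describing the state.
check_trust() {
  local id="$1" trust="$2" days="${3:-30}"
  if ! openssl x509 -in "$trust" -noout -checkend 0 >/dev/null; then
    echo EXPIRED                      # peer is holding an expired trust copy
  elif [ "$(cert_serial "$id")" != "$(cert_serial "$trust")" ] ||
       [ "$(cert_fp "$id")" != "$(cert_fp "$trust")" ]; then
    echo MISMATCH                     # peer trusts a different (older) cert
  elif ! openssl x509 -in "$trust" -noout -checkend $((days * 86400)) >/dev/null; then
    echo EXPIRING                     # same cert, but inside the warning window
  else
    echo MATCH
  fi
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=cucm-01.example.test" -days "$2" -out "$1" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_cert "$d/tomcat-old.pem" 365     # cert the peer still trusts
  make_cert "$d/tomcat-new.pem" 365     # cert after a regenerate on the node
  make_cert "$d/tomcat-short.pem" 7     # cert close to expiry
  check_trust "$d/tomcat-new.pem" "$d/tomcat-old.pem"       # stale trust copy
  check_trust "$d/tomcat-new.pem" "$d/tomcat-new.pem"       # trust copy updated
  check_trust "$d/tomcat-short.pem" "$d/tomcat-short.pem"   # matches, due soon
  rm -rf "$d"
}

demo
```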
08-26-2016 12:10 PM
Great. It's actually the responsibility of the tomcat service to let you navigate from the serviceability page of one server to another. That's why I requested you to check the tomcat certs as well.
08-26-2016 12:42 PM
Yea, you were correct for the tomcat certs... After a lot more digging online that's what I had found out about the tomcat certs and that issue I was seeing...
Not sure if this is too off topic, but to get rid of the Security error/warning that you see once you navigate to "https://<cucm-ip>/" and you get the security error. Is that something where you need to run the Generate CSR from CUCM > OS Admin > Cert Management. And then submit that CSR to an internal Windows CA-Server?
Or, do you happen to know of any good Guides that are out there, specific to Unified Communications servers and that issue I described above... We recently just got our first Windows CA server, and I was hoping I could fix that security error with it.
If not, that's ok. And thanks again for your comments on this discussion.
Thanks Again,
Matt
08-26-2016 01:00 PM
In case you want your Windows browser to not show the certificate error while opening the CUCM admin page, then download the tomcat certificate from the CUCM server and install/deploy it in the enterprise trust store of your PC. If your tomcat certs are signed by a CA, then you have to install/deploy the CA root cert in the enterprise trust store of the PC.