Joe Costello
Beginner

renewal of Multi-server(SAN) certificate

I need to renew a couple of multi-server (SAN) certificates for my environment.  Does anyone have a good link on the renewal process?  All I could find were how to do them from scratch.  I am uncertain if I need to select the certificate in the GUI and select generate CSR or regenerate CSR.  Or should I just leave those and do a new fresh CSR?

When I click on generate CSR, it tells me:

"Generating a new CSR for a specific certificate type will overwrite the existing CSR for that type". 

Regenerate gives me a different warning:

Multi-server certificate of this type is already in use.
The current multi-server certificate will be replaced by this single-server certificate. It is recommended that you perform this operation on every server to ensure there is a single certificate of this type for each server.

Anyone ever renewed these?

Thanks

12 REPLIES
Jaime Valencia
Hall of Fame Cisco Employee

It's pretty much the same as doing this for the first time, no difference. You'll need to generate a CSR; if you already have one, you need to download that CSR and have it signed.

If you're not sure that CSR is the one you want, or with the specs you need, simply create a new one, and the previous one will no longer be valid.

Yes, if you're going from a multi-server, in which you had to generate just a single CSR for all the servers, now you'll need to generate a CSR PER server, have it signed, and then upload to each server.

Again, the renewal process is basically the same as going from self-signed certs to CA signed certs.

HTH

java

if this helps, please rate


Ok, I did this and it worked.  Only had one issue, but maybe it's because this is a Unity cluster and they function differently than a CUCM/Presence cluster.  I uploaded the multi-server cert to my primary Unity server first and restarted Tomcat, and that one was done and working normally.  I checked the other secondary Unity server I have in my cluster and it showed that I had created a CSR from the primary BUT it never got the certificate from the primary for the Tomcat service. Tried restarting Tomcat on the secondary but it still didn't get the cert. I thought it was supposed to be pushed to this server from the primary?  Anyway, I uploaded the same cert to the secondary (it's a SAN cert), restarted Tomcat, and then it was working normally.  Maybe that's expected behavior for a Unity cluster?  I am doing my CUCM/Presence cluster next, hoping it replicates on these ones correctly.

Thanks for the quick advice and help.

This was the post that helped me out. Just moved to MS-cert for Unity cluster and found it didn't propagate as expected, but uploading the new cert as a Tomcat cert on the secondary server with a restart of the Tomcat service worked.

Is it possible to re-use the same CSRs for the CA to re-sign (if all values remain equal)? Will the phone system take the updated certificates?
Jaime Valencia
Hall of Fame Cisco Employee

No, if you generated a CSR, had it signed, and uploaded the signed certificate, that CSR is no longer available to download, nor can it be re-used. With CUCM and other products that use the same blueprint, they're one-time-use CSRs.

If you see the option to download a CSR, that means the signed certificate has not been uploaded and you can still use that CSR.

HTH

java

if this helps, please rate

Thanks for the quick reply - that is exactly the clarification I needed.

Hi Jaime

Just to clarify, I created a Tomcat multi-server (SAN) certificate by generating a CSR and took the opportunity to move to SHA256. The CSR was signed by our internal root CA.

The certificate is due to expire, and while the option is there to regenerate, if I select regenerate I get the warning "The current multi-server certificate will be replaced by this single server certificate...".

Is it not possible to regenerate a multi-server certificate and have it remain a multi-server certificate?

Best

No, the self-signed certificates from CUCM are PER SERVER certificates, not multi-SAN certs.

If you want to re-generate it and go back to self-signed certs, that's the way it works.

If you want a multi-SAN cert, you need to generate the CSR and sign it with a CA to then upload it.

HTH

java

if this helps, please rate

Thank you, that was the bit I had misunderstood... regeneration of a certificate, including ones originally signed by an external CA, effectively reverts them to self-signed. Doh! It makes sense now I think about it!

Richard

Deepak Rawat
Cisco Employee

Adding to what Jaime said, generating a new CSR or regenerating an existing one (pretty much the same thing) will invalidate the existing CA-signed certificates, and the system will automatically start using self-signed system-generated certificates for the time being. Once you get the certificates for the new CSR signed by the CA, simply upload them back and you will be good again.

Regards

Deepak

Jaime Valencia
Hall of Fame Cisco Employee

No, that's wrong: generating a CSR will not invalidate any existing certificates, neither self-signed nor CA-signed. It also won't generate any system-generated cert and use it just because you request a CSR; that's also wrong.

Any existing certificates will continue to work, and they will only be replaced by another certificate once you upload the signed server certificate from the current CSR request.

HTH

java

if this helps, please rate

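Three checks worth running on the files themselves before uploading a signed multi-server certificate, written here as an added example that is not part of this thread and not Cisco code: whether the certificate your CA returned still carries the public key of the CSR the server is currently holding (the practical meaning of "one-time-use CSR" above: once the CSR is regenerated, the server has a new private key and the old signed certificate no longer corresponds to anything it holds), whether the SAN list names every node you intend to upload it to (the Unity secondary above only worked once the same SAN cert was uploaded there), and how close to expiry it is. Everything below is built offline with the openssl CLI: the cluster hostnames, the throwaway "internal root CA" and the second, "regenerated" CSR are all constructed for the example. In real use the CSR is the one downloaded from the server's OS Administration page and the certificate is the one your CA returned.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: offline checks on a
# CSR / signed-certificate pair. All hostnames, the "internal root CA" and the
# second ("regenerated") CSR are constructed so the script runs stand-alone.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed cluster: one publisher and two subscribers (hypothetical names).
CLUSTER="cucm-pub.example.internal cucm-sub1.example.internal cucm-sub2.example.internal"

# Write an openssl config whose SAN extension lists every node given.
write_san_config() {                       # $1 = output path, $2.. = node names
    out="$1"; shift
    san=""
    for node in "$@"; do
        san="${san}${san:+,}DNS:${node}"
    done
    cat >"$out" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
O = Example Org
[ext]
subjectAltName = $san
EOF
}

# SHA-256 fingerprint of the public key carried by a CSR or a certificate.
csr_pubkey_fp()  { openssl req  -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# Returns 0 when the certificate was signed from this CSR (same public key).
# If the CSR was regenerated in between, the keys differ and the server no
# longer holds a private key for the certificate.
csr_matches_cert() {                       # $1 = csr, $2 = cert
    [ "$(csr_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# DNS names from the certificate's subjectAltName, one per line (empty if none).
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' \
      | tail -n 1 \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' \
      | grep -v '^$' || true
}

# A multi-server (SAN) certificate must name every node it will be uploaded
# to. Prints any node missing from the SAN list; returns 0 only if none are.
cert_covers_nodes() {                      # $1 = cert, $2.. = node names
    cert="$1"; shift
    names="$(cert_san_names "$cert")"
    missing=""
    for node in "$@"; do
        printf '%s\n' "$names" | grep -qx "$node" || missing="$missing $node"
    done
    [ -z "$missing" ] || { echo "not covered by SAN:$missing"; return 1; }
}

# Returns 0 when the certificate expires within $2 days. Note that
# `openssl x509 -checkend` answers the opposite question (0 = will NOT expire).
cert_expires_within() {                    # $1 = cert, $2 = days
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# ---- constructed fixtures: throwaway root CA, current CSR, the certificate
# ---- signed from it, and a second CSR as "Regenerate CSR" would produce ----
write_san_config "$WORK/san.cnf" $CLUSTER      # word-splitting on purpose
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 -config "$WORK/san.cnf" \
    -subj "/CN=Example Internal Root CA" -out "$WORK/ca.crt"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
openssl req -new -key "$WORK/server.key" -sha256 -config "$WORK/san.cnf" -out "$WORK/server.csr"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/san.cnf" -extensions ext \
    -out "$WORK/server.crt" 2>/dev/null
# Regenerating the CSR means a new key pair, so this CSR does not match the cert.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server2.key" 2>/dev/null
openssl req -new -key "$WORK/server2.key" -sha256 -config "$WORK/san.cnf" -out "$WORK/server2.csr"

CSR="$WORK/server.csr"; CERT="$WORK/server.crt"; NEW_CSR="$WORK/server2.csr"

# Stand-alone run: the report you would want before clicking "Upload Certificate".
if csr_matches_cert "$CSR" "$CERT"; then echo "signed cert matches current CSR: OK"; else echo "MISMATCH"; fi
if csr_matches_cert "$NEW_CSR" "$CERT"; then echo "unexpected"; else echo "cert does not match the regenerated CSR: expected"; fi
if cert_covers_nodes "$CERT" $CLUSTER; then echo "SAN covers every cluster node: OK"; fi
if cert_expires_within "$CERT" 30; then echo "renew now"; else echo "not expiring within 30 days: OK"; fi
```

The key-fingerprint comparison is the one check that decides whether a certificate can be uploaded at all; the SAN and expiry checks only tell you whether it is the certificate you wanted. Run the SAN check against the full node list of the cluster, since a multi-server certificate that omits a subscriber will still upload fine on the publisher and only fail on the node it does not name.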

Jaime is right on this part.  I have started the process of generating a new CSR and my current certificate is still working normally.  Thanks for all the help and advice, I think this will get me going in the right direction.  I'll update this thread when I complete the process or if I run into anything along the way.

Thanks!
