Showing results for 
Search instead for 
Did you mean: 

ILS works without exchanging the certs


According to Cisco guide if you have 'use tls certificates' the only option checked off then you must exchange tomcat certs between the publisher of hub and spoke cluster.

Recently in my lab server the tomcat cert expired and i had uploaded new CA cert both on hub and spoke a month back and still I can see the ILS last contact time updating without any issues. Please see below screenshots, below is the cert of hub cluster with the expiry

Below is the list of certs in spoke cluster with hostname: edipvluccmlab01 tomcat-trust list, the cert that i have of hub cluster is an expired one

Below is the snapshot of ILS configuration from spoke cluster, you can see i've just the TLS certificate check box ticked.


i was expecting it to show like below, which is from another cluster




3 Replies 3

Roger Kallberg
VIP Expert VIP Expert
VIP Expert

Looks like you use CA signed certificates. With this your CM nodes will have the CA root and if applicable intermediate certificates in the tomcat trust store and with this you don’t need to exchange the tomcat certificate between your nodes.

Response Signature

that is applicable when you have both use TLS certs and use password checked off , not when you have just use TLS certificates option checked off


since the ILS should have broken logically, i thought to restart ILS and see what happens and as soon as i restarted ILS, the connection brokebroke.JPG


I've finally opened a TAC case and they have asked for logs to find out the cause for this behavior

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers