Annoying Security Certificate errors

jessakhanian
Level 1

Hello,

We are trying to figure out how to stop the Security Certificate errors that come up every time you enter the CCMAdmin/CCMuser webpages. We are running CUCM 7.0.2. TAC told us to install the certificate (that's presented by the call manager upon logging in) on the client machine and then access the website using the FQDN of the server. This works, but that means we have to hit every PC that needs access to these pages. Is there anything that can be done on the server end with the Security Certificates? Someone told us we should generate a new certificate (or CSR?), download them to a CA server, sign it, and have it re-imported back onto the call manager.

Does this sound right? Any feedback would be greatly appreciated.

Thanks,

Joseph E.


jbayuka
Level 5

You may use a Certificate Authority (CA) signed certificate with CallManager. Try the steps:

1. Download the Root Certificate from your CA (rename the file root) and upload it to CUCM's OS administration page as a "Tomcat-Trust" certificate.

2. Generate a CSR and select "Tomcat" for the type.

3. Download the CSR to your PC.

4. Upload the CSR to your CA server to get it signed (you probably can do that through the 3rd party's website).

5. Save the signed certificate from the 3rd party back to your computer.

6. Upload the signed certificate to CallManager from the OS administration page as a "Tomcat" and make sure that you enter in the root certificate field, "root" (what you named the file from step 1, without the quotes).

7. Restart Cisco Tomcat from the CLI (utils service restart Cisco Tomcat).

Hi,

We have installed a cert and root cert from a CA, although after a Tomcat restart it is still using the original self-signed cert. How do I select which cert is in use or do I just need to delete the self-signed cert and then reboot Tomcat again?

Jason

Make sure you install the certs correctly.

There are two kinds of certs in the cert chain - CA certs and end-entity certs.


For example, the cert representing your box is "cucm01.acme.local".  This is the end-entity cert.

"cucm01.acme.local" was issued by a CA called "parent.someCA.com".

"parent.someCA.com" was issued by a CA called "grandparent.someCA.com".  And "grandparent.someCA.com" is the top (root) CA.

In this case, you'll need to do the following to upload the certs:

1) Upload "grandparent.someCA.com" as "Tomcat Trust" cert.

2) Upload "parent.someCA.com" as "Tomcat Trust" cert.

3) Upload "cucm01.acme.local" as "Tomcat" cert.  In the "Root Certificate" field, you should fill in the .pem file name of its parent.  How to find out the .pem file name of the parent?  You may list all the certs on the OS admin page > Security > Certificate Management.

Of course, you need to restart "Cisco Tomcat" after that.

Hope this helps!

Michael

Hi Michael,

Thanks for your reply. This is the process which I followed. I have tried this several times but still the self-signed cert is in use. For reference we are running 7.1.3(b).

When uploading the end-entity cert and entering the CA cert name, should the .pem extension be included? E.g. should you enter 'CARoot.pem' or just 'CARoot'?

Are there any useful logs which would point to the reason for this not working?

Thanks

Jason

Do you have an intermediate CA?  If yes, you should enter the direct issuer, NOT the root CA.

You have to enter the actual file name (including .pem) in the "certificate management" list.  If you could upload some screenshots of your certificate list page from "OS Admin" page, that'll be helpful.

Michael

Hi Michael,

Thanks, I have tried it both with and without the .pem and still no success. We have no intermediate issuer, the cert is issued directly from the root. Please find attached screenshots.

Jason

Didn't see the screenshot. 

Michael

From the screenshot, you made a mistake at step 3.  You should upload it as "Tomcat", not "Tomcat Trust".

Michael

Thanks Michael, that is now working perfectly. It is so obvious now! I thought it didn't look right.

Thanks for your assistance.
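
The upload order worked out in this thread (CA certs top-down as "Tomcat Trust", the server cert last as "Tomcat" with its direct issuer's .pem file name in the "Root Certificate" field) can be planned and checked before touching the server. The following is an added example, not part of the original posts and not Cisco code; the .pem file names and the `Cert` records are constructed, and in practice the subject and issuer values would be read with `openssl x509 -noout -subject -issuer -in <file>`.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    pem_file: str  # assumed file name as listed under Certificate Management
    subject: str
    issuer: str

# Constructed sample using the names from the thread.
SAMPLE = [
    Cert("cucm01.pem", "cucm01.acme.local", "parent.someCA.com"),
    Cert("parent.pem", "parent.someCA.com", "grandparent.someCA.com"),
    Cert("grandparent.pem", "grandparent.someCA.com", "grandparent.someCA.com"),
]

def upload_plan(certs, server_fqdn):
    """Return ordered (pem_file, upload_type, root_certificate_field) steps."""
    by_subject = {c.subject: c for c in certs}
    leaf = by_subject.get(server_fqdn)
    if leaf is None:
        raise ValueError(f"no certificate with subject {server_fqdn}")
    # Walk from the server cert up to the self-signed root.
    chain, current, seen = [], leaf, set()
    while current.subject != current.issuer:
        if current.subject in seen:
            raise ValueError("issuer loop in chain")
        seen.add(current.subject)
        parent = by_subject.get(current.issuer)
        if parent is None:
            raise ValueError(f"issuer certificate missing: {current.issuer}")
        chain.append(parent)
        current = parent
    if not chain:
        raise ValueError("server certificate is self-signed; no CA chain")
    # CA certs first (root down), all as trust entries; the server cert last,
    # naming its direct issuer's file, which is the root only if no intermediate.
    steps = [(ca.pem_file, "Tomcat Trust", None) for ca in reversed(chain)]
    steps.append((leaf.pem_file, "Tomcat", chain[0].pem_file))
    return steps

def check_uploads(plan, uploaded):
    """List files whose actual upload type differs from the plan."""
    return [f"{f}: uploaded as {uploaded.get(f)!r}, expected {t!r}"
            for f, t, _ in plan if uploaded.get(f) != t]
```

`check_uploads` flags the mistake found in the screenshots above: the server certificate uploaded as "Tomcat Trust" instead of "Tomcat".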
