CCMUser Page - certificate error - CUCM 5.1.3

mdoney2e2
Level 1

Hi,

I'm trying to remove the certificate error message on the CCMUser web page, when you first access the page. Is there any way to make the ccmuser page not require certificates, i.e. http rather than https? Alternatively, is there a way to use a CA to resolve the certificate? We have made some progress with trying to use a CA but have run into stumbling blocks. The documentation refers to X.509 extensions which need to be modified but doesn't make clear where this can be done.

We are using CUCM 5.1.3 and Internet Explorer 7. Any help / pointers would be appreciated.

5 Replies

htluo
Level 9

First of all, the "certificate warning" is web browser specific. e.g. if you were running IE6, you probably wouldn't even notice it.

The warning means: "this web site has a certificate, but I don't trust the issuers of the certificate"

By default, CUCM generates a self-signed certificate, whose issuer is itself. You may view the certificate from the web browser and add it to the web browser's trust store.

If you'd rather use a 3rd-party certificate, you need to follow the steps below:

1) Make sure your CallManager has proper DNS name set up.

Use CLI command 'show status' to see the host name

Use CLI command 'show network eth0' to see the domain name.

If you do not have the domain name set, use CLI command 'set network domain' to set a valid domain name for the CallManager.

2) Make sure your DNS server has an entry for your CallManager. Make sure the hostname/domain name matches what you see in step 1). Make sure you can access the CallManager CCMAdmin page by DNS name (e.g. https://cmpub.acme.com)

3) Download a CA certificate from your CA server (Encoding method: Base 64). Save it to your workstation (e.g. save as 'CARoot.cer')

4) Go to CallManager OS Administration web page -> Security -> Certificate Management -> Upload Certificate/CTL -> Upload Trust Cert -> tomcat-trust (leave the Root Cert Name blank) -> Browse to the file you downloaded in step 3) and click 'Upload'.

5) Go to CallManager OS Administration web page -> Security -> Certificate Management -> Download/Generate CSR -> choose tomcat and 'Generate a new CSR' -> Next.

6) Go to CallManager OS Administration web page -> Security -> Certificate Management -> Download/Generate CSR -> choose tomcat and 'Download CSR if any'. -> click on the 'continue' link -> right-click on tomcat.csr and save the csr file.

7) Get this csr to your CA server and let the CA issue a certificate. Save the certificate (e.g. 'ccm.cer')

8) Go to CallManager OS Administration web page -> Security -> Certificate Management -> Upload Certificate/CTL -> Upload Own Cert -> choose tomcat and put the file name you used in step 3) into 'Root Cert Name' (without any extension, e.g. 'CARoot') -> Browse to the file you got from step 7) and click 'Upload'.

9) Go to CallManager Serviceability web page -> Tools -> Control Center-network services -> restart 'Cisco Tomcat' (the web service).

Michael

http://htluo.blogspot.com/

Thanks ever so much Michael for the detailed response. I'll follow these steps and update this thread, thank you.

Hi Mike, we followed this and it helped immensely. We now have the web pages coming up without a certificate problem. Can't thank you enough for your help.

Best regards

Mark.

As far as I can see I have followed this exact procedure on CUCM 7.1.3(b) but after restarting the Tomcat service the original self-signed cert is still in use. I can see the new cert and root cert in the list but it is just not in use.

I thought perhaps I had to remove the original self-signed cert but there is no option to delete.

Am I missing something, is there anything else I can check?

I am running into a similar problem. However, when I try to upload the new Tomcat Certificate I get the error "TBSCertificateStructure contains no X509 extensions". I am at a loss and any help would be appreciated.

Thanks!
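
The upload error quoted in the last post says the certificate's TBSCertificate (the signed portion) carries no X.509 extensions. The following is an added example, not part of the thread or of any Cisco tooling: a Python check that reads the version and counts the extensions in a CA-issued certificate, such as the 'ccm.cer' from step 7, before it is uploaded. The function names are hypothetical, and `sample_cert` builds constructed skeletons with placeholder contents, not valid certificates.

```python
import base64

def tlv(tag, content=b""):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + content

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def tbs_summary(data):
    """Return (version, extension_count) from a PEM (Base 64) or DER certificate."""
    if b"-----BEGIN" in data:                # PEM: the body sits between the two marker lines
        data = base64.b64decode(data.split(b"-----")[2])
    outer, start, _ = read_tlv(data, 0)      # Certificate SEQUENCE
    inner, pos, end = read_tlv(data, start)  # TBSCertificate SEQUENCE
    if outer != 0x30 or inner != 0x30:
        raise ValueError("not an X.509 certificate")
    version, count = 1, 0                    # version is v1 when the [0] field is absent
    while pos < end:
        tag, vs, ve = read_tlv(data, pos)
        if tag == 0xA0:                      # [0] version: INTEGER 0, 1 or 2
            version = data[read_tlv(data, vs)[1]] + 1
        elif tag == 0xA3:                    # [3] extensions: SEQUENCE OF Extension
            _, xs, xe = read_tlv(data, vs)
            while xs < xe:
                xs = read_tlv(data, xs)[2]
                count += 1
        pos = ve
    return version, count

def sample_cert(with_extensions):
    """Constructed skeleton: correct tags, placeholder contents, not a valid cert."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    fields = [tlv(0x02, b"\x01"), seq(), seq(), seq(), seq(), seq()]  # serial, alg, issuer, validity, subject, SPKI
    if with_extensions:
        ext = seq(tlv(0x06, b"\x55\x1d\x0f"), tlv(0x04, b"\x03\x02\x05\xa0"))  # keyUsage
        fields = [tlv(0xA0, tlv(0x02, b"\x02"))] + fields + [tlv(0xA3, seq(ext))]
    der = seq(seq(*fields), seq(), tlv(0x03, b"\x00" * 257))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

To check a real file, call `tbs_summary(open("ccm.cer", "rb").read())`; a result of `(1, 0)` means a version 1 certificate with no extensions. On a workstation with OpenSSL, `openssl x509 -in ccm.cer -noout -text` shows the same fields.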