
CUCM CA generated Certificate - how to get access to private key

woodsbc
Level 1

My management is wanting me to get rid of the certificate error messages when users access the CCMUser website. We are running CUCM 7.0(2).

I think I understand the instructions for generating the CSR and uploading the CA generated certificate as well as the CA's own certificate.

My question is what if I have to rebuild the system (with the same name) due to a system dying? If I understand correctly, I would need access to the private key in order to re-import the CA generated certificate. Where would I get a hold of that private key for secure storage in that situation?

Thanks.

Brian

2 Replies

ivillegas
Level 6

Certificates are not replicated because they are something that is specific to the server. Even though you normally won't run into any security issues by re-using a certificate, best practice recommendations for PKI require each server to have its own certificate, and strongly recommend a new certificate for a server rebuild.

If the CSR and private key were generated by ACS, then it will be in a file already.

If the certificate was entirely generated on the CA server, then the private key is in Windows storage along with the certificate.

You can double-click on the enclosed file to get into certificate storage on your machine, and export the certificate as a PFX file, which includes the private key. Make sure to mark it exportable, and do NOT turn on strong key protection. It is advisable to protect it with a lengthy password.

htluo
Level 9

CUCM DRS will back up the certificates.

If you're asking about the physical location, it's at /usr/local/platform/.security/tomcat/keys

Michael

http://htluo.blogspot.com
