03-05-2009 12:04 AM - edited 03-15-2019 04:38 PM
Hello,
We are trying to figure out how to stop the Security Certificate errors that come up every time you enter the CCMAdmin/CCMUser webpages. We are running CUCM 7.0.2. TAC told us to install the certificate (that's presented by the Call Manager upon logging in) on the client machine and then access the website using the FQDN of the server. This works, but that means we have to hit every PC that needs access to these pages. Is there anything that can be done on the server end with the Security Certificates? Someone told us we should generate a new certificate (or CSR?), download it to a CA server, sign it, and have it re-imported back onto the Call Manager.
Does this sound right? Any feedback would be greatly appreciated.
Thanks,
Joseph E.
03-11-2009 11:12 AM
You may use a Certificate Authority (CA) signed certificate with CallManager. Try these steps:
1. Download the Root Certificate from your CA (rename the file root) and upload it to CUCM's OS administration page as a "Tomcat-Trust" certificate.
2. Generate a CSR and select "Tomcat" for the type.
3. Download the CSR to your PC.
4. Upload the CSR to your CA server to get it signed (you probably can do that through the 3rd party's website).
5. Save the signed certificate from the 3rd party back to your computer.
6. Upload the signed certificate to CallManager from the OS administration page as a "Tomcat" certificate, and make sure that you enter "root" in the root certificate field (what you named the file in step 1, without the quotes).
7. Restart Cisco Tomcat from the CLI (utils service restart Cisco Tomcat).
02-18-2010 03:27 AM
Hi,
We have installed a cert and root cert from a CA, although after a Tomcat restart it is still using the original self-signed cert. How do I select which cert is in use, or do I just need to delete the self-signed cert and then restart Tomcat again?
Jason
02-18-2010 05:57 AM
Make sure you install the certs correctly.
There are two kinds of certs in the cert chain - CA certs and end-entity certs.
For example, the cert representing your box is "cucm01.acme.local". This is the end-entity cert.
"cucm01.acme.local" was issued by a CA called "parent.someCA.com".
"parent.someCA.com" was issued by a CA called "grandparent.someCA.com". And "grandparent.someCA.com" is the top (root) CA.
In this case, you'll need to do the following to upload the certs:
1) Upload "grandparent.someCA.com" as "Tomcat Trust" cert.
2) Upload "parent.someCA.com" as "Tomcat Trust" cert.
3) Upload "cucm01.acme.local" as "Tomcat" cert. In the "Root Certificate" field, you should fill in the .pem file name of its parent. How do you find out the .pem file name of the parent? You may list all the certs on the OS admin page > Security > Certificate Management.
Of course, you need to restart "Cisco Tomcat" after that.
Hope this helps!
Michael
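The chain and upload slots Michael describes above (grandparent root CA, parent intermediate CA, end-entity cert for cucm01.acme.local), together with the CSR-and-sign steps from the first reply, as an added example that is not part of the original thread and not Cisco tooling: a POSIX shell script that builds a constructed three-level chain with openssl, reports which file belongs in which CUCM slot and what goes in the "Root Certificate" field, and verifies the chain. It assumes the certificate files are named after their CN (the names Michael uses) and that the "Root Certificate" value is the direct issuer's file name with its .pem extension, as stated later in the thread.

```shell
#!/bin/sh
# Constructed example (not from the thread or from Cisco): build a
# root -> intermediate -> cucm01.acme.local chain with openssl and check
# which file goes where before uploading anything to CUCM.
set -eu

# Scratch directory. Files are named after each cert's CN, which is how the
# thread assumes they appear under OS Admin > Security > Certificate Management.
WORK="${WORK:-$(mktemp -d)}"

ROOT="$WORK/grandparent.someCA.com.pem"     # upload as Tomcat-trust
INTER="$WORK/parent.someCA.com.pem"         # upload as Tomcat-trust
LEAF="$WORK/cucm01.acme.local.pem"          # upload as Tomcat (end-entity)

# Generate the whole chain. Idempotent so it can be called more than once.
build_chain() {
  [ -f "$LEAF" ] && return 0

  # Extensions: CA certs must carry CA:TRUE, the end-entity cert must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cucm01.acme.local\n' \
    > "$WORK/leaf_ext.cnf"

  # 1. Self-signed root CA ("grandparent").
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=grandparent.someCA.com" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null

  # 2. Intermediate CA ("parent"), signed by the root.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=parent.someCA.com" \
    -keyout "$WORK/parent.key" -out "$WORK/parent.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/parent.csr" \
    -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca_ext.cnf" -out "$INTER" 2>/dev/null

  # 3. End-entity CSR (the equivalent of CUCM's "Generate CSR", type Tomcat),
  #    signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=cucm01.acme.local" \
    -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/tomcat.csr" \
    -CA "$INTER" -CAkey "$WORK/parent.key" -CAcreateserial \
    -extfile "$WORK/leaf_ext.cnf" -out "$LEAF" 2>/dev/null
}

# Print the CN of the certificate that directly issued the given cert.
# Handles both the "issuer= /CN=x" and "issuer=CN = x" output styles.
direct_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Value for the "Root Certificate" field when uploading the end-entity cert
# as "Tomcat": the direct issuer's file name, .pem included (assumption from
# the thread, not verified against a CUCM release).
root_certificate_field() {
  printf '%s.pem\n' "$(direct_issuer "$1")"
}

# The chain validates only when both CA certs are trusted, i.e. both are in
# Tomcat-trust.
verify_chain() {
  openssl verify -CAfile "$ROOT" -untrusted "$INTER" "$LEAF" >/dev/null 2>&1
}

# With only the root trusted the leaf cannot be validated: the intermediate
# is missing from the trust store. Returns 0 when validation fails as expected.
leaf_without_intermediate_fails() {
  if openssl verify -CAfile "$ROOT" "$LEAF" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

build_chain
echo "Tomcat-trust : $(basename "$ROOT"), $(basename "$INTER")"
echo "Tomcat       : $(basename "$LEAF")"
echo "Root Certificate field: $(root_certificate_field "$LEAF")"
verify_chain && echo "chain verifies with both CA certs trusted"
leaf_without_intermediate_fails && echo "leaf alone does not verify against the root"
```

Running the script prints the slot for each file and the exact "Root Certificate" value; the last two checks show why every CA in the chain, not just the root, has to be uploaded as Tomcat-trust before the end-entity cert is uploaded as Tomcat.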
02-18-2010 06:21 AM
Hi Michael,
Thanks for your reply. This is the process which I followed. I have tried this several times but still the self-signed cert is in use. For reference we are running 7.1.3(b).
When uploading the end-entity cert and entering the CA cert name, should the .pem extension be included? E.g. should you enter 'CARoot.pem' or just 'CARoot'?
Are there any useful logs which would point to the reason for this not working?
Thanks
Jason
02-18-2010 06:25 AM
Do you have an intermediate CA? If yes, you should enter the direct issuer, NOT the root CA.
You have to enter the actual file name (including .pem) in the "certificate management" list. If you could upload some screenshots of your certificate list page from "OS Admin" page, that'll be helpful.
Michael
02-18-2010 06:37 AM
Hi Michael,
Thanks, I have tried it both with and without the .pem and still no success. We have no intermediate issuer; the cert is issued directly from the root. Please find attached screenshots.
Jason
02-18-2010 06:40 AM
Didn't see the screenshot.
Michael
02-18-2010 06:58 AM
From the screenshot, you made a mistake at step 3. You should upload it as "Tomcat", not "Tomcat Trust".
Michael
02-18-2010 07:27 AM
Thanks Michael, that is now working perfectly. It is so obvious now! I thought it didn't look right.
Thanks for your assistance.