Cisco Support Community
S N
New Member

CUCM - Tomcat.der certificate expired

 

 I got an RTMT alert related to tomcat.der certificate expired.

 

 At Mon Aug 04 21:00:16 CDT 2014 on node 10.203.12.10, the following SyslogSeverityMatchFound events generated: 

SeverityMatch : Critical

MatchedEvent : Aug  4 21:00:01 CUCM01 local7 2 : 195: CUCM01.TEST.COM: Aug 05 2014 02:00:01.21 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:tomcat.der Unit:tomcat Type:own-cert Expiration:Wed Aug 6 14:42:00:000 CDT ][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=CUCM01]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID : 

NodeID : CUCM01

Could you please help me solve this problem?

 

Regards

Sathya
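
The alarm text in the post above already names the certificate, the node and the expiry time. As an added example (not part of the original post and not Cisco tooling), this Python function parses that alarm and computes the time remaining; the name `parse_cert_alarm` and the time-zone abbreviation table are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: UTC offsets (hours) for the zone abbreviations this parser accepts.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EDT": -4, "EST": -5, "CDT": -5, "CST": -6,
              "MDT": -6, "MST": -7, "PDT": -7, "PST": -8}
ALARM_RE = re.compile(
    r"(?P<ev>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\.\d+ UTC\s*:\s*"
    r"%UC_CERT-(?P<sev>\d)-(?P<alarm>\w+):.*?"
    r"Certificate name:(?P<name>\S+) Unit:(?P<unit>\S+) Type:(?P<type>\S+) "
    r"Expiration:\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2}):\d{3} (?P<tz>[A-Z]+)"
    r".*?\[NodeID=(?P<node>[^\]]*)\]")

def parse_cert_alarm(line):
    """Return a dict describing one UC_CERT expiry alarm, or None if no match."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    event = datetime.strptime(m["ev"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    if m["tz"] not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone abbreviation: {m['tz']}")
    zone = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
    # The Expiration field has no year: try the years around the event and keep
    # the one closest to it, so a December alarm for a January expiry works.
    candidates = []
    for year in (event.year - 1, event.year, event.year + 1):
        try:
            candidates.append(datetime.strptime(
                f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S"
            ).replace(tzinfo=zone))
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
    expires = min(candidates, key=lambda d: abs(d - event))
    return {"node": m["node"], "certificate": m["name"], "unit": m["unit"],
            "type": m["type"], "severity": int(m["sev"]), "alarm": m["alarm"],
            "expires_utc": expires.astimezone(timezone.utc),
            "remaining": expires - event, "expired": expires <= event}

# Alarm text copied from the post above (syslog prefix trimmed).
SAMPLE = ("CUCM01.TEST.COM: Aug 05 2014 02:00:01.21 UTC :  %UC_CERT-2-CertValidfor7days: "
          "%[Message=Certificate expiration Notification. Certificate name:tomcat.der "
          "Unit:tomcat Type:own-cert Expiration:Wed Aug 6 14:42:00:000 CDT ]"
          "[AppID=Cisco Certificate Monitor][ClusterID=][NodeID=CUCM01]: Alarm to indicate "
          "that Certificate has Expired or Expires in less than seven days")

if __name__ == "__main__":
    print(parse_cert_alarm(SAMPLE))
```
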

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee


Regenerate the certificate if it's self signed, or generate a new CSR and have your CA sign it, then upload it.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
7 REPLIES
S N
New Member


 Thanks Jaime.

How can I find whether the previous certificate is self signed or not?

Please confirm:

1. Whether the new certificate can be uploaded after the previous certificate has expired; will there be any problem?

2. Whether any services or the server need to be rebooted.

3. How can we verify whether the certificates are proper?

 

Regards

Sathya


How can I find whether the previous certificate is self signed or not.

Two methods:

 

1 - Go to OS Administration ( https://SERVER/cmplatform/ )  and login. (Remember, this is the operating system ID and password and NOT the ID/Password you use to login to ccmadmin with.) Go to Security -> Certificate Management and click find. This will list all your certificates. The tomcat one is usually at the top. The right hand column will tell you if it's self-signed or not.

2 - Go to https://SERVER/cmplatform (no need to login) and click on the padlock to examine the certificate.

 

whether the new certificate can be uploaded after the previous certificate is expired, will there be any problem.

 

You can replace a certificate any time you want. You don't have to replace an expired certificate - but it's good practice to. (And it stops those annoying emails too!)

 

Any services or server needs to be rebooted.

 

For the Tomcat certificate, you have to restart the Tomcat service. This can only be done from the server CLI. So either login to the console, or SSH in (again, with the operating system ID & password) and type the command "utils service restart Cisco Tomcat" (NOTE: This is CaSe SeNsItIvE) Whilst this is restarting, all the web apps (ccmadmin, cmplatform, etc.) will be offline.

 

How can we verify whether the certificates are proper.

 

Not sure what you mean by this. If you mean: "How can I be sure the server is using the new certificate?" go to https://SERVER/ccmadmin and in your browser click the padlock to examine the certificate. HINT: You *may* have to restart your browser for it to notice the certificate change.

 

GTG

Please rate all helpful posts.
S N
New Member


Thanks for the explanation.

Last doubt: what is the impact if the certificate has expired?

Regards

Sathya


Annoying emails and people getting scary Certificate Expired warnings.

 

GTG

Please rate all helpful posts.
New Member


Hi

Can anyone help in

How can we regenerate the certificate if it's self signed, or

How to generate a new CSR and have your CA sign it, then upload it.


How can we Regenerate the certificate if it's self signed,

Click the "Generate Self-Signed" button in OS Administration -> Security -> Certificate Management

How to generate a new CSR and have your CA sign it, then upload it

Click the "Generate CSR" button. Once complete, click the "Download CSR" button. Give the downloaded CSR to your CA. They'll return your signed certificate. Then, in OS Administration -> Security -> Certificate Management, click "Upload Certificate/Certificate Chain".

 

GTG

Please rate all helpful posts.