Cisco Support Community

Fail to install a trusted (SSL) certificate on CUCM 10.5

Hi Guys,

I have generated a CSR from CUCM and have got it signed by the CA:

There are two kinds of certs in the cert chain - CA certs and end-entity certs. For example, the cert representing your box is "cucm01.acme.local". This is the end-entity cert.

"cucm01.acme.local" was issued by a CA called "parent.someCA.com".
"parent.someCA.com" was issued by a CA called "grandparent.someCA.com".

And "grandparent.someCA.com" is the top (root) CA.
 

I'm trying to upload the signed CA by the following steps:

1. Upload "grandparent.someCA.com" as "Tomcat Trust" cert.
2. Upload "parent.someCA.com" as "Tomcat Trust" cert.
3. Upload "cucm01.acme.local" as "Tomcat" cert. In the "Root Certificate" field, you should fill in the .pem file name of its parent, on the OS admin page > Security > Certificate Management.
 

 

The issue is on step 3: I couldn't find any "Root Certificate" field in either the "Tomcat" cert or the "Tomcat Trust" cert. Please see attached screenshot.

 

Is there any step I missed or got wrong?

 

Please advise,

 

Thanks,

Cherry

9 REPLIES

This is no longer a requirement. You can upload the cert to the tomcat store without specifying the root certs.

Please rate useful posts.

I uploaded all *.cer to tomcat-trust and restarted the tomcat service, still not working.

 

Did you upload the tomcat cert as well? You need to upload the root/intermediate certs to the tomcat-trust store and then upload the signed CA cert to the tomcat store and restart the tomcat service.

Please rate useful posts.

I uploaded the root/intermediate certs to tomcat trust, but I couldn't upload the signed CA cert to the tomcat store, please see the errors attached.

But with the same signed CA cert, I'm able to upload to tomcat trust. So it doesn't look like a cert issue.

 

 

Looks like you didn't generate a CSR. You will have to click Generate CSR, select Tomcat. This will generate a CSR, download this and send it to the CA to be signed. Once you get the signed cert, upload it to the tomcat store.
Please rate useful posts.

I did generate the CSR for pub and sub. The only thing I suspect is whether the signed CA is the correct one. How could I recognize that the signed CA is really for the original CSR, since I generated all pub and sub CSRs?

This is the error I got from the publisher, but I didn't try to upload it into any subscriber.

Ya it looks like the CSR somehow got deleted per the screenshot you sent. I would regenerate the CSR and sign the certs once more. 

Please rate useful posts.
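
Added example, not part of any post in this thread: one way to answer the question above about which CSR a signed certificate was issued for is to compare the public key inside the certificate with the public key inside each downloaded CSR. It assumes the `openssl` command-line tool on an admin workstation; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): match a CA-signed certificate to the
# CSR it was issued for by comparing the public key embedded in each.

# Print the SHA-256 digest of the public key in a CSR or certificate.
# $1 = "req" (CSR) or "x509" (certificate); $2 = file, PEM or DER encoded.
pubkey_digest() {
    pd_kind=$1
    pd_file=$2
    for pd_form in PEM DER; do
        if pd_pub=$(openssl "$pd_kind" -in "$pd_file" -inform "$pd_form" \
                        -noout -pubkey 2>/dev/null) && [ -n "$pd_pub" ]; then
            # The PEM text of the key is identical for identical keys.
            printf '%s\n' "$pd_pub" | openssl dgst -sha256 -r | cut -d' ' -f1
            return 0
        fi
    done
    echo "cannot read $pd_file as $pd_kind" >&2
    return 1
}

# Print the name of the CSR whose public key matches the certificate.
# $1 = signed certificate; remaining arguments = candidate CSRs, for
# example the ones generated on the publisher and on each subscriber.
find_matching_csr() {
    fm_cert=$1
    shift
    fm_want=$(pubkey_digest x509 "$fm_cert") || return 2
    for fm_csr in "$@"; do
        if [ "$(pubkey_digest req "$fm_csr")" = "$fm_want" ]; then
            printf '%s\n' "$fm_csr"
            return 0
        fi
    done
    echo "no CSR matches $fm_cert: issued for a different key pair" >&2
    return 1
}

# Hypothetical usage: sh match_csr.sh signed.cer pub.csr sub1.csr
if [ "$#" -ge 2 ]; then
    find_matching_csr "$@"
fi
```

A match only shows that the certificate carries the same public key as that CSR; it does not validate the issuing chain.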

Could you explain what is not working?
Please rate useful posts.

When I try to access CUCM with its hostname, it still shows "There is a problem with this website's security certificate."

I click the errors to view the details. It shows: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."


But I have opened the root CA and installed them into Trusted Root Certification Authorities.


 
