06-06-2016 04:58 PM - edited 03-19-2019 11:11 AM
I need to renew a couple multi-server (SAN) certificates for my environment. Does anyone have a good link on the renewal process? All I could find were how to do them from scratch. I am uncertain if I need to select the certificate in the GUI and select generate CSR or regenerate CSR. Or should I just leave those and do a new fresh CSR?
When I click on generate CSR, it tells me:
"Generating a new CSR for a specific certificate type will overwrite the existing CSR for that type".
Regenerate gives me a different warning:
Multi-server certificate of this type is already in use.
The current multi-server certificate will be replaced by this single-server certificate. It is recommended that you perform this operation on every server to ensure there is a single certificate of this type for each server.
Anyone ever renewed these?
Thanks
06-06-2016 06:17 PM
It's pretty much the same as doing this for the first time, no difference, you'll need to generate a CSR, if you already have one, you need to download that CSR and have it signed.
If you're not sure that CSR is the one you want, or with the specs you need, simply create a new one, and the previous one will no longer be valid.
Yes, if you're going from a multi-server, in which you had to generate just a single CSR for all the servers, now you'll need to generate a CSR PER server, have it signed, and then upload to each server.
Again, the renewal process is basically the same as going from self-signed certs to CA signed certs.
06-08-2016 10:06 AM
Ok, I did this and it worked. Only had one issue but maybe it's because this is a Unity cluster and they function differently than a CUCM/Presence cluster. I uploaded the multi-server cert to my primary Unity server first and restarted Tomcat, and that one was done and working normally. I checked the other secondary Unity server I have in my cluster and it showed that I had created a CSR from the primary BUT it never got the certificate from the primary for the Tomcat service. Tried restarting Tomcat on the secondary but still didn't get the cert. I thought it was supposed to be pushed to this server from the primary? Anyway, I uploaded the same cert to the secondary (it's a SAN cert), restarted Tomcat, and then it was working normally. Maybe that's expected behavior for a Unity cluster? I am doing my CUCM/Presence cluster next, hoping it replicates on these ones correctly.
Thanks for the quick advice and help.
03-10-2020 02:39 PM
No, if you generated a CSR, had it signed, and uploaded the signed certificate, that CSR is no longer available to download, nor can it be re-used. With CUCM and other products that use the same blueprint, they're one-time-use CSRs.
If you see the option to download a CSR, that means the signed certificate has not been uploaded and you can still use that CSR.
03-10-2020 04:09 PM
Thanks for the quick reply - that is exactly the clarification I needed.
05-29-2018 04:56 AM
Hi Jamie
Just to clarify, I created a Tomcat Multi-server (SAN) certificate by generating a CSR and took the opportunity to move to SHA256. The CSR was signed by our internal root CA.
The certificate is due to expire, and while the option is there to regenerate, if I select regenerate I get a warning "The current multi-server certificate will be replaced by this single server certificate...."
Is it not possible to regenerate a multi-server certificate and have it remain a multi-server certificate?
Best
05-29-2018 07:40 AM
No, the self-signed certificates from CUCM are PER SERVER certificates, not multi-SAN certs.
If you want to re-generate it and go back to self-signed certs, that's the way it works.
If you want a multi-SAN cert, you need to generate the CSR and sign it with a CA to then upload it.
06-06-2016 07:24 PM
Adding to what Jaime said, generating a new CSR or regenerating an existing one (pretty much the same thing) will invalidate the existing CA signed certificates and the system will automatically start using self-signed system generated certificates for the time being. Once you have the certificates signed again by the CA for the new CSR, simply upload them back and you will be good again.
Regards
Deepak
06-07-2016 01:13 PM
No, that's wrong, generating a CSR will not invalidate any existing certificates, neither self-signed nor CA signed. It also won't generate any system generated cert and use it because you request a CSR, that's also wrong.
Any existing certificates will continue to work, and they will only be replaced by another certificate once you upload the signed server certificate from the current CSR request.
06-07-2016 01:13 PM
Jamie is right on this part. I have started the process generating a new CSR and my current certificate is still working normally. Thanks for all the help and advice, I think this will get me going in the right direction. I'll update this thread when I complete the process or if I run into anything along the way.
Thanks!
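Added example (not part of any post above, and not Cisco tooling): the replies note that a new CSR makes the previous one invalid and that each CSR is one-time use, so before uploading it helps to confirm that the CA-signed certificate belongs to the CSR currently pending and lists every cluster node as a SAN. The host names, file names and the self-signing step standing in for the CA are constructed, and the sketch assumes each generated CSR is backed by its own key pair and that the CSR has been downloaded from the server as a PEM file.

```sh
#!/bin/sh
# Added example. Host names, file names and the self-signed "CA" are constructed.

# Public key (PEM) of a CSR ("req") or a certificate ("x509").
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# True only if the certificate was issued for the key behind this CSR.
cert_matches_csr() {  # $1 = certificate, $2 = CSR
  cert_pub=$(pubkey_of x509 "$1"); csr_pub=$(pubkey_of req "$2")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]
}

# Print each expected node name that is absent from the certificate's SAN list.
missing_sans() {  # $1 = certificate, remaining args = node FQDNs
  cert=$1; shift
  sans=$(openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p')
  for node in "$@"; do
    echo "$sans" | grep -qxF "$node" || echo "$node"
  done
}

# Constructed samples: two CSRs with separate keys (assumption: a newly
# generated CSR has a new key pair) and a certificate issued for CSR 1 only.
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  subj="/CN=uc-ms.example.test"
  echo "subjectAltName=DNS:uc-pub.example.test,DNS:uc-sub1.example.test" > "$SAMPLE_DIR/san.ext"
  for i in 1 2; do
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
      -keyout "$SAMPLE_DIR/key$i.pem" -out "$SAMPLE_DIR/csr$i.pem" 2>/dev/null
  done
  # Stand-in for the CA: sign CSR 1 with its own key and add the SAN list.
  openssl x509 -req -in "$SAMPLE_DIR/csr1.pem" -signkey "$SAMPLE_DIR/key1.pem" -sha256 \
    -days 30 -extfile "$SAMPLE_DIR/san.ext" -out "$SAMPLE_DIR/cert.pem" 2>/dev/null
}

make_samples
cert_matches_csr "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/csr1.pem" && echo "cert matches pending CSR"
cert_matches_csr "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/csr2.pem" || echo "cert does not match newer CSR"
# Lists any node the SAN certificate does not cover (here: uc-sub2.example.test).
missing_sans "$SAMPLE_DIR/cert.pem" uc-pub.example.test uc-sub1.example.test uc-sub2.example.test
```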