[cisco-voip] Certificate question

Heim, Dennis Dennis.Heim at wwt.com
Thu Jan 2 12:17:08 EST 2014


It's the actual tomcat cert that will change the license in my experience. I believe the goal in this thread is to get rid of the SSL warning message when hitting the cucm web page, which will require a CA signed certificate.

Dennis Heim | Solution Architect (Collaboration)
World Wide Technology, Inc. | 314-212-1814

PS Engineering:  Innovate & Ignite.


From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: Thursday, January 02, 2014 11:22 AM
To: Heim, Dennis; Angel Roberto Castaneda
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Certificate question

Dennis,

It shouldn't change the license MAC just for uploading a CA-signed certificate.  I just tried it on my lab 8.6.2 cluster and the license MAC didn't change.

Brian

From: Heim, Dennis [mailto:Dennis.Heim at wwt.com]
Sent: Thursday, January 02, 2014 11:04 AM
To: Brian Meade (brmeade); Angel Roberto Castaneda
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Certificate question

If you are on releases prior to ELM, it's going to cause your license MAC to change.

Dennis Heim | Solution Architect (Collaboration)
World Wide Technology, Inc. | 314-212-1814

PS Engineering:  Innovate & Ignite.


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Brian Meade (brmeade)
Sent: Thursday, January 02, 2014 10:58 AM
To: Angel Roberto Castaneda
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Certificate question

Angel,

When you upload the new CA-signed tomcat certificate, the tomcat-trust certificates should be updated on all the other nodes in the cluster to reflect the new publisher certificate via the Certificate Change Notification Service.

Brian

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Angel Roberto Castaneda
Sent: Thursday, January 02, 2014 10:54 AM
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Certificate question

Would this cause any issues in a cluster?

For example, if you were to upload the certificate to the publisher, would the subscriber have a problem with a different certificate being used now?

Angel Roberto Castaneda

On Thu, Jan 2, 2014 at 7:14 AM, Joe Martini <joemar2 at cisco.com> wrote:
James,

You do not have to get your certificate issued by Thawte, GoDaddy, Verisign, etc.; you can use your internal Certificate Authority (CA) server instead.  In order to do this, you would need to create a Certificate Signing Request (CSR) for Tomcat on your CUCM server(s) and get a certificate generated based on the CSR.  Here's a great guide with instructions for how to generate the CSR, get it internally signed, and re-upload it to CUCM: https://supportforums.cisco.com/docs/DOC-6119.

You could apply a new certificate to all your servers by using this same process for each server in your cluster, or you can install a new certificate on only the server users usually access to fix the certificate warning that is displayed.

Note that if you do use an internal server to issue the certificate, the client computers and/or browsers need to have the root certificate (issuing server's certificate) installed.  If you are using Active Directory and Internet Explorer, the certificates should already be in place on each computer that has joined the domain.  For non-Windows computers or other browsers such as Firefox, the issuing server's certificate would have to be added to the certificate store the browser uses.  Lastly, once everything is in place, the URL used to access the servers has to be a hostname.  Even if all the certificates are in place, using an IP address for the URL to access the servers will cause the certificate error to appear.

Joe


On Jan 2, 2014, at 6:59 AM, James Dust <james.dust at charles-stanley.co.uk> wrote:

Hi there,

I have a certificate question I need help with, as I haven't either created or uploaded one to our CUCM cluster before (CUCM 8.1.3).

When navigating to either the administration page or end user page for the first time any user within our network is presented with an error message stating the website is now trusted. Now it's no problem as it can be entered through but for my own knowledge I would like to resolve this.

My first question is: do we need to export a certificate and get it to Thawte or someone like that, or can I just self-sign the certificate, as it is just an internal network resource to us?

My second question is what do I need to export?

Kind regards

James

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
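Joe's reply above lists the three things that must line up before the browser warning goes away: the issuer must be in the client's trust store (or the cert is self-signed, as James asks about), and the URL host must be a hostname the certificate actually names, not an IP address. The following added example, which is not part of the thread or any Cisco tool, walks those checks over a certificate in the dict shape Python's `ssl` module returns from `getpeercert()`; the server name, issuer name and SAN entries are constructed values.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a CUCM-style Tomcat certificate signed by an internal CA (all values made up).
CUCM_CERT = {
    "subject": ((("commonName", "cucm-pub.example.local"),),),
    "issuer": ((("commonName", "Example Internal Root CA"),),),
    "subjectAltName": (("DNS", "cucm-pub.example.local"), ("DNS", "cucm-pub")),
}

def _hostname_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, wildcard only in the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def _cert_names(cert):
    """Names the certificate is valid for: SAN entries, else the subject CN."""
    dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    ips = [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]
    if not dns and not ips:
        dns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return dns, ips

def browser_warnings(cert, url_host, trusted_issuers):
    """Return the reasons a browser would warn for this cert at this URL host.
    trusted_issuers: issuer CNs present in the client's trust store
    (the internal root CA Joe says must be installed on each client)."""
    reasons = []
    issuer = dict(k for rdn in cert["issuer"] for k in rdn)["commonName"]
    subject = dict(k for rdn in cert["subject"] for k in rdn)["commonName"]
    if issuer == subject:
        reasons.append("self-signed certificate")
    elif issuer not in trusted_issuers:
        reasons.append(f"issuer '{issuer}' not in trust store")
    dns, ips = _cert_names(cert)
    try:
        ip = ipaddress.ip_address(url_host)  # URL typed as an IP address?
        if str(ip) not in ips:
            reasons.append(f"URL uses IP {ip} but certificate has no matching IP SAN")
    except ValueError:
        if not any(_hostname_matches(p, url_host) for p in dns):
            reasons.append(f"hostname '{url_host}' does not match {dns}")
    return reasons
```

An empty list means the client would not warn; a real cert dict can be fed in from `ssl.SSLSocket.getpeercert()` after connecting to the publisher.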