[cisco-voip] CA Certs applied to CUCM & IMP

Daniel Clark daniel at scopsblog.com
Thu Mar 8 13:23:01 EST 2018


Hey Nick,

Check the root CA cert in your trust store.  Is it signed with MD5withRSA?  The Java system built into CUCM dropped support for this cert signing algorithm after CUCM 11.0.  We had the same issue and it was a hard stop because it broke AXL integration with UCCX while upgrading 11.0 to 11.6.

I believe CACert did re-sign their root with SHA256, but for some reason, they aren’t pushing it out for all certs. There’s a FAQ on their website here: http://wiki.cacert.org/FAQ/Class3Resign

-Daniel


From: Nick via cisco-voip
Sent: Thursday, March 8, 2018 1:17 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] CA Certs applied to CUCM & IMP

Just completed a new build of CUCM and IM&P to 11.5.1 SU4. I then generated Multi SAN Tomcat certs and applied these to the servers, which are working fine when I browse to any of the nodes.

Since applying the certs, the nodes under the DefaultSubCluster on the presence Topology page are showing with red crosses and the services for each node are showing as Unknown.

The Presence Redundancy group in CUCM is showing as both nodes in normal state and IM&P is working correctly.

The system troubleshooter is reporting:

Could not determine the status of the Cisco IM and Presence Data monitor Service on the following nodes

and XCP Troubleshooter shows:

The Cisco XCP Connection Manager and Cisco XCP Authentication Service is currently down but both of the services are started up.

All is working as expected so is cosmetic but needs resolving.

Anyone had similar issues after applying CA signed certs?

Regards

Nick 
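
The check suggested in the reply above (which signature algorithm each root or intermediate certificate in the trust store carries), as an added example that is not part of the original thread. It assumes the trust certificates have been exported into one PEM bundle; the function names are hypothetical and the sample certificates are constructed DER skeletons (dummy TBS and signature bytes) used only to exercise the parser.

```python
import base64
import re

# DER-encoded bodies of the signature-algorithm OIDs (RFC 3279 / RFC 4055).
MD5_RSA = bytes.fromhex("2a864886f70d010104")
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
NAMES = {MD5_RSA: "md5WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
REJECTED = {"md5WithRSAEncryption"}  # the algorithm named in the reply above

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of a DER X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)    # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end]
    return NAMES.get(oid, "unknown OID " + oid.hex())

def audit_bundle(pem_text):
    """Return [(index, algorithm, rejected)] for every cert in a PEM bundle."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    algs = [signature_algorithm(base64.b64decode(b)) for b in blocks]
    return [(i, alg, alg in REJECTED) for i, alg in enumerate(algs)]

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_pem(oid):
    """Constructed certificate skeleton: dummy TBS and signature, real layout."""
    alg = _der(0x30, _der(0x06, oid) + _der(0x05, b""))
    cert = _der(0x30, _der(0x30, bytes(200)) + alg + _der(0x03, bytes(129)))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for row in audit_bundle(constructed_pem(MD5_RSA) + constructed_pem(SHA256_RSA)):
        print(row)
```

Any entry reported with `rejected` set to `True` is a certificate to replace with a SHA-256 signed version before the upgrade.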
