<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hey Nick,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Check the root CA cert in your trust store. Is it signed with MD5withRSA? The Java system built into CUCM dropped support for this cert signing algorithm after CUCM 11.0. We had the same issue and it was a hard stop because it broke AXL integration with UCCX while upgrading 11.0 to 11.6.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I believe CACert did resign their root with SHA256, but for some reason, they aren’t pushing it out for all certs. There’s a FAQ on their website here: http://wiki.cacert.org/FAQ/Class3Resign</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Daniel</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:cisco-voip@puck.nether.net">Nick via cisco-voip</a><br><b>Sent: </b>Thursday, March 8, 2018 1:17 PM<br><b>To: </b><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br><b>Subject: </b>[cisco-voip] CA Certs applied to CUCM & IMP</p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then generated Multi SAN Tomcat certs and applied these to the servers which are working fine when I browse to any of the nodes.</p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Since applying the certs the the nodes under the DefaultSubCluster on the presence Topology page are showing with red crosses and the services for each node are showing as Unknown.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The Presence Redundancy group in CUCM is showing as both nodes in normal state and IM&P is working correctly.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The system troubleshooter is reporting </p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Could not determine the status of the Cisco IM and Presence Data monitor Service on the following nodes and XCP Troubleshooter shows</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The Cisco XCP Connection Manager and Cisco XCP Authentication Service is currently down but both of the services are started up.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>All is working as expected so is cosmetic but needs resolving.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Anyone had similar issues after applying CA signed certs?</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards</p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal>Nick </p><p class=MsoNormal><o:p> </o:p></p></div></body></html>