<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
So having more certs than needed in the truststore generally won't cause issues; it's just one more certificate that can potentially be trusted.
<div><br>
</div>
<div>As long as the new certificates are signed by the same internal CA as the one that is currently in the truststore for CUCM (all nodes), then you shouldn’t need to have the identity certificates in the truststore.</div>
<div><br>
</div>
<div>One reason that <i>may have </i>been done is because the original person wasn’t able to get CUCM to properly recognize the internal CA and trust certificates signed by it.</div>
<div><br>
</div>
<div>This could happen if the CA chain was uploaded incorrectly. The root should be uploaded first, then any intermediates.<br>
<br>
<div dir="ltr">Sent from my iPhone</div>
<div dir="ltr"><br>
<blockquote type="cite">On Oct 14, 2019, at 17:40, ROZA, Ariel <Ariel.ROZA@la.logicalis.com> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="WordSection1">
<p class="MsoNormal">Hi Ryan,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Both Expressway servers are signed by the internal CA. I have uploaded the root and intermediate certificates, too.<o:p></o:p></p>
<p class="MsoNormal">But I am renewing the certificates on an existing cluster, and whoever installed it manually added the ExpC certs into tomcat-trust.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So, I understand that it would be safe to remove the ExpC certs from tomcat-trust and everything would be working fine?<o:p></o:p></p>
<p class="MsoNormal">What about the "use the cluster name" / "don't use the cluster name" contradiction?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ariel.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="ES" style="mso-fareast-language:ES-AR">From:</span></b><span lang="ES" style="mso-fareast-language:ES-AR"> Ryan Huff <ryanhuff@outlook.com>
<br>
<b>Sent:</b> Monday, October 14, 2019 18:14<br>
<b>To:</b> ROZA, Ariel <Ariel.ROZA@LA.LOGICALIS.COM><br>
<b>CC:</b> cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net><br>
<b>Subject:</b> Re: [cisco-voip] Expressway cluster certificates.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Are the Expressway-C servers using self-signed certificates (I doubt it, because you said they are multi-SAN)?
<span style="mso-fareast-language:ES-AR"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Generally, CUCM doesn't need to trust the identity certificate (unless it is self-signed). In all other cases, CUCM needs to trust the certificate authority that signed the Expressway-C certificates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">If, for example, GoDaddy signed the SSL certificates for the Expressway-C, CUCM just needs to trust the GoDaddy certificate authority chain.<o:p></o:p></p>
<div>
<p class="MsoNormal">Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</body>
</html>