Search this Blog

Thursday, February 18, 2010

Annoying Security Certificate errors every time you enter the CCMAdmin/CCMuser webpages


We are trying to figure out how to stop the Security Certificate errors that come up every time you enter the CCMAdmin/CCMuser webpages. We are running CUCM 7.0.2. Cisco TAC told us to install the certificate (that's presented by the call manager upon loggin in) on the client machine and then access the website using the FQDN of the server. This works, but that means we have to hit every PC that needs access to these pages. Is there anyting that can be done on the server end with the Security Certificates?

You can use a Certificate Authority (CA) signed certificate with CallManager by following these steps:
  1. Download the Root Certificate from your CA (rename the file root) and upload it to CUCM's OS administration page as a "Tomcat-Trust" certificate.
  2. Generate a CSR and select "Tomcat" for the type.
  3. Download the CSR to your PC.
  4. Upload the CSR to your CA server to get it signed (you probably can do that through the 3rd party's website).
  5. Save the signed certificate from the 3rd party back to your computer.
  6. Upload the signed certificate to CallManager from the OS administration page as a "Tomcat" and make sure that you enter in the root certificate field, "root" (what you named the file from step 1, without the quotes).
  7. Restart Cisco Tomcat from the CLI (utils service restart Cisco Tomcat).
There are two kinds of certs in the cert chain - CA certs and end-entity certs. For example, the cert represent your box is "cucm01.acme.local". This is end-entity cert.

"cucm01.acme.local" was issued by a CA called "parent.someCA.com".
"parent.someCA.com" was issued by a CA called "grandparent.someCA.com". And "grandparent.someCA.com" is the top (root) CA.

In this case, you'll need to do the following to upload the certs:
  1. Upload "grandparent.someCA.com" as "Tomcat Trust" cert.
  2. Upload "parent.someCA.com" as "Tomcat Trust" cert.
  3. Upload "cucm01.acme.local" as "Tomcat" cert. In the "Root Certificate" field, you should fill in the .pem file name of its parent. How to find out the .pem file name if the parent? You may list all the certs on the OS admin page > Security > Certificate Management.
Of course, you need to restart "Cisco Tomcat" after that.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

2 comments :

  1. If we have two CA certs as you said like :- "grandparent.someCA.com" to upload as Tomcat-Trust and also "parent.someCA.com" as the Tomcat-Trust so when we would install them the filenames for both would be different.
    So when we would be uploading the "cucm01.acme.local" as Tomcat what file name should we be choosing "root certificate field" so that the server certificate gets linked properly.

    ReplyDelete
  2. Hi Prad,

    Feel free to post your question in www.qsolved.com and our experts will answer your question.

    Chris

    ReplyDelete

 
/* Google Analytics begin ----------------------------------------------- */ /* Google Analytics end ----------------------------------------------- */