Cisco Call Manager CSR No Longer Exists After Cert Is Uploaded
Manage Certificates
Certificates Overview
Your system uses self-signed and third-party-signed certificates. Certificates are used between devices in your system to securely authenticate devices, encrypt data, and hash the data to ensure its integrity from source to destination. Certificates permit secure transfer of bandwidth, communication, and operations.
The most important part of certificates is that you know and define how your data is encrypted and shared with entities such as the intended website, phone, or FTP server.
When your organization trusts a certificate, this means that there is a preinstalled certificate on your system which states that it is fully confident that it shares information with the correct destination. Otherwise, it terminates the communication between these points.
In order to trust a certificate, trust must already be established with a third-party certificate authority (CA).
Your devices must know that they can trust both the CA and intermediate certificates first, before they can trust the server certificate presented by the exchange of messages called the secure sockets layer (SSL) handshake.
Third-Party Signed Certificate or Certificate Chain
Upload the certificate authority root certificate of the certificate authority that signed an application certificate. If a subordinate certificate authority signs an application certificate, you must upload the certificate authority root certificate of the subordinate certificate authority. You can also upload the PKCS#7 format certificate chain of all certificate authority certificates.
You can upload certificate authority root certificates and application certificates by using the same Upload Certificate dialog box. When you upload a certificate authority root certificate or a certificate chain that contains only certificate authority certificates, choose the certificate name with the format certificate type-trust. When you upload an application certificate or a certificate chain that contains an application certificate and certificate authority certificates, choose the certificate name that includes only the certificate type.
For example, choose tomcat-trust when you upload a Tomcat certificate authority certificate or certificate authority certificate chain; choose tomcat when you upload a Tomcat application certificate or a certificate chain that contains an application certificate and certificate authority certificates.
When you upload a CAPF certificate authority root certificate, it is copied to the CallManager-trust store, so you do not need to upload the certificate authority root certificate for CallManager separately.
Note | Successful upload of a third-party certificate authority signed certificate deletes the recently generated CSR that was used to obtain the signed certificate and overwrites the existing certificate, including a third-party signed certificate if one was uploaded. |
Note | The system automatically replicates tomcat-trust, CallManager-trust and Phone-SAST-trust certificates to each node in the cluster. |
Note | You can upload a directory trust certificate to tomcat-trust, which is required for the DirSync service to work in secure mode. |
Third-Party Certificate Authority Certificates
To use an application certificate that a third-party certificate authority issues, you must obtain both the signed application certificate and the certificate authority root certificate from the certificate authority, or a PKCS#7 certificate chain (distinguished encoding rules [DER]), which contains both the application certificate and the certificate authority certificates. Retrieve information about obtaining these certificates from your certificate authority. The process varies among certificate authorities. The signature algorithm must use RSA encryption.
Cisco Unified Communications Operating System generates CSRs in privacy enhanced mail (PEM) encoding format. The system accepts certificates in DER and PEM encoding formats and PKCS#7 certificate chains in PEM format. For all certificate types except certificate authority proxy function (CAPF), you must obtain and upload a certificate authority root certificate and an application certificate on each node.
For CAPF, obtain and upload a certificate authority root certificate and an application certificate only on the first node. CAPF and Unified Communications Manager CSRs include extensions that you must include in your request for an application certificate from the certificate authority. If your certificate authority does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, as follows:
- The CAPF CSR uses the following extensions:
  X509v3 Extended Key Usage: TLS Web Server Authentication
  X509v3 Key Usage: Digital Signature, Certificate Sign
- The CSRs for Tomcat use the following extensions:
  Note | Tomcat does not require the key agreement or IPsec end system key usage. |
  X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
  X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
- The CSRs for IPsec use the following extensions:
  X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
  X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
- The CSRs for Unified Communications Manager use the following extensions:
  X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
  X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
Note | You can generate a CSR for your certificates and have them signed by a third-party certificate authority with a SHA256 signature. You can then upload this signed certificate back to Unified Communications Manager, allowing Tomcat and other certificates to support SHA256. |
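Because uploading a signed certificate deletes the CSR and overwrites the existing certificate, it is worth confirming before submission that a CSR carries exactly the extensions listed above for its purpose and uses an RSA/SHA256 signature. The following script is an added example, not part of the Cisco guide or product: it builds a CSR with openssl for a given purpose (capf, tomcat, ipsec or callmanager) and checks the openssl text dump for the required usages. It assumes openssl is installed; the common name and organization values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Cisco code): build a CSR with the guide's extensions for a
# Unified CM certificate purpose and verify them before sending the CSR to a CA.
set -e
WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys, configs and CSRs

# Key Usage per purpose, as listed in the guide (OpenSSL short names).
ku_for() {
  case "$1" in
    capf)                         echo "digitalSignature,keyCertSign" ;;
    tomcat|ipsec|callmanager)     echo "digitalSignature,keyEncipherment,dataEncipherment,keyAgreement" ;;
    *) echo "unknown purpose: $1" >&2; return 1 ;;
  esac
}

# Extended Key Usage per purpose, as listed in the guide.
eku_for() {
  case "$1" in
    capf)          echo "serverAuth" ;;
    tomcat|ipsec)  echo "serverAuth,clientAuth,ipsecEndSystem" ;;
    callmanager)   echo "serverAuth,clientAuth" ;;
    *) echo "unknown purpose: $1" >&2; return 1 ;;
  esac
}

# gen_csr <purpose> <common-name>: RSA 2048 key + SHA256-signed PKCS#10 CSR;
# prints the CSR path. The DN values below are constructed placeholders.
gen_csr() {
  purpose=$1; cn=$2; cfg="$WORK/$purpose.cnf"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $cn
O = Example Org
C = US
[ ext ]
keyUsage = $(ku_for "$purpose")
extendedKeyUsage = $(eku_for "$purpose")
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -keyout "$WORK/$purpose.key" -out "$WORK/$purpose.csr" 2>/dev/null
  echo "$WORK/$purpose.csr"
}

# verify_csr <purpose> <csr-file>: returns 0 only if the CSR's text dump lists
# every usage the guide requires for that purpose and an RSA/SHA256 signature.
verify_csr() {
  text=$(openssl req -in "$2" -noout -text)
  case "$1" in
    capf)         need="TLS Web Server Authentication|Digital Signature|Certificate Sign" ;;
    tomcat|ipsec) need="TLS Web Server Authentication|TLS Web Client Authentication|IPSec End System|Digital Signature|Key Encipherment|Data Encipherment|Key Agreement" ;;
    callmanager)  need="TLS Web Server Authentication|TLS Web Client Authentication|Digital Signature|Key Encipherment|Data Encipherment|Key Agreement" ;;
    *) echo "unknown purpose: $1" >&2; return 1 ;;
  esac
  need="$need|Signature Algorithm: sha256WithRSAEncryption"
  old_ifs=$IFS; IFS='|'
  for item in $need; do
    case "$text" in
      *"$item"*) ;;
      *) IFS=$old_ifs; echo "$2: missing '$item'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Demo: a CAPF CSR passes its own check, a Tomcat CSR does not pass the CAPF check
# (it lacks Certificate Sign), which is the kind of mismatch a CA would sign anyway.
capf_csr=$(gen_csr capf "capf.example.com")
verify_csr capf "$capf_csr" && echo "OK: $capf_csr carries the CAPF extensions"
tomcat_csr=$(gen_csr tomcat "cucm.example.com")
verify_csr capf "$tomcat_csr" || echo "As expected, the Tomcat CSR is not valid for CAPF"
```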
Show Certificates
Use the Show Certificates page to view certificate and trust store details that belong to your system. You can view the Common Name, Type, Key Type, Distribution, Issued By, Expiration date and also the description of the certificates.
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Click Find. |
Step 3 | To view certificate or trust store details, click the common name of the certificate. |
Step 4 | Click Close to close the pop-up window and return to the Certificate List page. |
Download Certificates
Use the download certificates task to have a copy of your certificate or to upload the certificate when you submit a CSR request.
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Specify search criteria and then click Find. |
Step 3 | Choose the required file name and click Download. |
Install Intermediate Certificates
To install an intermediate certificate, you must install a root certificate first and then upload the signed certificate. This step is required only if the certificate authority provides a signed certificate with multiple certificates in the certificate chain.
Procedure
Step 1 | From Cisco Unified OS Administration, click . |
Step 2 | Click Upload Certificate / Certificate Chain. |
Step 3 | Choose the appropriate trust store from the Certificate Purpose drop-down list to install the root certificate. |
Step 4 | Enter the description for the certificate purpose selected. |
Step 5 | Choose the file to upload by performing one of the following steps: |
Step 6 | Click Upload. |
Step 7 | Access the Cisco Unified Intelligence Center URL using the FQDN after you install the customer certificate. If you access the Cisco Unified Intelligence Center using an IP address, you will see the message "Click here to continue", even after you successfully install the custom certificate. |
Delete a Trust Certificate
A trusted certificate is the only type of certificate that you can delete. You cannot delete a self-signed certificate that is generated by your system.
Caution | Deleting a certificate can affect your system operations. It can also break a certificate chain if the certificate is part of an existing chain. Verify this relationship from the username and subject name of the relevant certificates in the Certificate List window. You cannot undo this action. |
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Use the Find controls to filter the certificate list. |
Step 3 | Choose the filename of the certificate. |
Step 4 | Click Delete. |
Step 5 | Click OK. |
Regenerate a Certificate
We recommend that you regenerate certificates before they expire. You will receive warnings in RTMT (Syslog Viewer) and an email notification when the certificates are about to expire.
However, you can also regenerate an expired certificate. Perform this task after business hours, because you must restart phones and reboot services. You can regenerate only a certificate that is listed as type "cert" in Cisco Unified OS Administration.
Caution | Regenerating a certificate can affect your system operations. Regenerating a certificate overwrites the existing certificate, including a third-party signed certificate if one was uploaded. |
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Configure the fields on the Generate New Self-Signed Certificate window. See online help for more information about the fields and their configuration options. |
Step 3 | Click Generate. |
Step 4 | Restart all services that are affected by the regenerated certificate. |
Step 5 | Rerun the CTL client (if configured) after you regenerate the CAPF, ITLRecovery Certificates or CallManager Certificates. |
Certificate Names and Descriptions
The following table describes the system security certificates that you can regenerate and the related services that must be restarted. For information about regenerating the TFTP certificate, see the Cisco Unified Communications Manager Security Guide at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-listing.html.
Name | Description | Related Services |
---|---|---|
tomcat | This self-signed root certificate is generated during installation for the HTTPS node. | Tomcat, CallManager Service and TFTP |
ipsec | This self-signed root certificate is generated during installation for IPsec connections with MGCP and H.323 gateways. | Cisco Disaster Recovery System (DRS) Local and Cisco DRF Master DR Backup and Restore services |
CallManager, CallManager-ECDSA | This self-signed root certificate is installed automatically when you install Unified Communications Manager. This certificate provides node identification, including the node name and the global unique identifier (GUID). | CallManager, CAPF, Phone Verification and CTI |
CAPF | The system copies this root certificate to your node or to all nodes in the cluster after you complete the Cisco CTL client configuration. | CallManager and CAPF |
TVS | This is a self-signed root certificate. | Phone/Endpoints - ITL files |
Upload Certificate or Certificate Chain
Upload any new certificates or certificate chains that you want your system to trust.
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Click Upload Certificate/Certificate Chain. |
Step 3 | Choose the certificate name from the Certificate Purpose drop-down list. |
Step 4 | Choose the file to upload by performing one of the following steps: |
Step 5 | To upload the file to the server, click Upload File. |
Manage Third-Party Certificate Authority Certificates
This task flow provides an overview of the third-party certificate process, with references to each step in the sequence. Your system supports certificates that a third-party certificate authority issues with a PKCS#10 certificate signing request (CSR).
Procedure
Command or Action | Purpose |
---|---|
Step 1 | Generate a Certificate Signing Request | Generate a Certificate Signing Request (CSR), which is a block of encrypted text that contains certificate application information, public key, organization name, common name, locality, and country. A certificate authority uses this CSR to generate a trusted certificate for your system. |
Step 2 | Download a Certificate Signing Request | Download the CSR after you generate it and have it ready to submit to your certificate authority. |
Step 3 | See your certificate authority documentation. | Obtain application certificates from your certificate authority. |
Step 4 | See your certificate authority documentation. | Obtain a root certificate from your certificate authority. |
Step 5 | Add Certificate Authority-Signed CAPF Root Certificate to the Trust Store | |
Step 6 | Upload Certificate or Certificate Chain | Upload the certificate authority root certificate to the node. |
Step 7 | If you updated the certificate for CAPF or Cisco Unified Communications Manager, generate a new CTL file. | See the Cisco Unified Communications Manager Security Guide at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html. Rerun the CTL client (if configured) after you upload the third-party signed CAPF or CallManager certificate. |
Step 8 | Restart a Service | Restart the services that are affected by the new certificate. For all certificate types, restart the corresponding service (for example, restart the Cisco Tomcat service if you updated the Tomcat certificate). |
Generate a Certificate Signing Request
Generate a Certificate Signing Request (CSR), which is a block of encrypted text that contains certificate application information, public key, organization name, common name, locality, and country. A certificate authority uses this CSR to generate a trusted certificate for your system.
Note | If you generate a new CSR, you overwrite any existing CSRs. |
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Click Generate CSR. |
Step 3 | Configure the fields on the Generate Certificate Signing Request window. See the online help for more information about the fields and their configuration options. |
Step 4 | Click Generate. |
Download a Certificate Signing Request
Download the CSR after you generate it and have it ready to submit to your certificate authority.
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Click Download CSR. |
Step 3 | Choose the certificate name from the Certificate Purpose drop-down list. |
Step 4 | Click Download CSR. |
Step 5 | (Optional) If prompted, click Save. |
Add Certificate Authority-Signed CAPF Root Certificate to the Trust Store
Add the root certificate to the Unified Communications Manager trust store when using a Certificate Authority-Signed CAPF Certificate.
Procedure
Step 1 | From Cisco Unified OS Administration, choose . |
Step 2 | Click Upload Certificate/Certificate Chain. |
Step 3 | In the Upload Certificate/Certificate Chain popup window, choose CallManager-trust from the Certificate Purpose drop-down list and browse to the certificate authority-signed CAPF root certificate. |
Step 4 | Click Upload after the certificate appears in the Upload File field. |
Restart a Service
Use this procedure if your system requires that you restart any feature or network services on a particular node in your cluster.
Procedure
Step 1 | Depending on the service type that you want to restart, perform one of the following tasks: |
Step 2 | Choose your system node from the Server drop-down list, and then click Go. |
Step 3 | Click the radio button next to the service that you want to restart, and then click Restart. |
Step 4 | After you see the message that indicates that the restart will take some time, click OK. |
Certificate Revocation through Online Certificate Status Protocol
Unified Communications Manager provisions OCSP for monitoring certificate revocation. The system checks the certificate status to confirm validity at scheduled intervals and every time a certificate is uploaded.
The Online Certificate Status Protocol (OCSP) helps administrators manage their system's certificate requirements. When OCSP is configured, it provides a simple, secure, and automated method to check certificate validity and revoke expired certificates in real time.
For FIPS deployments with Common Criteria mode enabled, OCSP also helps your system comply with Common Criteria requirements.
Validation Checks
Unified Communications Manager checks the certificate status and confirms validity.
The certificates are validated as follows:
- Unified Communications Manager uses the Delegated Trust Model (DTM) and checks the Root CA or Intermediate CA for the OCSP signing attribute. The Root CA or the Intermediate CA must sign the OCSP certificate to check the status. If the delegated trust model fails, Unified Communications Manager falls back to the Trust Responder Model (TRP) and uses a designated OCSP response signing certificate from an OCSP server to validate certificates.
  Note | The OCSP Responder must be running to check the revocation status of the certificates. |
- Enable the OCSP option in the Certificate Revocation window to provide the most secure means of checking certificate revocation in real time. Choose from options to use the OCSP URI from a certificate or from the configured OCSP URI. For more information on manual OCSP configuration, see Configure Certificate Revocation via OCSP.
  Note | In the case of leaf certificates, TLS clients like syslog, FileBeat, SIP, ILS, LBM, and so on send OCSP requests to the OCSP responder and receive the certificate revocation response in real time from the OCSP responder. |
One of the following statuses is returned for the certificate once the validations are performed and Common Criteria mode is ON.
- Good -- The good state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate, such as a positive statement about issuance, validity, etc.
- Revoked -- The revoked state indicates that the certificate has been revoked (either permanently or temporarily (on hold)).
- Unknown -- The unknown state indicates that the OCSP responder doesn't know about the certificate being requested.
Note | In Common Criteria mode, the connection fails in both the Revoked and the Unknown case, whereas the connection would succeed in the Unknown response case when Common Criteria is not enabled. |
Certificate Monitoring Task Flow
Complete these tasks to configure the system to monitor certificate status and expiration automatically.
- Email you when certificates are approaching expiration.
- Revoke expired certificates.
Procedure
Command or Action | Purpose |
---|---|
Step 1 | Configure Certificate Monitor Notifications | Configure automated certificate monitoring. The system periodically checks certificate statuses and emails you when a certificate is approaching expiration. |
Step 2 | Configure Certificate Revocation via OCSP | Configure OCSP so that the system revokes expired certificates automatically. |
Configure Certificate Monitor Notifications
Configure automated certificate monitoring for Unified Communications Manager or the IM and Presence Service. The system periodically checks the status of certificates and emails you when a certificate is approaching expiration.
Note | The Cisco Certificate Expiry Monitor network service must be running. This service is enabled by default, but you can confirm the service is running in Cisco Unified Serviceability by choosing and verifying that the Cisco Certificate Expiry Monitor Service status is Running. |
Procedure
Step 1 | Log in to Cisco Unified OS Administration (for Unified Communications Manager certificate monitoring) or Cisco Unified IM and Presence Administration (for IM and Presence Service certificate monitoring). |
Step 2 | Choose . |
Step 3 | In the Notification Start Time field, enter a numeric value. This value represents the number of days before certificate expiration at which the system starts to notify you of the upcoming expiration. |
Step 4 | In the Notification Frequency fields, enter the frequency of notifications. |
Step 5 | Optional. Check the Enable E-mail notification check box to have the system send email alerts of upcoming certificate expirations. |
Step 6 | Check the Enable LSC Monitoring check box to include LSC certificates in the certificate status checks. |
Step 7 | In the E-mail IDs field, enter the email addresses where you want the system to send notifications. You can enter multiple email addresses separated by a semicolon. |
Step 8 | Click Save. |
What to do next
Configure the Online Certificate Status Protocol (OCSP) so that the system revokes expired certificates automatically. For details, see Configure Certificate Revocation via OCSP.
Configure Certificate Revocation via OCSP
Enable the Online Certificate Status Protocol (OCSP) to check certificate status regularly and to revoke expired certificates automatically.
Before you begin
Make sure that your system has the certificates that are required for OCSP checks. You can use Root or Intermediate CA certificates that are configured with the OCSP response attribute, or you can use a designated OCSP signing certificate that has been uploaded to tomcat-trust.
Procedure
Step 1 | Log in to Cisco Unified OS Administration (for Unified Communications Manager certificate revocation) or Cisco Unified IM and Presence Administration (for IM and Presence Service certificate revocation). |
Step 2 | Choose . |
Step 3 | Check the Enable OCSP check box, and perform one of the following tasks: |
Step 4 | Check the Enable Revocation Check check box. |
Step 5 | Complete the Check Every field with the interval period for revocation checks. |
Step 6 | Click Save. |
Step 7 | Optional. If you have CTI, IPsec or LDAP links, you must also complete these steps in addition to the above steps to enable OCSP revocation support for those long-lived connections: |
Troubleshoot Certificate Errors
Before you begin
If you encounter an error when you attempt to access Unified Communications Manager services from an IM and Presence Service node or IM and Presence Service functionality from a Unified Communications Manager node, the source of the issue is the tomcat-trust certificate. The error message Connection to the Server cannot be established (unable to connect to Remote Node) appears on the following Serviceability interface windows:
- Service Activation
- Control Center - Feature Services
- Control Center - Network Services
Use this procedure to help you resolve the certificate error. Start with the first step and continue, if necessary. Sometimes, you may only have to complete the first step to resolve the error; in other cases, you have to complete all the steps.
Procedure
Step 1 | From Cisco Unified OS Administration, verify that the required tomcat-trust certificates are present: . If the required certificates are not present, wait 30 minutes before checking again. |
Step 2 | Choose a certificate to view its information. Verify that the content matches the corresponding certificate on the remote node. |
Step 3 | From the CLI, restart the Cisco Intercluster Sync Agent service: utils service restart Cisco Intercluster Sync Agent. |
Step 4 | After the Cisco Intercluster Sync Agent service restarts, restart the Cisco Tomcat service: utils service restart Cisco Tomcat. |
Step 5 | Wait 30 minutes. If the previous steps do not address the certificate error and a tomcat-trust certificate is present, delete the certificate. After you delete the certificate, you must manually exchange it by downloading the Tomcat certificate for each node and uploading it to its peers as a tomcat-trust certificate. |
Step 6 | After the certificate exchange is complete, restart Cisco Tomcat on each affected server: utils service restart Cisco Tomcat. |
Source: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_0_1/administration/CUCM_BK_A0A10476_00_administration-guide-for-cisco-unified/Manage_Certificates.html