
Jabber and Public CA-signed Certificates (Part 2 of 3)

Dishko Hristov

In Part 1 we gave a general overview of the certificate process for Cisco Jabber. In this second of three parts, we discuss how to renew your CA-signed certificates for Cisco Unified Communications Manager (CUCM), Cisco Unified Communications IM and Presence, and Cisco Unity Connection.

Public CA Certificate renewals

You can monitor your certificates' expiration dates through RTMT alarms. Once a certificate is close to expiration, you need to renew your CA-signed certificate with your certificate provider. It is very important to follow the same procedure again, starting with CSR creation. Unfortunately, we have seen many clients try to renew existing certificates without generating a new CSR from the UC server.

Example of RTMT alarm for certificate expiration:

-----Original Message-----

From: RTMT_Admin@company.com [mailto:RTMT_Admin@company.com] 
Sent: October-15-17 8:00 PM
To: RTMT_Alarms <RTMT@company.com>
Subject: [RTMT-ALERT-CUCMCluster] SyslogSeverityMatchFound
At Sun Oct 15 19:00:17 CDT 2017 on node cucm.company.com, the following SyslogSeverityMatchFound events generated:  
SeverityMatch : Critical
MatchedEvent : Oct 15 19:00:00 cucm local7 2 : 345: cucm.company.com: Oct 16 2017 12:00:00 AM.59 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:tomcat.der Unit:tomcat Type:own-cert Expiration:Sat Oct 21 16:45:39:000 CDT][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID :  
NodeID : cucm
TimeStamp : Sun Oct 15 19:00:00 CDT 2017  
SeverityMatch : Critical
MatchedEvent : Oct 15 19:00:00 cucm local7 2 : 346: cucm.company.com: Oct 16 2017 12:00:00 AM.60 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name: cucm.company.com.der Unit:tomcat-trust Type:own-cert Expiration][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID :  
NodeID : cucm
TimeStamp : Sun Oct 15 19:00:01 CDT 2017
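To turn alerts like the one above into something a monitoring job can act on, here is an added example that is not part of the original post: it parses each %UC_CERT-2-CertValidfor7days line, extracts the certificate name, unit and expiry, and computes the days remaining. The time-zone offset table, the year assumption (the alarm text omits the year) and the sample lines are assumptions, the sample lines being constructed from the alert quoted above.

```python
import re
from datetime import datetime, timedelta, timezone
# Node timestamp in the syslog header, e.g. "Oct 16 2017 12:00:00 AM.59 UTC" (UTC in the post's alerts)
HEADER_TS_RE = re.compile(r"([A-Z][a-z]{2} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\.\d+ UTC")
ALARM_RE = re.compile(r"%UC_CERT-\d-(?P<mnemonic>\w+): %\[Message=(?P<msg>[^\]]*)\]"
                      r"(?:\[AppID=[^\]]*\])?(?:\[ClusterID=[^\]]*\])?(?:\[NodeID=(?P<node>[^\]]*)\])?")
# The second alert in the post ends in a bare "Expiration" with no value, so the value is optional.
CERT_RE = re.compile(r"Certificate name:\s*(?P<name>\S+)\s+Unit:\s*(?P<unit>\S+)"
                     r"\s+Type:\s*(?P<type>\S+)\s+Expiration(?::\s*(?P<exp>.+))?$")
# Assumed UTC offsets for the zone abbreviations a UC node prints; extend for your own sites.
TZ_OFFSETS = {"UTC": 0, "CST": -6, "CDT": -5, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

def _parse_expiry(text, reported_at):
    """Parse "Sat Oct 21 16:45:39:000 CDT" into an aware datetime (the weekday is optional)."""
    m = re.match(r"(?:\w{3} )?(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})(?::\d{3})? (\w+)$", text)
    if not m:
        raise ValueError("unrecognised expiration format: %r" % text)
    # The alarm carries no year: assume the alarm's own year, rolled forward once if that is in the past.
    naive = datetime.strptime("%s %d" % (m.group(1), reported_at.year), "%b %d %H:%M:%S %Y")
    exp = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS.get(m.group(2), 0))))
    return exp.replace(year=exp.year + 1) if exp < reported_at else exp

def parse_alarm(line):
    """Return a dict describing one UC_CERT alarm line, or None for any other syslog line."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    hdr = HEADER_TS_RE.search(line)
    reported_at = datetime.strptime(hdr.group(1), "%b %d %Y %I:%M:%S %p").replace(tzinfo=timezone.utc) if hdr else None
    rec = {"mnemonic": m["mnemonic"], "node": m["node"], "reported_at": reported_at,
           "name": None, "unit": None, "type": None, "expires_at": None, "days_left": None}
    c = CERT_RE.search(m["msg"])
    if c:
        rec.update(name=c["name"], unit=c["unit"], type=c["type"])
        if c["exp"] and reported_at:  # an alarm with no expiry value leaves days_left as None
            rec["expires_at"] = _parse_expiry(c["exp"].strip(), reported_at)
            rec["days_left"] = (rec["expires_at"] - reported_at).days
    return rec

def days_left_by_cert(lines):
    """Map (node, unit, certificate name) -> days left for every CertValid* alarm; None if unknown."""
    return {(r["node"], r["unit"], r["name"]): r["days_left"]
            for r in map(parse_alarm, lines) if r and r["mnemonic"].startswith("CertValid")}
SAMPLE_LINES = [  # constructed sample input: the two MatchedEvent lines from the RTMT alert quoted above
    "Oct 15 19:00:00 cucm local7 2 : 345: cucm.company.com: Oct 16 2017 12:00:00 AM.59 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. "
    "Certificate name:tomcat.der Unit:tomcat Type:own-cert Expiration:Sat Oct 21 16:45:39:000 CDT][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired",
    "Oct 15 19:00:00 cucm local7 2 : 346: cucm.company.com: Oct 16 2017 12:00:00 AM.60 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. "
    "Certificate name: cucm.company.com.der Unit:tomcat-trust Type:own-cert Expiration][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired",
]
```

The second sample shows why the expiry value must be treated as optional: the tomcat-trust alarm carries none, so it is reported with an unknown number of days rather than dropped.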


Cisco Unified Communication Manager

  • Log in to the OS Admin page of your Cisco CUCM Publisher server.
  • Generate a NEW CSR.
  • Navigate to Security > Certificate Management > Generate CSR.
  • Select/enter the following values and click Generate:
      Certificate Purpose: Tomcat
      Distribution: Multi-Server (SAN)
      Common Name: remove "-ms"
      Other Domains: add any additional domains that are required

Once the CSR has been generated, a Download CSR button will appear.

  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.
  • Install the certificate.
  • Navigate to Security > Certificate Management > Upload Certificate/Certificate chain.
      Certificate Purpose: Tomcat
      Upload File: provide the certificate

  • Click on Upload.

If you receive an error, you may need to upload the root chain first. The root chain is already installed for the current certificate, but it may have changed by renewal time.

If the root chain must be uploaded, select tomcat-trust in the dropdown.

Restart Tomcat

To make the changes active, you must restart the Cisco Tomcat service on all cluster nodes. Don't forget the IM & Presence servers as well, as they are part of your CUCM cluster starting from version 10.x.

The following step will impact all HTTP communications and will affect services such as system provisioning, Jabber login and directory search.

  • Using an SSH client (PuTTY, SecureCRT), log in to each server.
  • Issue the following CLI command: utils service restart Cisco Tomcat

Cisco Unified Communication IM & Presence

  • Log in to the OS Admin page of your IM&P server.
  • Generate a NEW CSR.
  • Navigate to Security > Certificate Management > Generate CSR.
  • Select/enter the following values and click Generate:
      Certificate Purpose: Cup-xmpp
      Distribution: Multi-Server (SAN)
      Common Name: remove "-ms"
      Other Domains: add any additional domains that are required
  • Once the CSR has been generated, a Download CSR button will appear.
  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.

Install Certificate

  • Navigate to Security > Certificate Management > Upload Certificate/Certificate chain.
      Certificate Purpose: Cup-xmpp
      Upload File: provide the certificate
  • Click on Upload.

If you receive an error, you may need to upload the root chain first. The root chain is already installed for the current certificate, but it may have changed by renewal time.

If the root chain must be uploaded, select cup-xmpp-trust in the dropdown.

Restart Cisco XCP Router service

To make the changes active, you must restart the Cisco XCP Router service on all IM & Presence nodes. Restarting the XCP Router service will impact Jabber functionality, so consider restarting it after business hours.

Cisco Unity Connection

To generate the CSR:

  • Navigate to the OS Admin page, Security > Certificate Management > Generate CSR.
  • Select/enter the following values and click Generate:
      Certificate Purpose: Tomcat
      Distribution: Multi-Server (SAN)
      Common Name: remove "-ms"
      Other Domains: add any additional domains that are required

Once the CSR has been generated, a Download CSR button will appear.

  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.

Install Certificate

  • Navigate to Security > Certificate Management > Upload Certificate/Certificate chain.
      Certificate Purpose: Tomcat
      Upload File: provide the certificate
  • Click on Upload.

If you receive an error, you may need to upload the root chain first. The root chain is already installed for the current certificate, but it may have changed by renewal time.

If the root chain must be uploaded, select tomcat-trust in the dropdown.

Restart Tomcat

To make the changes active, you must restart the Cisco Tomcat service. The following step will impact all HTTP communications and will affect services such as system provisioning.

Using an SSH client (PuTTY, SecureCRT), log in to each server in the list.

Issue the following CLI command: utils service restart Cisco Tomcat

If you are interested in learning more about Cisco Jabber or require assistance within your organization, please contact our Professional Services Team.

Please be sure to check out Part 3 of "Jabber and Public CA-signed Certificates," on how to renew your CA-signed certificates for Cisco Expressway-C and Cisco Expressway-E.

November 15, 2017

Dishko Hristov