Jabber and Public CA-signed Certificates (Part 2 of 3)

Posted by Dishko Hristov on Nov 15, 2017 11:34:02 AM


In part 1 we got a general overview of the certification process for Cisco Jabber. In this second of three parts, we will discuss how to renew your CA-signed certificates for Cisco Unified Communications Manager (CUCM), Cisco Unified Communications IM and Presence, and Cisco Unity Connection.

Public CA Certificate renewals

You can monitor your certificates' expiration dates through RTMT alarms. Once a certificate is close to expiration, you need to renew your CA-signed certificate with your certificate provider. It is very important that you follow the same procedure again, starting with the CSR creation. Unfortunately, we have seen many clients trying to renew existing certificates without generating a new CSR from the UC server.

Example of RTMT alarm for certificate expiration:

-----Original Message-----

From: RTMT_Admin@company.com [mailto:RTMT_Admin@company.com] 
Sent: October-15-17 8:00 PM
To: RTMT_Alarms <RTMT@company.com>
Subject: [RTMT-ALERT-CUCMCluster] SyslogSeverityMatchFound
At Sun Oct 15 19:00:17 CDT 2017 on node cucm.company.com, the following SyslogSeverityMatchFound events generated:  
SeverityMatch : Critical
MatchedEvent : Oct 15 19:00:00 cucm local7 2 : 345: cucm.company.com: Oct 16 2017 12:00:00 AM.59 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:tomcat.der Unit:tomcat Type:own-cert Expiration:Sat Oct 21 16:45:39:000 CDT][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID :  
NodeID : cucm
TimeStamp : Sun Oct 15 19:00:00 CDT 2017  
SeverityMatch : Critical
MatchedEvent : Oct 15 19:00:00 cucm local7 2 : 346: cucm.company.com: Oct 16 2017 12:00:00 AM.60 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name: cucm.company.com.der Unit:tomcat-trust Type:own-cert Expiration][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days AppID : Cisco Syslog Agent ClusterID :  
NodeID : cucm
TimeStamp : Sun Oct 15 19:00:01 CDT 2017
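As an added example (not part of the original post), this Python script parses the %UC_CERT-2-CertValidfor7days events from the RTMT e-mail above, extracts the certificate name, unit and expiration, and computes the days remaining relative to the alarm timestamp. It assumes the alarm's own TimeStamp is available to supply the missing year, and the unit-to-restart mapping only covers the tomcat and cup-xmpp units this post describes.

```python
import re
from datetime import datetime

# Pattern for the CertValidfor7days event body; Expiration may be empty and never carries a year.
ALARM_RE = re.compile(
    r"%UC_CERT-2-CertValidfor7days: %\[Message=.*?"
    r"Certificate name:\s*(?P<name>[^\s\]]+)\s+Unit:(?P<unit>[^\s\]]+)\s+"
    r"Type:(?P<type>[^\s\]]+)\s+Expiration:?(?P<exp>[^\]]*)\]"
    r".*?\[NodeID=(?P<node>[^\]]*)\]"
)
EXP_RE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2})")

# CSR purpose and restart the post prescribes per unit (a "-trust" store maps to its own-cert unit).
RENEWAL_ACTION = {
    "tomcat": ("Tomcat", "utils service restart Cisco Tomcat"),
    "cup-xmpp": ("Cup-xmpp", "restart the Cisco XCP Router service"),
}

def parse_alarm(line, alarm_time):
    """Return the fields of one CertValidfor7days event, or None if the line is not one."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    expires = days_left = None
    e = EXP_RE.match(m.group("exp").strip())
    if e:
        mon, day, hms = e.groups()
        base = datetime.strptime(f"{mon} {day} {hms} {alarm_time.year}", "%b %d %H:%M:%S %Y")
        # No year in the alarm: pick the candidate year closest to the alarm time, which also
        # handles certificates that already expired (negative days_left).
        cands = [base.replace(year=alarm_time.year + d) for d in (-1, 0, 1)]
        expires = min(cands, key=lambda c: abs(c - alarm_time))
        days_left = (expires - alarm_time).days
    unit = m.group("unit")
    base_unit = unit[:-len("-trust")] if unit.endswith("-trust") else unit
    purpose, restart = RENEWAL_ACTION.get(base_unit, (None, None))
    return {"node": m.group("node"), "name": m.group("name"), "unit": unit,
            "type": m.group("type"), "expires": expires, "days_left": days_left,
            "csr_purpose": purpose, "restart": restart}

def expiring_certs(lines, alarm_time):
    """Reduce a batch of syslog lines to the parsed certificate alarms they contain."""
    return [p for p in (parse_alarm(line, alarm_time) for line in lines) if p]

# The two MatchedEvent lines from the e-mail above, plus the alarm's own TimeStamp.
ALARM_TIME = datetime(2017, 10, 15, 19, 0, 0)
SAMPLE_EVENTS = [
    "Oct 15 19:00:00 cucm local7 2 : 345: cucm.company.com: Oct 16 2017 12:00:00 AM.59 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name:tomcat.der Unit:tomcat Type:own-cert Expiration:Sat Oct 21 16:45:39:000 CDT][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days",
    "Oct 15 19:00:00 cucm local7 2 : 346: cucm.company.com: Oct 16 2017 12:00:00 AM.60 UTC :  %UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification. Certificate name: cucm.company.com.der Unit:tomcat-trust Type:own-cert Expiration][AppID=Cisco Certificate Monitor][ClusterID=][NodeID=cucm]: Alarm to indicate that Certificate has Expired or Expires in less than seven days",
]
```

Feeding expiring_certs() the MatchedEvent lines from a syslog feed gives you the days left and the restart to plan per unit, instead of waiting for the seven-day alarm e-mail.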


Cisco Unified Communication Manager

  • Log in to the OS admin page of your Cisco CUCM Publisher server.
  • Generate a NEW CSR.
  • Navigate to Security > Certificate Management > Generate CSR.
  • Select/enter the following values and click Generate.

Certificate Purpose: Tomcat
Distribution: Multi-Server(SAN)
Common Name: Remove “-ms”
Other Domains: Add if any additional domains are required

Once the CSR has been generated a Download CSR button will appear.

  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.

Install Certificate

  • Navigate to Security > Certificate Management > Upload Certificate/Certificate chain.

Certificate Purpose: Tomcat
Upload File: Provide the certificate


  • Click on Upload.

If you receive an error, you may need to upload the Root chain first. The Root chain is already installed for the current certificate, but the CA may have changed it by the time you renew.

If Root chain must be uploaded, select tomcat-trust in the dropdown.

Restart Tomcat

To make changes active, you must restart the Cisco Tomcat service on all cluster nodes. Don’t forget the IM & Presence servers as well, as they are part of your CUCM cluster starting from version 10.x.

The following step will impact all HTTP communications and will affect some services like system provisioning, Jabber login, Directory search, etc.

  • Using an SSH client (PuTTY, SecureCRT), log in to each server.
  • Issue the following CLI command: utils service restart Cisco Tomcat


Cisco Unified Communication IM & Presence

  • Log in to the OS admin page of your IM&P server.
  • Generate a NEW CSR.
  • Navigate to Security > Certificate Management > Generate CSR.
  • Select/enter the following values and click Generate.

Certificate Purpose: Cup-xmpp
Distribution: Multi-Server(SAN)
Common Name: Remove “-ms”
Other Domains: Add if any additional domains are required

  • Once the CSR has been generated a Download CSR button will appear.
  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.

Install Certificate

  • Navigate to Security > Certificate Management > Upload Certificate/Certificate chain.

Certificate Purpose: Cup-xmpp
Upload File: Provide the certificate

  • Click on Upload.

If you receive an error, you may need to upload the Root chain first. The Root chain is already installed for the current certificate, but the CA may have changed it by the time you renew.

If Root chain must be uploaded, select cup-xmpp-trust in the dropdown.

Restart Cisco XCP Router service

In order to make the changes active, you must restart the Cisco XCP Router service on all IM&Presence server nodes. Restarting the XCP Router service will impact Jabber functionality, so you may consider restarting this service after business hours.

 


Cisco Unity Connection

To Generate CSR:

  • Navigate to OS Admin page, Security > Certificate Management > Generate CSR
  • Select/enter the following values and click Generate

Certificate Purpose: Tomcat
Distribution: Multi-Server(SAN)
Common Name: Remove “-ms”
Other Domains: Add if any additional domains are required

Once the CSR has been generated a Download CSR button will appear.

  • Click on Download CSR, select Tomcat from the dropdown menu and click on Download CSR.
  • Send the output file to your Certificate Authority for signing.

Install Certificate

Navigate to Security > Certificate Management > Upload Certificate/Certificate chain

Certificate Purpose: Tomcat
Upload File: Provide the certificate


  • Click on Upload.

If you receive an error, you may need to upload the Root chain first. The Root chain is already installed for the current certificate, but the CA may have changed it by the time you renew.

If Root chain must be uploaded, select tomcat-trust in the dropdown.

Restart Tomcat

In order to make the changes active, you must restart the Cisco Tomcat service. The following step will impact all HTTP communications and will affect some services like system provisioning.

  • Using an SSH client (PuTTY, SecureCRT), log in to each server in the list.
  • Issue the following CLI command: utils service restart Cisco Tomcat
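As an added verification step for the CUCM, IM&P and Unity Connection procedures above (this script is not from the original post): after the Tomcat restart, it pulls the certificate each node actually serves and checks that the Multi-Server (SAN) certificate lists every cluster node (IM&P nodes included) and is not near expiry. Assumptions: the admin web port 8443 and the node names in CLUSTER_NODES are placeholders for your own, and the chain check relies on the machine's CA store trusting your public CA.

```python
import ssl
import socket
from datetime import datetime, timezone

# Hypothetical cluster inventory (constructed names): every node the Multi-Server (SAN)
# Tomcat certificate must cover, IM&P nodes included since they belong to the CUCM cluster.
CLUSTER_NODES = ["cucm.company.com", "cucm-sub1.company.com", "imp.company.com"]

def fetch_peer_cert(host, port=8443):
    """Fetch the certificate Tomcat presents on the admin web port (8443 assumed)."""
    ctx = ssl.create_default_context()  # validates the public CA chain the way a client would
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_san_cert(cert, expected_hosts, now, min_days=30):
    """Check a getpeercert() dict covers every expected node and is not close to expiry."""
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = [h for h in expected_hosts if h not in sans]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    issues = []
    if missing:
        issues.append("SAN missing: " + ", ".join(missing))
    if days_left < min_days:
        issues.append(f"expires in {days_left} days (on {not_after:%Y-%m-%d})")
    return {"ok": not issues, "days_left": days_left, "missing_sans": missing, "issues": issues}

def audit_cluster(nodes, now=None):
    """Pull the served certificate from every node after the restart and check each one."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host in nodes:
        try:
            report[host] = check_san_cert(fetch_peer_cert(host), nodes, now)
        except (OSError, ssl.SSLError) as exc:  # chain/hostname failure or node still restarting
            report[host] = {"ok": False, "issues": [f"TLS handshake failed: {exc}"]}
    return report

# Constructed sample in the shape getpeercert() returns, so the check can be run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "cucm.company.com"),),),
    "subjectAltName": (("DNS", "cucm.company.com"), ("DNS", "cucm-sub1.company.com")),
    "notAfter": "Oct 21 21:45:39 2017 GMT",
}

if __name__ == "__main__":
    print(check_san_cert(SAMPLE_CERT, CLUSTER_NODES, datetime(2017, 10, 15, tzinfo=timezone.utc)))
```

Run audit_cluster(CLUSTER_NODES) against the live nodes once Tomcat is back up; a node still serving the old certificate or missing from the SAN list shows up as a failed entry in the report.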

If you are interested in learning more about Cisco Jabber or require assistance within your organization, please contact our Professional Services Team. 

Please be sure to check out Part 3 of "Jabber and Public CA-signed Certificates," on how to renew your CA-signed certificates for Cisco Expressway-C and Cisco Expressway-E.
