
Create a CSR for the Tomcat Service
From the Cisco Unified OS Administration module, navigate to Security > Certificate Management. Click Generate CSR.

Select Tomcat from the Certificate Purpose field. In the Distribution field, select Multi-Server (SAN).
This option lets you create a single Tomcat certificate that covers every node in the cluster, instead of a separate certificate with its own Common Name for each node. The publisher HQ-CUCM automatically populates the Subject Alternative Names with the FQDN of each node, in this case the subscribers hq-sub.lab.local and imp-sub1.lab.local.
Click Generate.


Click Download CSR, then select Tomcat and click Download CSR.


Create a Certificate from CSR
From your PC, access the CA server 10.1.5.19 at https://10.1.5.19/certsrv.
Click Request a certificate, then click advanced certificate request. You should see the Submit a Certificate Request or Renewal Request page.

Paste the CSR content into the Base-64-encoded certificate request field. Click Submit.

Select Base 64 encoded and click Download certificate. Name it CUCM-Cert.

Before uploading the CUCM certificate, you need to download the CA certificate. On the first page, click Download a CA certificate, certificate chain, or CRL.
Ensure Base 64 is selected and click Download CA certificate. Name it RootCA.


Below is the HQ-CUCM certificate with the appropriate SANs.


Uploading the Certificates to Cisco Unified Communications Manager
From the Certificate Management page, click Upload Certificate/Certificate Chain.
First you need to upload the CA certificate. Select Tomcat-trust from the Certificate Purpose and click Choose file. Select the CA certificate downloaded previously.

The CA certificate is now uploaded.

Now upload the HQ-CUCM certificate. Select Tomcat from the Certificate Purpose and click Choose File.
Select the HQ-CUCM certificate created previously.

The HQ-CUCM certificate is now uploaded.

SSH to HQ-CUCM, HQ-SUB and imp-sub1 and restart the Tomcat service on each node.



Access the hq-cucm GUI using a web browser. HTTPS access is now secured with a valid certificate, with no certificate warning.

Access the hq-sub GUI using a web browser. HTTPS access is now secured with a valid certificate, with no certificate warning.

Access the imp-sub1 GUI using a web browser. HTTPS access is now secured with a valid certificate, with no certificate warning.
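
The three browser checks above can also be scripted. The following is an added example, not part of the original procedure: it trusts only the downloaded root CA, performs a TLS handshake with each node, and reports any cluster FQDN missing from the served certificate's SAN list. The file name RootCA.cer, port 443 and the sample certificate dictionary are assumptions made for the example.

```python
import socket
import ssl

# Cluster node FQDNs named on this page.
CLUSTER_NODES = ["hq-cucm.lab.local", "hq-sub.lab.local", "imp-sub1.lab.local"]

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "hq-cucm.lab.local"),
                                  ("DNS", "hq-sub.lab.local"),
                                  ("DNS", "imp-sub1.lab.local"))}


def san_dns_names(cert):
    """Return the lower-cased DNS SAN entries of a getpeercert()-style dict."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def missing_nodes(cert, nodes=CLUSTER_NODES):
    """List the nodes that the certificate's SAN extension does not cover."""
    sans = san_dns_names(cert)
    return [n for n in nodes if n.lower() not in sans]


def fetch_cert(host, ca_file, port=443, timeout=5):
    """Handshake validated against ca_file only; return the peer cert dict.

    Raises ssl.SSLCertVerificationError if the chain or hostname check fails.
    """
    # Passing cafile means the system trust store is not loaded.
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_cluster(ca_file, nodes=CLUSTER_NODES):
    """Map each node to the cluster FQDNs its served certificate lacks."""
    report = {}
    for node in nodes:
        try:
            report[node] = missing_nodes(fetch_cert(node, ca_file), nodes)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[node] = f"handshake failed: {exc}"
    return report


if __name__ == "__main__":
    # RootCA.cer is an assumed file name for the CA certificate saved earlier.
    for node, result in audit_cluster("RootCA.cer").items():
        print(node, "OK" if result == [] else result)
```

A node that still reports a handshake failure after the upload is usually still serving its old certificate, which points to a Tomcat service that has not been restarted on that node.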

You can also add other hosts (for example hq-cuc-1.lab.local and imp-sub2.lab.local for future installations voice mail and imp redundancy) in (image 3) Other Domains via + Add under