How To Configure a Multi-server (SAN) Tomcat Certificate on a Cisco Unified CM Cluster


Create a CSR for the Tomcat Service

From the Cisco Unified OS Administration module, navigate to Security > Certificate Management. Click Generate CSR.

Select Tomcat as the Certificate Purpose. In the Distribution field, select Multi-Server (SAN).

This option lets you create a single Tomcat certificate that covers every node in the cluster instead of a separate certificate per node, each with its own Common Name. The publisher HQ-CUCM automatically populates the Subject Alternative Names with the FQDN of each node, in this case the subscribers hq-sub.lab.local and imp-sub1.lab.local.

Click Generate.

Click Download CSR. Then select Tomcat and click Download CSR.

Create a Certificate from CSR

From your PC, access the CA server 10.1.5.19 using the URL https://10.1.5.19/certsrv.

Click Request a certificate, then click advanced certificate request. You should see the Submit a Certificate Request or Renewal Request page.

Paste the CSR content into the Base-64-encoded certificate request field. Click Submit.

Select Base 64 encoded and click Download certificate. Name it CUCM-Cert.

Before uploading the CUCM certificate, you need to download the CA certificate. On the first page, click Download a CA certificate, certificate chain, or CRL.

Ensure Base 64 is selected and click Download CA certificate. Name it RootCA.

Below is the HQ-CUCM certificate with the appropriate SANs.

Uploading the Certificates to Cisco Unified Communications Manager

From the Certificate Management page, click Upload Certificate/Certificate Chain.

First you need to upload the CA certificate. Select Tomcat-trust as the Certificate Purpose and click Choose File. Select the CA certificate downloaded previously.

The CA certificate is now uploaded.

Now upload the HQ-CUCM certificate. Select Tomcat as the Certificate Purpose and click Choose File.

Select the HQ-CUCM certificate created previously.

The HQ-CUCM certificate is now uploaded.

SSH to HQ-CUCM, HQ-SUB and imp-sub1 and restart the Tomcat service on each node.

Access the hq-cucm GUI using a web browser. HTTPS access is now secured with a valid certificate and the browser shows no certificate warning.

Access the hq-sub GUI using a web browser. HTTPS access is now secured with a valid certificate and the browser shows no certificate warning.

Access the imp-sub1 GUI using a web browser. HTTPS access is now secured with a valid certificate and the browser shows no certificate warning.
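Besides opening each GUI in a browser, the result can be checked from an admin workstation with openssl. The script below is an added example, not part of the original post: it confirms that the certificate served by each node carries every cluster FQDN in its SAN and chains to the RootCA downloaded earlier. It assumes openssl is installed, that the Tomcat GUI listens on TCP 8443, and that the publisher's FQDN is hq-cucm.lab.local (the post only names the subscribers' FQDNs).

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl is
# available, the Tomcat GUI is on port 8443, and the publisher FQDN is
# hq-cucm.lab.local; the subscriber FQDNs are those named in the post.

NODES="hq-cucm.lab.local hq-sub.lab.local imp-sub1.lab.local"

# cert_san_dns CERT.pem : print one SAN DNS name per line
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_covers_nodes CERT.pem : return 0 when every node FQDN is in the SAN,
# otherwise list the missing names on stderr and return 1
san_covers_nodes() {
    names=$(cert_san_dns "$1")
    missing=""
    for n in $NODES; do
        echo "$names" | grep -qxF "$n" || missing="$missing $n"
    done
    [ -z "$missing" ] && return 0
    echo "SAN is missing:$missing" >&2
    return 1
}

# chain_verifies CERT.pem ROOTCA.pem : return 0 when CERT chains to ROOTCA
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_node HOST ROOTCA.pem : fetch the certificate HOST presents on the
# Tomcat port and run both checks against it
check_node() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:8443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp"
    if san_covers_nodes "$tmp" && chain_verifies "$tmp" "$2"; then
        echo "$1: OK"; rm -f "$tmp"; return 0
    fi
    echo "$1: FAILED" >&2; rm -f "$tmp"; return 1
}

# Usage after Tomcat has been restarted on all nodes (RootCA.cer is the
# Base 64 CA certificate downloaded from the CA server):
#   for h in $NODES; do check_node "$h" RootCA.cer; done
```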

Categories: Collaboration

1 comment

  1. You can also add other hosts (for example hq-cuc-1.lab.local and imp-sub2.lab.local for future installations of voice mail and imp redundancy) in (image 3) Other Domains via + Add under
