Updated: October 11, 2023
This document describes how to reuse the Multi-SAN Tomcat certificate for CallManager on a Cisco Unified Communications Manager (CUCM) server.
Cisco recommends that you have knowledge of these topics:
Real-Time Monitoring Tool (RTMT)
Identity Trust List (ITL)
The information in this document is based on CUCM 126.96.36.19900-155.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The two main services on CUCM are Tomcat and CallManager. In earlier versions, a separate certificate for each service was required across the cluster. In CUCM version 14, a new feature was added that lets the Multi-SAN Tomcat certificate be reused for the CallManager service as well. The benefits of this feature are:
Reduces the cost of CA-signed certificates: only one certificate, instead of two, needs to be signed by a Public Certificate Authority (CA) for the cluster.
Reduces the size of the ITL file, and with it the overhead of distributing it to the phones.
Caution: Before you upload a Tomcat certificate, verify Single sign-on (SSO) is disabled. In case it is enabled, SSO must be disabled and re-enabled once the Tomcat certificate regeneration process is finished.
1. Set Tomcat Certificate as Multi-SAN
In CUCM 14, the Tomcat Multi-SAN certificate can be Self-Signed or CA-signed. If your Tomcat certificate is already Multi-SAN, skip this section.
Step 1. Log in to Publisher > Operating System (OS) Administration and navigate to Security > Certificate Management > Generate Self-Signed.
Step 2. Choose Certificate Purpose: tomcat > Distribution: Multi-Server SAN. It auto-populates the SAN domains and the parent domain.
Step 6. In order to upload the CA trust chain, navigate to Certificate Management > Upload certificate > Certificate Purpose: tomcat-trust. Set the description of the certificate and browse to the trust-chain files.
Step 7. In order to upload the CA-signed certificate, navigate to Certificate Management > Upload certificate > Certificate Purpose: tomcat. Set the description of the certificate and browse to the CA-signed certificate file.
Step 8. Restart the Tomcat service, open a CLI session to all the nodes of the cluster, and run the utils service restart Cisco Tomcat command.
Step 9. Navigate to the Publisher > Cisco Unified Serviceability > Tools > Control Center - Network Services and restart the Cisco DRF Master Service and Cisco DRF Local Service.
Step 10. Navigate to each Subscriber > Cisco Unified Serviceability > Tools > Control Center - Network Services and restart Cisco DRF Local Service.
2. Reuse Tomcat Certificate for CallManager
Caution: For CUCM 14, a new enterprise parameter, Phone Interaction on Certificate Update, is introduced. Use this field to reset phones either manually or automatically, as applicable, when one of the TVS, CAPF, or TFTP (CallManager/ITLRecovery) certificates is updated. By default this parameter is set to reset the phones automatically. After regeneration, deletion, or update of certificates, ensure that the appropriate services are restarted.
Step 1. Navigate to your CUCM publisher, and then to Cisco Unified OS Administration > Security > Certificate Management.
Step 2. Click Reuse Certificate.
Step 3. From the choose Tomcat type drop-down list, choose tomcat.
Step 4. From the Replace Certificate for the following purpose pane, check the CallManager check box.
Reuse Tomcat Certificate for Other Services Screen
Note: If you choose tomcat as the certificate type, CallManager is enabled as the replacement. If you choose tomcat-ECDSA as the certificate type, CallManager-ECDSA is enabled as the replacement.
Step 5. Click Finish in order to replace the CallManager certificate with the Tomcat Multi-SAN certificate.
Reuse Tomcat Certificate Successful Message
Step 6. Restart the Cisco HAProxy service, open a CLI session to all the nodes of the cluster, and run the utils service restart Cisco HAProxy command.
Note: In order to determine if the cluster is in Mixed Mode, navigate to Cisco Unified CM Administration > System > Enterprise Parameters > Cluster Security Mode (0 == Non-Secure; 1 == Mixed Mode).
Step 7. If your cluster is in Mixed Mode, open a CLI session to the Publisher node, run the utils ctl update CTLFile command, and reset all the phones of the cluster for the CTL file updates to take effect.
3. Verify
Step 1. Navigate to your CUCM publisher and then to Cisco Unified OS Administration > Security > Certificate Management.
Step 2. Filter by Find Certificate List where: Usage > begins with: identity and click Find.
Step 3. Confirm that the CallManager and Tomcat certificates end with the same Common Name_Serial Number value in the list; after a successful reuse they are the same certificate.
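Besides reading the certificate list in OS Administration, you can check the reuse from the network side by comparing the certificate each service actually presents on its TLS listener. The script below is an added example and is not Cisco's code or a CUCM utility: it fetches the leaf certificate served by Tomcat and by the CallManager service, extracts the serial number with a minimal DER walk (standard library only), and compares SHA-256 fingerprints. The listener ports (8443 for Tomcat HTTPS, 5061 for SIP over TLS), the host name and the `SAMPLE_DER` bytes are assumptions or constructed values, not taken from the page.

```python
import hashlib
import ssl
import sys

# Assumed CUCM listener ports (not stated on the page): Tomcat serves HTTPS on
# 8443 and the CallManager service serves SIP over TLS on 5061.
TOMCAT_PORT = 8443
CALLMANAGER_SIP_TLS_PORT = 5061


def _tlv(buf, off):
    """Decode one DER tag-length-value at offset `off`.
    Returns (tag, value_bytes, offset_after_value)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def serial_from_der(der):
    """Extract serialNumber from a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, cert_body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, off = _tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version is present (v2/v3)
        tag, value, off = _tlv(tbs, off)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def fingerprint_sha256(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_match(der_a, der_b):
    """True when both DER blobs are the same certificate (identical fingerprint)."""
    return fingerprint_sha256(der_a) == fingerprint_sha256(der_b)


def fetch_der(host, port):
    """Fetch the leaf certificate a TLS listener presents, as DER bytes.
    No chain validation happens here; the goal is only to compare what is served."""
    pem = ssl.get_server_certificate((host, port), timeout=10)
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample: only the leading part of a certificate (v3 marker plus
# serial 0x010002 = 65538), enough to exercise the parser offline. It is not a
# real or complete certificate.
SAMPLE_DER = bytes.fromhex("300c" "300a" "a003020102" "0203010002")


if __name__ == "__main__":
    # Placeholder host name; pass the real node as the first argument.
    node = sys.argv[1] if len(sys.argv) > 1 else "cucm-pub.example.com"
    tomcat = fetch_der(node, TOMCAT_PORT)
    callmanager = fetch_der(node, CALLMANAGER_SIP_TLS_PORT)
    for name, der in (("tomcat", tomcat), ("CallManager", callmanager)):
        print(f"{name:12s} serial={serial_from_der(der):x} "
              f"sha256={fingerprint_sha256(der)}")
    print("CallManager reuses the Tomcat certificate:",
          certs_match(tomcat, callmanager))
```

Run it once per cluster node after the HAProxy restart in section 2; a mismatch on any node means that node is still presenting the old CallManager certificate. Comparing the fingerprint rather than only the Common Name avoids a false positive when an old and a new certificate share the same subject.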