Certificates are apart of every UC Install these days.. Even more so now with the introduction of Finesse and third-party gadgets. I recently had to install a certificate for the Calibrio AQM Server, rather than you dig through their guides.. I’ve listed the commands you’ll need below. Have fun.
1. Create the certificate signing request.
“C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe” -keystore “C:\Program Files\Common Files\QM\config\.keystore” -storepass C@labr1o -certreq -alias jetty -file jetty.csr -ext san=dns:tg2aqm10.topgun2.uplinx
2. Install the CA Root or Chain Certificates.
“C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe” -keystore “C:\Program Files\Common Files\QM\config\.keystore” -storepass C@labr1o -importcert -trustcacerts -alias TG2PDC -file root-cer.cer
3. Install the signed certificate for the AQM Server.
“C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe” -keystore “C:\Program Files\Common Files\QM\config\.keystore” -storepass C@labr1o -importcert -alias jetty -file jetty.cer
UPDATE: To increase or specify the length of the key, use the attribute -keysize when generating a CSR.
Certificates are essential for a smooth operating UC environment. Most organisations have an Internal Certificate Authority and most of these CA’s are the Microsoft CA Server. So it does come in handy to know a little about the MS Certificate architecture and enrolment processes.
I’ll run through how to apply a certificate to a Cisco UC Application Server.
1. Browse to the Operating Platform administrator webpage. The navigate to Security -> Certificate Management.
2. Select Generate CSR. A signing request window appears, check the information and then select generate. After the CSR has been generated, close the window.
3. Download the CSR and save it to your PC. The certificate purpose will be “tomcat”.
Sometimes I come across CA’s that do not allow URL signing or the URLs do not work properly. So I always try to gain access to the console/RDP of the CA server and sign the CSR via the cmd line.
4. Transfer the CSR file to the CA Server.
5. Log onto the CSR server. Again you may need to request login right from the Network Administrator.
6. Open the CMD Prompt and type the following.
“certreq -submit -attrib “CertificateTemplate: WebServer” cucm01.csr”. We are basically signing the CSR using the Web Server Template.
7. Select the CA Server to use.
8. Save the newly created certificate as a .cer
9. While staying on the CA Server, navigate to the Certificates MMC and download its Certificate. We will need the CA’s certificate as a trust certificate.
10. Save the CA Cert in the same location as the above certificate.
11. Transfer the two certificates to the your PC.
12. We will now upload the two certificates into the CUCM Server. First we need to upload the CA’s certificate. This is the trust cert.
13. Select Upload Certificate. Select “tomcat-trust”, and navigate to the CA’s certificate. Select Upload.
14. Lets go ahead and upload the actual server certificate now. Change the type to “tomcat” and navigate to the server certificate. Select Upload.
15. You should see the two certificates under Certificate Management.
16. You may have to restart the Tomcat Service from the CLI. (utils service restart Cisco Tomcat)