UCCX 11.5 Tomcat and Tomcat-ECDSA certificates for Cisco Finesse CUIC and the Admin Pages

I keep hearing from engineers who run into issues with the UCCX certificates, and in particular with the ECDSA certificate that a few services on UCCX use. I wanted to write this quick post to help others and document the procedure.

The certificates: an overview

I will go back a bit to give you a quick overview of the UCCX certificates, but not too far back. Out of the box, UCCX uses self-signed certificates for secure browser connectivity (nothing new here). However, since UCCX 11.5 there is a second Tomcat certificate, Tomcat-ECDSA, whose key pair uses the Elliptic Curve Digital Signature Algorithm (ECDSA for short). If you want to find out more about this type of certificate, feel free to visit this webpage.

Here is an Image with the Certificate store

In other words, the ECDSA certificates were not present before, and now they are (the UCCX team thought it would be cool to add them somehow).

The alternative, if you don't want to go down this road

So, in case you either don't want to keep reading or are just too cool for signed certificates, use the COP file for the ECDSA certificate.
The defect is well documented under Bug ID CSCvb46250.

For a full explanation of the ECDSA certificate, check this article.

The Scenario or the Issue (Challenge… my own words)

You are a happy engineer planning a UCCX upgrade to 11.5. That is all cool and nice, until you discover these certificates. At this point you know how the story goes:

Find the closest CA available in your environment.
Open Certification Authority under Administrative Tools, select Certificate Templates, right-click it and choose Manage.

At this point the Certificate Templates console shows up.
Right-click the Web Server template and select Duplicate Template.

*** Note that once you select this option, Windows will ask whether you want the Windows Server 2003 or the Windows Server 2008 version of the template. To save you some time, here is a little hint.
The 2003 version is the one you can publish under http://CA-SERVER/certsrv (Web Enrollment) when requesting an advanced certificate. ** This is the one you use to sign your regular Tomcat certificate.
The 2008 version cannot be published over Web Enrollment, but it is the one that supports the elliptic curve (CNG) key that the CSR carries. ** This is what you use to sign your Tomcat-ECDSA certificate.

Select the 2008 version, name your template and go to the Cryptography tab.

Before you move forward, go to UCCX OS Administration and record all the requirements for the Tomcat-ECDSA certificate; in other words, the parameters you will use to generate the certificate request. UCCX OS Administration –> Security –> Certificate Management

Click Generate CSR, select Tomcat-ECDSA and record the following:

*** Make sure you generate and download the CSR; we will use it soon.

We will use this information to create our template, so go back to your Windows server and, under the Cryptography tab, select the following:

Now, under the Extensions tab, make sure that Application Policies contains the following:

Click Apply and go back to the Certification Authority window –> right-click Certificate Templates –> New –> Certificate Template to Issue.

This operation does not add the certificate template to the Web Enrollment page, but that is fine, because we are going to use the following method instead.

Open PowerShell with admin rights (right-click, "Run as Administrator") and enter the following:
C:\Users\admin\Desktop>certreq.exe -submit -attrib "CertificateTemplate:ECDSACiscoServers" ecdsa.csr signed-ecdsa.cer

That line assumes that you saved the CSR with the .csr extension (if not, do it). It also assumes that you saved the .csr file to your Desktop and that you are logged in as the administrator (if not, make sure you change the path). It also assumes that the signed certificate will be saved to the Desktop (if not, do it, just to make your life easier).

Go to UCCX and upload the ROOT certificate. Not sure where to find it? Go to http://CA-SERVER/Certsrv

Make sure this one gets uploaded to the tomcat-trust store.

The signed certificate is now ready to be uploaded to the UCCX certificate store. ** Make sure you select Tomcat-ECDSA.
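To run the certreq step and the two upload steps above as one checked procedure, here is an added PowerShell script that is not part of the original post: it submits the CSR to a named CA with the template as a request attribute, exports that CA's certificate for tomcat-trust, and inspects the issued file (key type, Key Usage, Server Authentication EKU, DNS name) before you upload it as Tomcat-ECDSA. The CA config string, template name, UCCX FQDN and file paths are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). Values below are placeholders.
param(
    [string]$CaConfig = "CA-SERVER.example.local\Example Issuing CA",  # "<host>\<CA name>", see: certutil -dump
    [string]$Template = "ECDSACiscoServers",                            # template name from the post
    [string]$UccxFqdn = "uccx01.example.local",                         # FQDN used in the UCCX CSR
    [string]$CsrPath  = "$env:USERPROFILE\Desktop\ecdsa.csr",
    [string]$CertPath = "$env:USERPROFILE\Desktop\signed-ecdsa.cer",
    [string]$CaPath   = "$env:USERPROFILE\Desktop\ca-root.cer"
)

# 1. Submit the CSR. Naming the CA with -config avoids the CA-picker dialog on domains with more
#    than one CA; the template goes in as a request attribute because the v3 (2008) template is
#    not offered by the certsrv web enrollment page.
& certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 2. Export the CA's own certificate; this is what goes into tomcat-trust on UCCX.
#    On a two-tier PKI upload the offline root as well, not only this issuing CA.
& certutil.exe -config $CaConfig -ca.cert $CaPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

# 3. Inspect the issued certificate before touching UCCX. Returns a list of problems (empty = OK).
function Test-TomcatEcdsaCert {
    param([string]$Path, [string]$Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $problems = @()
    # Key type must be ECC (id-ecPublicKey), otherwise it does not belong in the Tomcat-ECDSA slot
    if ($cert.PublicKey.Oid.Value -ne "1.2.840.10045.2.1") {
        $problems += "public key is $($cert.PublicKey.Oid.FriendlyName), not ECC"
    }
    # Key Usage: a TLS server certificate with an ECDSA key must allow Digital Signature
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += "Key Usage lacks Digital Signature"
    }
    # Enhanced Key Usage must carry Server Authentication (the template's Application Policies)
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
        $problems += "EKU lacks Server Authentication"
    }
    # The name the browser validates (SAN dNSName first, then CN) must match the UCCX FQDN
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $Fqdn) { $problems += "certificate name '$dns' does not match $Fqdn" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }
    return $problems
}

$issues = @(Test-TomcatEcdsaCert -Path $CertPath -Fqdn $UccxFqdn)
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: upload $CaPath to tomcat-trust, then $CertPath as Tomcat-ECDSA"
```

Run it once per UCCX node; a non-zero exit means the template did not produce what UCCX expects, so fix the template and reissue rather than uploading the certificate anyway.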

Now what?

If you already did the Tomcat certificate, you are good to go (if not, watch this post/video), but keep reading: if you only restart the Tomcat and Finesse Tomcat services, CUIC and other services will not work properly.

Restart the UCCX server (or servers) for the changes to take effect properly.

Now you are ready to enjoy a secure session with no browser warnings.

Finesse

CUIC

What to look forward to?

I hope you have enjoyed the post and that it was helpful. If you have issues with this, please feel free to send me a quick message and I will do my best to get back to you with an answer.

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies, including Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

3 thoughts on “UCCX 11.5 Tomcat and Tomcat-ECDSA certificates for Cisco Finesse CUIC and the Admin Pages”

  1. This is excellent! Thank you. If both tomcat and tomcat-ECDSA Signed certificates need to get uploaded at the same time, does order matter? Which to upload first, tomcat or tomcat-ECDSA, given the Root is added first to -trust.

  2. Hi,

    Indeed this is very useful and I wish I had found this page first. I have just about figured out how to do this myself, but after the certificate is created the Key Usage has lost its settings from the template and is only showing Digital Signature, Key Agreement (88).

    I also tried including "\nKeyUsage:CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE" but it seems to ignore it.

    Have you come across this or know how to retain the template settings when using certreq?
